Democratic senators have reached out to Tim Cook to inquire about how Apple handles personal data on its new COVID-19 screening app and website.
The app helps users assess risk factors, recent exposure, and symptoms. After the user answers the questionnaire, the app provides the CDC's recommendations on the next steps to take. This includes whether or not a test is recommended at this time, and when to contact a medical provider.
Senators Bob Menendez, Kamala Harris, Cory Booker and Richard Blumenthal sent a letter to Tim Cook on Friday expressing concern for Americans' confidential health data and how it is handled during the screening process. The senators wanted to make sure the app was safeguarding users' data, as well as complying with the Health Insurance Portability and Accountability Act (HIPAA).
They are also asking for information on Apple's agreements with federal and state governments for the development of the app, according to the letter, a copy of which was obtained by Bloomberg.
The senators have acknowledged that Apple says the software doesn't require a sign in, nor does it require the use of an Apple ID. Apple assures users of the site that it only collects anonymous information from users about general site use.
The full letter, sent to AppleInsider by the office of Sen. Menendez:
We write to express our concerns and to obtain information about your company's launch of a virus screening application and website for SARS-CoV-2. As COVID-19 continues to spread, application and website developers are moving quickly to provide reliable at-home risk assessment and symptom screening tools to advise whether individuals should be evaluated for infection. Although the use of technological innovations and collaboration with the private sector is a necessary component to combating COVID-19, Americans should not have to trade their privacy at the expense of public health needs.
As you know, on March 27, 2020, the Centers for Disease Control and Prevention (CDC) announced the release of an app and website created by Apple in partnership with the White House Coronavirus Task Force and the U.S. Department of Health and Human Services. The app and website are designed for individuals to complete a questionnaire about their health and exposure to determine if they should seek care for COVID-19 symptoms. Both the website and app guide users through a diagnostic questionnaire, and once completed, provide CDC recommendations on next steps including guidance on social distancing and self-isolating, how to closely monitor symptoms, recommendations on testing, and when to contact a medical provider.
While we acknowledge Apple's statements regarding user privacy and that the questionnaire tools "do not require a sign-in or association with a user's Apple ID, and users' individual responses will not be sent to Apple or any government organization," we are nonetheless concerned for the safety and security of Americans' private health data. Additionally, Apple maintained that although it will not collect personal information, it will collect "some information" to help improve the site without identifying what that information will be.
In the interest of Americans during these unprecedented times, all data collected via Apple's screening tools should remain confidential and must not be used for any commercial purposes in the future. Moreover, Apple should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Additionally, we would like to better understand your efforts to keep any collected information safe from potential hackers, foreign state and non-state actors with nefarious intent, and other criminal enterprises.
To address these concerns, please provide answers to the following questions no later than April 10, 2020. We appreciate your efforts to protect Americans and we look forward to your response.
1. Please provide the specific terms of any agreement between your company and the federal government and/or state governments.
2. Are the Apple screening site and app governed under the terms of the HIPAA? If not, please explain why.
3. What are the specific data retention policies regarding any and all information entered into the website and app by individuals?
4. Can individuals who use the website and app access and monitor the data that Apple collects about them?
5. Will Apple commit that it will refrain from using data collected on the website and app for commercial purposes?
6. Will Apple commit to refraining from sharing or selling the data collected on the website and app to third parties?
7. What specific cybersecurity safeguards will be utilized to ensure the security of the data entered on the website and app?
8. Will the website and app be accessible to those with disabilities?
Updated with full letter from Sen. Menendez.