
Contact tracing app vetted by Apple found to share data with Foursquare/Google - clairity
https://appleinsider.com/articles/20/05/22/contact-tracing-app-vetted-by-apple-found-to-share-data-with-foursquare-and-google
======
yladiz
They buried the lede here:

> While Care19 does not rely on the recently released Apple-Google Exposure
> Notification API, Apple was involved in the vetting of the app

The way the article was written, it seemed like the app was using the Exposure
Notification API but doesn’t say it wasn’t until halfway through, and then
says that the app was “vetted” by Apple.

Well, all apps are vetted by Apple, that’s how the iOS App Store process
works. The article (and the Washington Post article this is based on) really
don’t give details about how involved Apple was, making me believe that this
was likely treated as a normal app and was vetted as a normal app.

In other words, I get the frustration with the app sending data to places it
shouldn’t like Foursquare, which is pretty irresponsible for an app that’s
supposed to be just for contact tracing, but I don’t really see how Apple is
part of the problem.

~~~
grawprog
>Well, all apps are vetted by Apple

And as such, Apple is responsible for it existing in their store.

>making me believe that this was likely treated as a normal app and was vetted
>as a normal app.

You'd think with the privacy issues surrounding contact tracing apps, they
would have taken a closer look. Seems negligent not to.

How does Apple get away with both the accolades when it keeps a 'curated
walled garden' that's supposed to protect users from themselves, as I've seen
quoted many times on HN, yet they get a pass when they end up allowing things
users would be upset about and well it's not their fault?

It can't be both ways. If they advertise a safe curated garden, then they
do have responsibility when something slips through.

~~~
yladiz
> You'd think with the privacy issues surrounding contact tracing apps, they
> would have taken a closer look. Seems negligent not to.

I don't think this is a good argument, though. Apple is pushing governments
that want a contact tracing app to use their Exposure Notification API, which
has strong privacy maintaining limitations - for example, it's decentralized,
on the phone. In fact, Apple specifically designates contact tracing apps as
ones approved and using the Exposure Notification API[1]. The apps that don't
use this API are limited - specifically, they can't keep Bluetooth on in the
background (meaning, when the phone is locked).

> How does Apple get away with both the accolades when it keeps a 'curated
> walled garden' ... yet they get a pass when they end up allowing things
> users would be upset about?

In general, the "accolades" are with respect to how the phone treats apps, as
well as in comparison to Google's Play Store. Apple is much more strict in
their review process than Google, so blatantly malicious things like malware
don't get through.

In this specific case, without more details I do believe that Apple treated
the app as a "normal app", as it didn't use the Exposure Notification API, and
what is meant by "vetted" here is that it was reviewed using the normal app
review process. If that's not the case I would agree Apple has some
culpability but without those details and thus assuming that this app was not
treated specially, I don't think Apple is at fault here. If this had happened
with an app using the API this would have been a much bigger news story as it
would have shown that the review process for the contact tracing apps is very
poor since contact tracing apps are specifically forbidden from both getting
location data, which this article is talking about.

1:
[https://developer.apple.com/contact/request/download/Exposur...](https://developer.apple.com/contact/request/download/Exposure_Notification_Addendum.pdf)

