Apple and Google CEOs should be held responsible for protecting coronavirus tracking data, says GOP Sen. Hawley

Key Points
  • Republican Sen. Josh Hawley of Missouri asked the CEOs of Apple and Google to hold themselves personally liable for protecting the data collected through their contact tracing efforts related to the coronavirus.
  • The firms have teamed up to release tools for apps that would notify users if they come into contact with someone diagnosed with Covid-19.
  • Hawley said he was concerned that even anonymized data could be "reidentified" and used as a surveillance mechanism.

In this article

Sen. Josh Hawley, R-Mo., talks with reporters after the Senate Republican Policy luncheon in Russell Building on Tuesday, March 17, 2020.
Tom Williams | CQ-Roll Call via Getty Images

Apple CEO Tim Cook and Google CEO Sundar Pichai should hold themselves personally responsible for protecting data collected through their efforts to trace the spread of Covid-19, Sen. Josh Hawley, R-Mo., wrote in a letter to the CEOs on Tuesday.

"If you seek to assure the public, make your stake in this project personal," wrote Hawley, a prominent tech critic. "Make a commitment that you and other executives will be personally liable if you stop protecting privacy, such as by granting advertising companies access to the interface once the pandemic is over."

Apple and Google announced earlier this month that they have teamed up in an effort to combat the spread of the new coronavirus. The companies will release tools allowing public health authorities to create apps that will notify users who opt-in if they have come into contact with someone who has tested positive for Covid-19. The system, known as contact tracing, will use Bluetooth connections in phones.

The partnership has drawn both praise and skepticism just as lawmakers across the political spectrum had agreed that a national privacy law was urgently needed. Several proposals are on the table, but relief measures for the ongoing pandemic have been top priority in Congress over the past several weeks.

In his letter to Cook and Pichai, Hawley said that even though the companies promised to use anonymized data in the project, data can often be "reidentified" by cross-checking it with another data set. 

"Pairing the data from this project with the GPS data that both your companies already collect could readily reveal individual identities," Hawley wrote, adding that the project "could create an extraordinarily precise mechanism for surveillance."

Hawley said Google's record on privacy furthered his concerns. As attorney general of Missouri in 2017, Hawley had investigated Google on antitrust grounds. Since then, as a member of Congress, Hawley has frequently criticized what he sees as weak enforcement of antitrust and consumer protection laws on tech companies including Google and Facebook.

Neither company commented directly on Hawley's letter, but highlighted the privacy protections for the contact tracing project that they had previously announced. Users have to opt-in to having their data collected for contact tracing, which is based on rotating Bluetooth identifiers, rather than users' locations. The contact tracing is done on a users' device with only non-identifying keys stored on Google and Apple servers. Even if a user tests positive, the system will not identify them to anyone notified. 

Hawley acknowledged in his letter that his request was unusual, but said, "A project this unprecedented requires an unprecedented assurance on your part."

Subscribe to CNBC on YouTube.

WATCH: Why the U.S. government is questioning your online privacy

Why the U.S. government is questioning your online privacy