1 Introduction
RQ1: How did the complex decision situation surrounding the standardization of DCT unfold?RQ2: How did the platform owners impose their protocol as the technological standard for DCT, and what benefits might this strategy entail for Google and Apple?RQ3: What are the consequences and trade-offs of Google and Apple winning the standards war against complementors?
2 Theoretical foundations
2.1 IT standards
Tension | Development vs. diffusion | Private vs. public interests | Stability vs. flexibility |
---|---|---|---|
Example | Standardization activities are considered a failure-prone endeavor, bound to both the effective development of standards and the creation of adequate conditions for their adoption | Empowering large actors can be beneficial in addressing coordination problems, but can simultaneously introduce pitfalls, such as an overly narrow technological search, as well as lock-in/lock-out effects | Standards must be stable enough to ensure compatibility through a common understanding of the technology, while at the same time they need to be flexible enough allowing them to be changed and adapted to their area of application |
Literature | Markus et al. (2006) | Uotila et al. (2017) | Hanseth et al. (1996) |
2.2 Software platform ecosystems
2.2.1 The boundary resource model
2.2.2 Control in software platform ecosystems
3 Research design
3.1 Study setting
Actor | Google (& Apple) | TraceCo | CrowdCo | Political actors |
---|---|---|---|---|
Role | Owners of the operating systems and associated marketplaces to which the development and distribution of DCT apps are tied | Platform complementors with the objective of providing their DCT app to other organizations, thereby reliant on the ecosystems of Google and Apple | Partner of TraceCOV concerning their DCT app and providing the technological know-how for the development of the app | Public authorities providing DCT apps to their citizens, thus acting as platform complementors. In Germany represented by the Ministry of Health |
3.2 Case description
3.3 Methodology
n | Organization | Role | Main theme(s) | Pseudonym | Date |
---|---|---|---|---|---|
1 | TraceCo Consulting | Head of Marketing | Initial interview, GAEN | D#1.1 | 03.07.2020 |
2 | TraceCo Germany | Project Leader on Operational Level | Project initialization | D#2 | 09.07.2020 |
3 | CrowdCo | Head of Technological Partner | DCT technology, GAEN | D#3.1 | 31.07.2020 |
4 | TraceCo Middle East | Project Leader on Operational Level | Customer perspective | D#4 | 14.08.2020 |
5 | TraceCo Consulting | Project Sponsor | Deployment & marketing | D#5.1 | 14.08.2020 |
6 | TraceCo Germany | Sales & Key Account Manager | Sales interview | D#6 | 02.09.2020 |
7 | TraceCo Consulting | Head of Marketing | Roll-out progress | D#1.2 | 11.09.2020 |
8 | TraceCo Germany | Coordinator Frontend Team | Frontend & deployment | D#7 | 25.09.2020 |
9 | TraceCo Germany | User | User perspective | D#8 | 22.10.2020 |
10 | CrowdCo | Head of Technological Partner | DCT technology, GAEN | D#3.2 | 30.10.2020 |
11 | TraceCo Consulting | Project Sponsor | Follow-up & outlook | D#5.2 | 06.11.2020 |
12 | Google EMEA | Director Business Development | GAEN | PO#1 | 16.05.2022 |
13 | German Parliament | Committee on Digital Affairs | Corona-Warn-App, GAEN | G#1 | 15.06.2022 |
14 | German Ministry of Health | Corona-Warn-App | Corona-Warn-App, GAEN | G#2 | 17.06.2022 |
Type | Exemplary sources | References |
---|---|---|
Public correspondence | Governments; Ministries of Health; European Commission; European Center for Digital Rights | |
Corporate correspondence | Google; Apple | |
White papers and websites of DCT protocols | DP-3T, PEPP-PT; ROBERT; BlueTrace | |
Scientific documents | Research articles, technical reports, and research reports on DCT apps and protocols | Farrahi et al. (2014), Ahmed et al. (2020), Azad et al. (2020), Vaudenay (2020a), Boutet et al. (2020, 2021), Zastrow (2020), Li et al. (2020), Kleinman and Merkel (2020), Sharon (2020), Rowe et al. (2020), Cebrian (2021), Krehling and Essex (2021), Wang et al. (2021), White and van Basshuysen (2021b) and Schultz et al. (2022) |
News articles | Forbes; The Washington Post; The New York Times; Financial Times; Bloomberg; The Guardian; Fortune; BBC News; Reuters | Barbaschow (2020), Baumstieger et al. (2020), Francisco (2020), Hurtz (2020), Kelion (2020a, b, c), Schurter (2020), Horowitz (2020), Burton (2020), Busvine (2020a, b), Lomas (2020a, b), Gold (2020), Chee (2020), Doffman (2020a, b), Fouquet (2020), Hern (2020), Etherington and Lomas (2020), Kelly (2020), Newton (2020a, b), Vincent (2020), Criddle and Kelion (2020), Abboud et al. (2020), Albergotti and Harwell (2020), Scott et al. (2020), Morrow (2020), Dillet (2020), Gladstone (2020), Ilanbey (2021) and Meyer (2021) |
Open letters | German data privacy and security associations; international researchers |
4 Results
4.1 Pre standards war: digital technology to assist in the pandemic response
At the end of the day, the backend does not care whether it is processing location data or contact tracing data. So, the whole backend that manages and efficiently plays out all the infection IDs needed for contact tracing and potentially on millions of devices, that was already there. […] We simply took another app, which we already had as a demo app, as a basis and then built the product based on it. (D#3.1)
The national app in Singapore, which was launched relatively early on, could not run in the background at all. […] And then we solved that three weeks later […]. So that should give a sense of how much one is at the front of what is technically possible at this point. (D#2)
4.2 Standards war: battle between incompatible technologies
[…] SAP was already involved in advising Fraunhofer when it became clear that the complexity was becoming too great for this research institute, and T-Systems (i.e., Deutsche Telekom) had already been entrusted with hosting issues when it became clear that the small hosting solutions that had been considered up to that point would have been massively overwhelmed by the data traffic caused by such apps. (G#2)
Our approach was actually from the outset [...] to create a whole portfolio of apps that all have this one component of contact tracing in them so that different segments of the market can be served by different players. The important thing is that they are all compatible with each other. (D#3.1)
On a meta-level, it would have been totally exciting from an epidemiological and infection- and pandemic-scientific point of view to do investigations, make analyses, identify hotspots, and so on and so forth. (D#2)
The advantage of storing data centrally is that you can do much more with it in terms of analysis. [...]. You have a comprehensive overview of the entire behavior of your population in an anonymous way and also only regarding their contact behavior. (D#3.1)
[…] there are arguments to follow the centralized approach because then you have a minimum set of data that allows you to evaluate what you are doing. (G#2)
[…] people always said, “we actually need the data, we want as much data as possible to be able to evaluate things to combat the corona crisis.” It would have often spoken for the centralized approach. (G#1)
If we say the goal is that the owner of the app wants to drive analytics, the centralized [approach] is much better suited, but it has this big “trust disadvantage,” let’s call it that, because per se, you certainly can also design it in a way that is privacy-preserving. (D#3.1)
[...] the anonymity of the approach was never in question. The centralized approach was also a data-efficient approach in terms of its fundamental idea. After all, it was only about hosting anonymized data in the background. (G#2)
So, data protection and data security. [...] This is something that you don’t really touch politically. It must be a basic prerequisite, so to speak, that everything is done in compliance with data protection. And I would always say from the parliamentary point of view, “we’d rather the thing doesn’t work so well than have a problem at the data protection level.” (G#1)
4.3 End of the standards war: intervention by the platform owners
After all, it was not the problem with the German solution that Apple had, but Apple said that the release for a centralized approach would then also fundamentally enable abusive apps, which [they] do not expect from Germany, but which other states would then possibly pick up on and then actually develop a surveillance tool out of it. (G#2)
[…] in the beginning, we lacked the imagination of how to develop such a tracing app, but at the same time evaluate its effectiveness at some point when you don't have any data on how many people are warned by the app and how many of them test positive later. (G#2)
On the part of the Ministry of Health, the centralized approach was certainly promoted to our working group, and it was explained why the centralized approach was the more important and better one. Which were also quite conclusive arguments. (G#1)
We ourselves probably never really understood why this switch came so abruptly. That was certainly also influenced by the fact that these companies, namely Google and Apple, were actually pursuing this decentralized approach with their […] protocol. (G#1)
[…] if you didn’t want to use an interface that was provided by Google and Apple, […] you would then encounter significant technological challenges that could not be easily solved without the support of these two players. (G#2)
It makes you dependent on the big players, but you also notice very quickly that they have solved technological challenges with the API that we hadn’t solved before, and that’s why it’s such a balancing act. (G#2)
We really didn't have any other alternative, and pressure would not have been a promising option, because it worked for some decisions in the past, but for this fundamental decision, it was relatively clear that Apple would not budge. (G#2)
And now, through this survey and through the data donation, we have really been able to extract very extensive insights into what the app actually does. (G#2)
[...] Apple has a rule that only one app per country is allowed in, and of course, that is always the government app, the official one. That is understandable to a certain extent because they want to increase the adoption and do not want to promote a variety of apps. On the other hand, it is, of course, difficult for us. (D#1.1)
[...] In scenarios where you have Android devices and iPhones and relatively high coverage, it actually works quite well. It is pretty much as close as you can get to the perfect solution from Apple and Google [...]. (D#3.2)
UK then discontinued relatively soon and did not develop for a while, and then came back to us when the political decision was made there to develop a new decentralized solution. They were then two to three months behind us. (G#2)
[…] we then had discussions with Apple and Google, which led to improvements on their side and improvements on our side […]. (G#2)
[…] Apple was not thrilled that we wanted to do the [venue] check-in. In the beginning, they were very concerned because they were afraid that location data could be used via this check-in feature. […]. But that was also a point why the check-in [feature] took longer [...]. And we had the same thing again with the vaccination certificates. Here, too, our colleagues in the USA were not enthusiastic because they said it was not part of the core functions [...]. (G#2)
As far as data security was concerned, for example, the Chaos Computer Club was invited to the expert discussion. They did not find any leaks. That is very rare. (G#1)
If you want to be successful at all with an app like this, it has to have maximum trust from all the entities, consumer watchdogs, Chaos Computer Club, and others who have a significant say in civil society. (G#2)
4.4 Post standards war: prevention of fragmentation and lock-out
[…] There is quite a bit of their politics involved: “We actually only want to bring in our interface.” So, there they set up very, very big hurdles. It is not even a competition on the market because nobody from TraceCo says that the German Corona-Warn-App is garbage. They just say: “we want to make it accompanying to it to increase the bandwidth.” (D#3.1)
[…] quite on the contrary because that would harm us at the end of the day and our whole business with the government. (D#5.1)
It simply costs too much. And it is terribly complicated. I mean, if every company has an enterprise account (i.e., Apple Developer Account), then it is easy. It works immediately. But that is not the standard. Not every company has its own enterprise account, especially not medium-sized companies, and that is where we actually want to go. (D#5.1)
5 Discussion
5.1 Competing roles and the DCT dilemma
5.2 The substitution response by Google and Apple
Concept | Description |
---|---|
GAEN-based apps | DCT apps that leverage the technological foundation of the GAEN protocol via the GAEN API, thereby complying with the regulations and specifications jointly defined by the platform owners Google and Apple |
GAEN protocol | Technological foundation embedded in the operating system layer of iOS and Android devices that provides the respective smartphones with mechanisms to log users’ encounters and alert them once they have come in close proximity with an infected user |
GAEN API | Boundary resource that provides regulated access to the GAEN protocol allowing governmental apps to access the contact tracing data collected in the operating system layer while the platform owners remain in control |
Installed user base | Existing iOS and Android users, representing the total number of potential adopters of DCT apps and thus constituting a critical resource for achieving the mass adoption required for DCT to be effective |
App store(s) | Boundary resource that provides regulated access to the installed base of Android and iOS allowing app providers to distribute their apps and reach potential adopters while the platform owners can lock out certain complementors and block unwanted complements |
Bluetooth limitations | Apple’s predetermined governance measures restricting the Bluetooth functionality for iOS devices due to potential security concerns |