Apple, Google begin to spread pro-privacy, batt-friendly coronavirus contact-tracing API for phone apps

Public health agencies get green light to emit software using joint-developed tech

Analysis Apple and Google have officially released their Exposure Notification API, a joint technology project to allows public health organizations to build mobile apps capable of efficient and anonymous coronavirus contact tracing via Bluetooth.

The basic idea is that you run one of these apps on your phone, and the software uses the Apple-Google-developed interface to communicate with copies of itself on other people's nearby devices over Bluetooth. When someone declares, via the app, that they've likely or certainly caught the COVID-19 bio-nasty, all phones that have been in the vicinity of that person's handheld will find out, alerting their owners that they may have been exposed to the virus. Each country or region is expected to have its own app. No data goes to Apple or Google.

The numbers of people coming in contact with those thought or confirmed to be infected may help experts monitor and analyze the actual spread of the virus. The US Centers for Disease Prevention and Control has warned a large number of people running the contact-tracing software are needed for this all to work properly.

Last month, Apple and Google announced they were working together to augment public health efforts to curb the spread of COVID-19, by implementing a "privacy-preserving contact tracing" solution in iOS and Android. This technology is designed to be decentralized and secure, and use Bluetooth radio signals efficiently without taxing devices' batteries.

"Mobile devices can be used in an automated and scalable way to help determine who has been exposed to a person that later reports a positive diagnosis of COVID-19," the internet giants explained in their documentation [PDF]. "For example, they can be used to send a rapid notification to the exposed person with instructions on next steps."

The Exposure Notification API offers a ready-made way for public health agencies to implement contact tracing in apps they're developing. These apps are not a replacement for manual contact tracing, but are intended to add something to the process. What that is exactly is not certain.

Joint front

Apple and Google in a joint statement on Wednesday emphasized that privacy is essential for mobile contact tracing apps to work, in that, people won't want to use an application that spies on who you've been near. Users will get to decide whether they want to receive Exposure Notifications and whether, if diagnosed with COVID-19, whether they will report their health status to the app.

"User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps," the odd couple said, noting that the system does not collect or use location data from mobile devices.

The project is designed with two phases in mind. Initially, people will have to download an app backed by a public health agency. There are dozens of contact tracing apps underway on national and regional levels.

Apps using the Apple-Google framework will transmit a random Bluetooth identifier that changes every 10 to 20 minutes, and will receive identifiers broadcast by such apps on other phones.

These identifiers get stored on device. At least once a day, the contact tracing app connects to a health org's server to fetch a list of identifiers associated with individuals who have chosen to report a positive COVID-19 diagnosis. And if there's a match indicating the user was in the vicinity of someone with a positive diagnosis, the user will – if settings allow – be notified and advised on what to do next.

woman surrounded by piles of tissues uses smartphone app

NHS contact tracing app isn't really anonymous, is riddled with bugs, and is open to abuse. Good thing we're not in the middle of a pandemic, eh?


Apple and Google insist that no data will be shared with public health authority apps, apart from two exceptions. First, if the user chooses to report a positive diagnosis, their most recent contact identifiers will be added to the server list so other users linked to those identifiers can be notified.

Second, if the user receives a contact notification, the system will share the day contact was recorded, how long contact lasted, and the Bluetooth signal strength during that period.

In the second phase of this project, Apple and Google plan to bake contact tracing tech into their respective mobile operating systems. "After the operating system update is installed and the user has opted in, the system will send out and listen for the Bluetooth beacons as in the first phase, but without requiring an app to be installed," the companies explain.

This API, they insist, will only be available to public health officials, and their apps must abide by specific privacy, security, and data control rules. Phase two is projected to arrive "in the coming months."

Hmm, about that

Among technologists and privacy experts, there's skepticism that contact tracing apps will work well enough to be useful. In a Brookings Institution blog post last month, privacy researcher Ashkan Soltani, law professor Ryan Calo, and biology professor Carl Bergstrom argued that contact tracing apps at best will be only marginally helpful to limit the spread of COVID-19, and could harm privacy and enable malicious attacks.

One of the issues, cited by Soltani when The Register spoke with him about contact tracing apps in the UK and Australia, is that mass adoption is necessary to be effective.

With only 81 per cent of people in the US having smartphones, we could only capture about 65 per cent of exposure events, based on Metcalfe's Law of network scale. And that's if every single smartphone owner ran a compatible contact tracing app, a rather unlikely scenario.

In Singapore, a contact tracing app made without the Apple-Google framework was downloaded by just one in six people.

Then there's the potential for abuse, the possibility of false positives and false negatives, and the chance that privacy protections will be permanently weakened if health tracking technology gets put into place without an accompanying legal framework.

But presumably Apple and Google felt it was better to propose a technological common ground for contact tracing apps than to deal with the politically fraught task of policing home-grown implementations developed without much consideration for privacy or security. ®

Similar topics

Other stories you might like

  • Product release cycles are killing the environment, techies tell British Computer Society

    Running Linux on a vintage box is one answer, but someone has to hold big tech's feet to fire

    Bringing an end to the relentless nature of annual product release cycles is something that should be top of the agenda for the soon-to-run 2021 United Nations Climate Change Conference, also known as COP26.

    Or so says the BCS, formerly known as the British Computer Society, which reckons cutting electronic waste is the most pressing concern for 30 per cent of the 1,100 plus members it surveyed recently.

    Alex Bardell, chair of the BCS Green IT Specialist Group, said reducing e-waste was already on the radar thanks to the chip shortage.

    Continue reading
  • UK science suffers as lawmakers continue to dither over Brexit negotiations

    Horizons Europe carrot dangled amid protocol wrangling

    A report from the UK House of Commons' European Scrutiny Committee has blamed delays in Brussels for choking off revenue streams to British institutions and businesses.

    The UK departed the European Union following a 2016 referendum. One of the results was that UK businesses were no longer able to tender for lucrative contracts within the bloc.

    The Brexit Divorce Bill uncomfortably laid out the facts back in 2018. The satellite navigation system Galileo was one victim despite substantial involvement from the UK in its development. Another was the Copernicus Earth monitoring programme; the UK was infamously snubbed when the European Space Agency (ESA) handed out six juicy contracts to institutions from the Continent.

    Continue reading
  • Warehouse belonging to Chinese payment terminal manufacturer raided by FBI

    PAX Technology devices allegedly infected with malware

    US feds were spotted raiding a warehouse belonging to Chinese payment terminal manufacturer PAX Technology in Jacksonville, Florida, on Tuesday, with speculation abounding that the machines contained preinstalled malware.

    PAX Technology is headquartered in Shenzhen, China, and is one of the largest electronic payment providers in the world. It operates around 60 million point-of-sale (PoS) payment terminals in more than 120 countries.

    Local Jacksonville news anchor Courtney Cole tweeted photos of the scene.

    Continue reading
  • Everything you wanted to know about modern network congestion control but were perhaps too afraid to ask

    In which a little unfairness can be quite beneficial

    Systems Approach It’s hard not to be amazed by the amount of active research on congestion control over the past 30-plus years. From theory to practice, and with more than its fair share of flame wars, the question of how to manage congestion in the network is a technical challenge that resists an optimal solution while offering countless options for incremental improvement.

    This seems like a good time to take stock of where we are, and ask ourselves what might happen next.

    Congestion control is fundamentally an issue of resource allocation — trying to meet the competing demands that applications have for resources (in a network, these are primarily link bandwidth and router buffers), which ultimately reduces to deciding when to say no and to whom. The best framing of the problem I know traces back to a paper [PDF] by Frank Kelly in 1997, when he characterized congestion control as “a distributed algorithm to share network resources among competing sources, where the goal is to choose source rate so as to maximize aggregate source utility subject to capacity constraints.”

    Continue reading
  • How business makes streaming faster and cheaper with CDN and HESP support

    Ensure a high video streaming transmission rate

    Advertorial Here is everything about how the HESP integration helps CDN and the streaming platform by G-Core Labs ensure a high video streaming transmission rate for e-sports and gaming, efficient scalability for e-learning and telemedicine and high quality and minimum latencies for online streams, media and TV broadcasters.

    HESP (High Efficiency Stream Protocol) is a brand new adaptive video streaming protocol. It allows delivery of content with latencies of up to 2 seconds without compromising video quality and broadcasting stability. Unlike comparable solutions, this protocol requires less bandwidth for streaming, which allows businesses to save a lot of money on delivery of content to a large audience.

    Since HESP is based on HTTP, it is suitable for video transmission over CDNs. G-Core Labs was among the world’s first companies to have embedded this protocol in its CDN. With 120 points of presence across 5 continents and over 6,000 peer-to-peer partners, this allows a service provider to deliver videos to millions of viewers, to any devices, anywhere in the world without compromising even 8K video quality. And all this comes at a minimum streaming cost.

    Continue reading
  • Cisco deprecates Microsoft management integrations for UCS servers

    Working on Azure integration – but not there yet

    Cisco has deprecated support for some third-party management integrations for its UCS servers, and emerged unable to play nice with Microsoft's most recent offerings.

    Late last week the server contender slipped out an end-of-life notice [PDF] for integrations with Microsoft System Center's Configuration Manager, Operations Manager, and Virtual Machine Manager. Support for plugins to VMware vCenter Orchestrator and vRealize Orchestrator have also been taken out behind an empty rack with a shotgun.

    The Register inquired about the deprecations, and has good news and bad news.

    Continue reading
  • Protonmail celebrates Swiss court victory exempting it from telco data retention laws

    Doesn't stop local courts' surveillance orders, though

    Encrypted email provider Protonmail has hailed a recent Swiss legal ruling as a "victory for privacy," after winning a lawsuit that sees it exempted from data retention laws in the mountainous realm.

    Referring to a previous ruling that exempted instant messaging services from data capture and storage laws, the Protonmail team said this week: "Together, these two rulings are a victory for privacy in Switzerland as many Swiss companies are now exempted from handing over certain user information in response to Swiss legal orders."

    Switzerland's Federal Administrative Court ruled on October 22 that email providers in Switzerland are not considered telecommunications providers under Swiss law, thereby removing them from the scope of data retention requirements imposed on telcos.

    Continue reading
  • Japan picks AWS and Google for first gov cloud push

    Local players passed over for Digital Agency’s first project

    Japan's Digital Agency has picked Amazon Web Services and Google Cloud for its first big reform push.

    The Agency started operations in September 2021, years after efforts like the UK's Government Digital Service (GDS) or Australia's Digital Transformation Agency (DTA). The body was a signature reform initiated by Prime Minister Yoshihide Suga, who spent his year-long stint in the top job trying to curb Japan's reliance on paper documents, manual processes, and faxes. Japan's many government agencies also operated their websites independently of each other, most with their own design and interface.

    The new Agency therefore has a remit to "cut across all ministries" and "provide services that are driven not toward ministries, agency, laws, or systems, but toward users and to improve user-experience".

    Continue reading

Biting the hand that feeds IT © 1998–2021