Apple and Google tweak key bits of contact-tracing privacy plan
As European nations back decentralised plan that leaves data on the device until users call in sick
Apple and Google have revealed a little more about their plans to support COVID-19 contact-tracing apps and changed up some of their security plans.
In an updated FAQ document released late last Friday, the companies explain their plans to employ a "privacy-preserving identifier - basically, a string of random numbers that aren't tied to a user's identity and change every 10-20 minutes for additional protection". The pair's previous plan was for a key to be associated with each device.
The new shifting identifier will make it more difficult for those tracking Bluetooth signals to associate the keys with specific users.The companies said they made the changes after consulting government and health agencies around the world.
The companies also clarified that the anonymized data will never reach a public health authority until a person tests or declares themselves positive for COVID-19 and opts in. Apple and Google won't see the information ever.
Apps using the API will check health authorities databases of self-confessed carriers daily, and match those records with encounters recorded on users' phones. What happens if there's a match is not made clear: likely an alert is shown to each user who came in the vicinity of someone with the disease.
The regime outlined in the new FAQ appears also to have ended the debate over whether to use "centralised" contact-tracing that creates on source of data, or the "decentralised" scheme advocated by Apple, Google and the DP-3T contact-tracing effort. Germany's health minister, after the nation previously favored the PEPP-PT scheme, told Die Welt the government is now backing the decentralised approach. Switzerland and Austria have done likewise.
“This app should be voluntary, meet data protection standards and guarantee a high level of IT security,” they said. “The main epidemiological goal is to recognise and break chains of infection as soon as possible," Chancellery Minister Helge Braun and Health Minister Jens Spahn said.
Apple and Google say their system will be released in two phases. The first will release a whitelisted API to authorities in each country. "Apps will receive approval based on a specific set of criteria designed to ensure they are only administered in conjunction with public health authorities, meet our privacy requirements, and protect user data."
The second phase will see the software installed at the operating system level. Apple hopes that this will encourage widespread adoption of the tracing app, which experts say is necessary to its success. ®