Apple, Google begin to spread pro-privacy, batt-friendly coronavirus contact-tracing API for phone apps

Public health agencies get green light to emit software using joint-developed tech


Analysis Apple and Google have officially released their Exposure Notification API, a joint technology project that allows public health organizations to build mobile apps capable of efficient and anonymous coronavirus contact tracing via Bluetooth.

The basic idea is that you run one of these apps on your phone, and the software uses the Apple-Google-developed interface to communicate with copies of itself on other people's nearby devices over Bluetooth. When someone declares, via the app, that they've likely or certainly caught the COVID-19 bio-nasty, all phones that have been in the vicinity of that person's handheld will find out, alerting their owners that they may have been exposed to the virus. Each country or region is expected to have its own app. No data goes to Apple or Google.

The numbers of people coming in contact with those thought or confirmed to be infected may help experts monitor and analyze the actual spread of the virus. The US Centers for Disease Prevention and Control has warned that a large number of people running the contact-tracing software are needed for this all to work properly.

Last month, Apple and Google announced they were working together to augment public health efforts to curb the spread of COVID-19, by implementing a "privacy-preserving contact tracing" solution in iOS and Android. This technology is designed to be decentralized and secure, and use Bluetooth radio signals efficiently without taxing devices' batteries.

"Mobile devices can be used in an automated and scalable way to help determine who has been exposed to a person that later reports a positive diagnosis of COVID-19," the internet giants explained in their documentation [PDF]. "For example, they can be used to send a rapid notification to the exposed person with instructions on next steps."

The Exposure Notification API offers a ready-made way for public health agencies to implement contact tracing in apps they're developing. These apps are not a replacement for manual contact tracing, but are intended to add something to the process. What that is exactly is not certain.

Joint front

Apple and Google in a joint statement on Wednesday emphasized that privacy is essential for mobile contact tracing apps to work, in that people won't want to use an application that spies on who they've been near. Users will get to decide whether they want to receive Exposure Notifications and, if diagnosed with COVID-19, whether they will report their health status to the app.

"User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps," the odd couple said, noting that the system does not collect or use location data from mobile devices.

The project is designed with two phases in mind. Initially, people will have to download an app backed by a public health agency. There are dozens of contact tracing apps underway on national and regional levels.

Apps using the Apple-Google framework will transmit a random Bluetooth identifier that changes every 10 to 20 minutes, and will receive identifiers broadcast by such apps on other phones.

These identifiers get stored on device. At least once a day, the contact tracing app connects to a health org's server to fetch a list of identifiers associated with individuals who have chosen to report a positive COVID-19 diagnosis. And if there's a match indicating the user was in the vicinity of someone with a positive diagnosis, the user will – if settings allow – be notified and advised on what to do next.
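The broadcast, report and on-device matching steps described above, as an added sketch that is not code from Apple, Google or any health agency's app. It assumes identifiers are derived from a random per-day key and that a diagnosed user uploads those keys for other phones to expand locally; HMAC-SHA256 stands in for the real derivation, and `Phone`, `rolling_id` and the 10-minute interval are illustrative choices.

```python
import hashlib
import hmac
import os

INTERVAL_MINUTES = 10        # assumption: identifiers rotate every 10 minutes
INTERVALS_PER_DAY = 144

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """16-byte identifier for one interval (HMAC-SHA256 is a stand-in)."""
    msg = b"rolling-id" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> secret key; stays on the phone unless reported
        self.heard = {}       # identifier -> [(interval, rssi)] sightings, stored on device

    def broadcast(self, interval: int) -> bytes:
        day = interval // INTERVALS_PER_DAY
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def receive(self, identifier: bytes, interval: int, rssi: int) -> None:
        self.heard.setdefault(identifier, []).append((interval, rssi))

    def report_positive(self) -> list:
        """What a diagnosed user opts to upload: (day, key) pairs, no contacts."""
        return sorted(self.daily_keys.items())

    def check_exposure(self, published: list) -> list:
        """Expand published keys into identifiers and match them locally."""
        exposures = []
        for day, key in published:
            first = day * INTERVALS_PER_DAY
            hits = []
            for i in range(first, first + INTERVALS_PER_DAY):
                hits += self.heard.get(rolling_id(key, i), [])
            if hits:  # report only day, duration and signal strength
                minutes = len({i for i, _ in hits}) * INTERVAL_MINUTES
                exposures.append({"day": day, "minutes": minutes,
                                  "max_rssi": max(r for _, r in hits)})
        return exposures

def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed sample: Bob hears Alice for three consecutive intervals.
    for interval, rssi in ((1000, -61), (1001, -62), (1002, -60)):
        bob.receive(alice.broadcast(interval), interval, rssi)
    carol.receive(bob.broadcast(1000), 1000, -80)  # Carol only met Bob
    published = alice.report_positive()            # Alice reports a diagnosis
    return bob.check_exposure(published), carol.check_exposure(published)

if __name__ == "__main__":
    print(demo())
```

The server in this sketch only ever sees Alice's daily keys; which phones heard her identifiers is worked out on each handset.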


Apple and Google insist that no data will be shared with public health authority apps, apart from two exceptions. First, if the user chooses to report a positive diagnosis, their most recent contact identifiers will be added to the server list so other users linked to those identifiers can be notified.

Second, if the user receives a contact notification, the system will share the day contact was recorded, how long contact lasted, and the Bluetooth signal strength during that period.

In the second phase of this project, Apple and Google plan to bake contact tracing tech into their respective mobile operating systems. "After the operating system update is installed and the user has opted in, the system will send out and listen for the Bluetooth beacons as in the first phase, but without requiring an app to be installed," the companies explain.

This API, they insist, will only be available to public health officials, and their apps must abide by specific privacy, security, and data control rules. Phase two is projected to arrive "in the coming months."

Hmm, about that

Among technologists and privacy experts, there's skepticism that contact tracing apps will work well enough to be useful. In a Brookings Institution blog post last month, privacy researcher Ashkan Soltani, law professor Ryan Calo, and biology professor Carl Bergstrom argued that contact tracing apps at best will be only marginally helpful to limit the spread of COVID-19, and could harm privacy and enable malicious attacks.

One of the issues, cited by Soltani when The Register spoke with him about contact tracing apps in the UK and Australia, is that mass adoption is necessary to be effective.

With only 81 per cent of people in the US having smartphones, we could only capture about 65 per cent of exposure events, based on Metcalfe's Law of network scale. And that's if every single smartphone owner ran a compatible contact tracing app, a rather unlikely scenario.

In Singapore, a contact tracing app made without the Apple-Google framework was downloaded by just one in six people.

Then there's the potential for abuse, the possibility of false positives and false negatives, and the chance that privacy protections will be permanently weakened if health tracking technology gets put into place without an accompanying legal framework.

But presumably Apple and Google felt it was better to propose a technological common ground for contact tracing apps than to deal with the politically fraught task of policing home-grown implementations developed without much consideration for privacy or security. ®

