Everything we know about the Google/Apple COVID-19 contact tracing tech

Here's how it works, what it does, why it matters and links to further information.

Apple, Google, iOS, privacy, security, mobile, Android,

Creeping erosion of privacy? Desperately needed technology-based solution to a global life-or-death problem? A little of both? Here is what we think we know now about the Apple/Google contact tracing technology announced on Friday.

What has happened?

Apple and Google are working together to develop COVID-19 contact tracing technology for both Android and iOS devices.

“All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems,” the companies said in a statement announcing the move.

The two giant corporations have published draft technical documentation, including Bluetooth and cryptography specifications and framework documentation.

Here is what they say:

“Across the world, governments and health authorities are working together to find solutions to the COVID-19 pandemic, to protect people and get society back up and running. Software developers are contributing by crafting technical tools to help combat the virus and save lives. In this spirit of collaboration, Google and Apple are announcing a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.”

And what Tim Cook said:

In a Tweet, Apple CEO Tim Cook said:

“Contact tracing can help slow the spread of COVID-19 and can be done without compromising user privacy. We’re working with [Google] to help health officials harness Bluetooth technology in a way that also respects transparency and consent.”

Why is this technology needed?

Public health officials worldwide believe contact tracing can be used to help prevent the spread of coronavirus. Mobile telecoms, other companies and governments are using contact tracing in an attempt to mitigate its spread.

What this means in practice is that mobile networks are sharing with governments the data they hold about people’s movements, something that alarms privacy advocates who see it as a potential move toward surveillance state.

An ACLU paper pertaining to this is available online.

Taiwan, Singapore, China, South Korea, UK and Israel are all using this kind of information. And OneZero explains some of the ways in which these technologies are being deployed.

Apple and Google hope that by making useful information available in a highly anonymized form they can both boost public health response\, while also protecting end user privacy.

How it works

  • When in place, smartphones running the technology will broadcast randomly created, unique identifiers using Bluetooth Low Energy that change every 15-minutes.
  • Any device within two meters distance will record that signal ID, which is designed to protect end user anonymity.
  • This data doesn’t get used unless other conditions are met.
  • The identifier contains no other personal information.
  • The list of identifiers you have interacted with doesn't leave your device unless you choose to share it.
  • If you test positive with the virus you will not be identified to other users, Apple or Google.
  • All matching takes place on the device, and uses relay servers which forward information to your device. That way you can see if you have been in proximity of someone suffering COVID-19 in the last 14-days.

What does the technology consist of?

Apple and Google's comprehensive solution will include application programming interfaces (APIs) and operating system-level technology.

How will this be introduced?

Given the urgent need, the solution will be implemented in two steps, which Apple and Google both hope will maintain user privacy.

  • In May, the companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. Official apps will be made available.
  • In “the coming months," Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms.

How is privacy protected?

Individuals will be able to opt-in to participate in the system, and will need to do so on a large scale if it's to be effective. It is also designed to enable interaction with a broader ecosystem of apps and government health authorities.

“Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders. We will openly publish information about our work for others to analyze,” the companies said.

What about the data?

The system keeps data on devices that have been near each other.

Apps from officially sanctioned public health authorities will get access to the data on your device, and users who download those apps can report whether they’ve been diagnosed with COVID-19.

The system also alerts people by periodically checking broadcast keys to see whether  anyone has tested positive. If you have been close to someone who has been infected you’ll receive an alert, but won’t be given the identity of the person you were near.

How the system works in a more personal sense

In practice, the system might work like this:

  • Two or more people spend 10 minutes of so in close proximity (within two meters) of one another.
  • When they do, their smartphones exchange anonymous identifiers.
  • Should one of them subsequently be diagnosed with COVID-19 the system will be updated with this news via a health authority app that uses the Google/Apple API.
  • If the diagnosed user consents to it, their most recent identifiers will be shared to the system which uses public health data.
  • This information is then broadcast via the app to all users, and anyone whose device identifies your anonymised identifier as a contact it has been in touch with will be alerted that they have been exposed to the virus.
  • They will then be advised of the next step they should take according to their government health advisors: Self-isolation, medical contact or testing, for example.

The process for the most part takes place on your device. Location information is not shared and data that is shared is anonymized and remains subject to your consent.

Isn’t this system ripe for abuse?

There are two obvious forms of potential abuse:

Surveillance-hungry states may use the system as a thin wedge toward deeper oversight over communities. The use of frequently changed anonymous identifiers and the need for user consent is part of the protection against this.

Attention-seeking users may attempt to game the system, claiming illness to cause panic among others. This is what integration with authorized public health apps is meant to protect against, as it implies some protection against the potential for deliberate or mistaken self-identification to generate such panic (but see ‘In the UK’, below).

In the UK

The UK government isn’t doing enough testing, many critics say. As a result of its failure to prepare, deployment of the technology in that country will allow people to self-diagnose, reports 9to5Mac.

This will reduce the accuracy of the app (which depends on verified health testing) and also make it possible to create unwarranted panic among others based on an individual’s flawed self-diagnosis. It will also nurture both over- and under-reporting, as people with mild symptoms don’t report and those with possible symptoms do report.

Criticisms of the solution

There are several emerging criticisms. University of Cambridge professor Ross Anderson points to several problems, one of which is that in built-up areas the Bluetooth-based contact tracing feature may pick up false positives, such as identifying neighbors on either side of dividing walls as having been in contact.

Critics also warn that the same technology could be used to monitor other forms of social contact. A government may demand its use for other scenarios, such as murder investigations or even to silence dissent.

Where can I get more information?

Both Apple and Google have published extensive draft APIs explaining use of this technology and how developers may be able to implement it within their apps.

Apple has published the following:

Google’s Android Contact Tracing API is available here. You can find specifications for contact tracing with Bluetooth and its cryptography here and here. Google’s explanatory document explaining privacy safe contact tracing using Bluetooth LE is here.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Copyright © 2020 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon