Apple and Google continue to provide updates and more details about their work on a COVID-19 tracking API, now referred to as ‘exposure notification.’ MobileSyrup has published several updates regarding the new details. You can find all the articles related to the exposure notification API below.
- Apple and Google’s Exposure Notification System now publicly available – 20/05/2020
- New UI samples show Apple, Google’s exposure notification system – 04/05/2020
- Apple, Google begin rolling out betas with exposure notification API – 29/04/2020
- Apple, Google update exposure notification APIs with new protections and capabilities – 24/04/2020
- Apple, Google share more details about COVID-19 contact tracing system – 13/04/2020
- Apple, Google developing tool to help public health officials track COVID-19 – 11/04/2020
Apple and Google are working to help public health officials through technology. The pair announced a partnership that would see both companies develop software systems to aid in contact tracing during the COVID-19 pandemic.
The companies detailed the system in a series of white papers. At a basic level, it relies on data shared through Bluetooth Low Energy (BLE) and approved apps from health organizations. The BLE transmissions would act as a form of contact tracing — something public health officials usually perform manually. Contact tracing is the process of reaching out to all the people an infected person has been in contact with.
Apple and Google’s system would create a voluntary BLE network between people’s phones. The network would form the foundation of an automated contact tracing system that notifies people when they’ve been in close contact with someone who has COVID-19. Further, the system would allow public health authorities to access that data.
The plan involves a few stages before it will be fully realized. To start, both companies will introduce a pair of iOS and Android APIs in mid-May that health authorities’ apps can utilize. During this phase, public health authorities will need to make an app using that API and users will need to download it to participate in contact-tracing. While the need to download a third-party app could severely limit adoption, it could also assuage some privacy concerns around the plan. If you don’t have the app, authorities can’t gather data.
However, the system isn’t as problematic when it comes to privacy as one might expect. Since it uses Bluetooth instead of GPS, the contact tracing network it establishes is based on proximity to other people, not on your physical location. It’s also voluntary at both stages of implementation, which means users have to opt-in to the process.
Using BLE could lead to false positives
Based on the information we have now — which in some ways is rather limited — the system stores your last 14 days of ‘proximity data.’ Essentially, whenever your phone is close to someone else’s handset, the devices trade anonymous identifier beacons over BLE. These identifiers change often so that companies can’t use the data to identify users.
BLE has a range of up to 30 feet, which is far outside of the six feet health authorities recommend for physical distancing, as well as outside the distance that COVID-19 can travel from one infected person to another. Unfortunately, the BLE signal can only tell if a person was within the 30-foot radius, not how close that person was to you. The issue here is that users can trigger the system without being close enough to infect each other, which could lead to false positives.
The Verge reports that Apple says it’s investigating that issue. For the time being, public health apps using the API can include a duration that phones must wait to record a ‘proximity event.’ One suggested time would be five minutes. For example, that would mean a neighbour who walked by you on the street wouldn’t register on the system. If you stopped to chat, then the system could register that as a proximity event.
However, that interval could also lead to some holes in the data. In the current social climate of physical distancing and lockdown of all but essential services, there aren’t many situations where one person will spend more than five minutes with another in that kind of proximity.
At the moment, there are too many unknowns about the system and the apps that will use it to determine how much of an issue this will be, if it proves an issue at all. Suffice it to say that there will likely be some false positives, but the tradeoff could be worth it if the system can reliably warn people about potential exposure to COVID-19.
How does all this work?
During the first phase, which relies on third-party apps, it seems that the phones handle the exchange of identifier keys. When a person is positively diagnosed with COVID-19, the result would be entered into the app. With the users’ consent, the last 14 days of their generated identifier keys are uploaded to the cloud. Other phones periodically download the list of identifier keys and check for matches. When a match is found, the phone notifies its user that they were recently exposed to someone with COVID-19 and provides information about what to do next.
At the moment, there are a lot of questions about third-party apps. It’s not clear which organizations are working with Apple and Google at the moment, or how the apps will look and function. Presumably, the apps will be interoperable at some level. Since Apple and Google are working together on the API, the data will likely work between both iOS and Android. Further, all apps based on the same API presumably will be able to share data.
It’s also worth noting that the software solutions could vary drastically between regions and countries. While the API that powers this should be available in Canada, it currently isn’t clear if any Canadian public health agencies will utilize the software. Toronto previously suggested using cellphone data to combat COVID-19, but ultimately decided not to go through with the plan. This could be a less invasive method to accomplish the same goal.
Baking the system into the operating system could have its own problems
As for the second phase, Apple and Google have provided less detail about what this would look like. The goal seems to be that users can opt-in to the system through their phones’ settings. Then the phone would handle the key-swapping without a third-party app. Finally, if a user is exposed, the phone handles notifying them.
However, there are a few questions around this part of the plan. For one, how does the phone transition users from a warning about potential exposure to next steps? Would Canadian users be pointed to Canadian public health services and testing centres? Perhaps the warning notification will be vague, and users will be left to figure things out on their own?
The other significant issue would be operating system updates. While fragmentation is more prevalent on Android, not everyone with an iPhone is running the latest software either. If the system requires an OS upgrade, that could be as big a deterrent as asking people to download an app. And what about old phones that don’t support BLE? Granted, iOS has supported BLE since 2011 and Android since 2012, so most people will probably be okay on that front. Still, it’s something to consider.
The system does not replace manual contact tracing or testing
However this system is implemented, it must work in conjunction with manual contact tracing and wide-spread testing. On its own, there are too many potential flaws for countries to rely on the system entirely. It can serve as an excellent tool to warn people about possible exposure and stop them from spreading COVID-19, but it cannot replace testing.
Other countries are putting similar systems in place, including Singapore and China. Further, the Czech Republic plans to release a contact tracing app this month and Britain, Germany and Italy are developing their own tracing tools.
South Korea also has a wide-spread tracing tool it developed following the MERS outbreak in 2015. It relies more on location and other data shared with and disseminated by the government. People who have potentially crossed paths with someone carrying COVID-19 are notified via smartphone and tested for the virus. Further, South Korea uses contact tracing to test people on a colossal scale. This system helps narrow down who and where to test. The system is working for South Korea, which has managed to contain the spread of COVID-19.
While these tools can help contain the spread of the virus when mixed with wide-spread testing and manual contact tracing, privacy advocates are still worried. According to CBC News, privacy and civil liberties activists warn that tracing apps must be designed so that governments can’t abuse them to track citizens.
Apple and Google say their solution has privacy and security baked in. For the most part, it looks like that’s the case. But while BLE may be better for privacy, it could bring a host of other problems with it.
You can learn more about the Apple and Google contact tracing initiative from the following resources:
Update 13/04/2020: Many of the questions raised in this article were answered in a recent call with company representatives, which you can read here.