Apple, Google update exposure notification APIs with new protections and capabilities

Apple and Google plan to shut down the system once the pandemic is over


Apple and Google continue to provide updates and more details about their work on a COVID-19 tracking API, now referred to as ‘exposure notification.’ MobileSyrup has published several updates regarding the new details. You can find all the articles related to the exposure notification API below.

Roughly two weeks after Apple and Google’s initial announcement about a joint effort to develop APIs to help public health authorities track the spread of COVID-19, the two companies have released more details about how the system will work. Further, Apple and Google representatives outlined updates to the plan that will increase privacy protections and improve tools for health authorities.

As a reminder, the two companies are developing APIs to leverage Bluetooth Low Energy (BLE) technology on Android and iOS devices to determine if people come into contact with someone who has COVID-19. You can learn more about how the system works in prior coverage available here.

First and foremost, Apple and Google representatives detailed a shift in terminology to better represent the platform’s function. Instead of contact tracing, the companies will refer to the platform as exposure notification. The technology is intended to notify users of potential contact with someone who may have COVID-19. Further, the companies don’t intend to replace manual contact tracing performed by public health authorities with the tool. Instead, they hope to supplement contact tracing with information and data from the tool.

Changes to improve privacy protections

Company representatives outlined several changes that will improve privacy protections in a press briefing on April 24th. To start, Apple and Google will update the API that powers the system to randomly generate daily tracking keys instead of deriving them from a long-term key stored on devices.

Previously, each device stored a long-term key that was used to derive daily keys, which in turn were used to derive the rotating proximity keys shared with other nearby devices. Company representatives said they designed the system this way to increase efficiency and use less storage. However, Apple and Google determined that optimization wasn’t necessary.

Because the long-term key was no longer necessary, and it posed a potential identification risk if someone were to access the long-term key stored on your phone, the companies chose to avoid the problem entirely by removing the long-term keys.

Instead, the system will now use random rolling temporary keys that generate the proximity keys. Proximity keys still change randomly in 10 to 20-minute intervals.

Additionally, Apple and Google said the exposure notification system would now encrypt Bluetooth metadata. That change would make it more difficult for someone to try and identify a person using that information.

Finally, the API now includes a maximum exposure time of 30 minutes. When an app requests exposure time, time is recorded at five-minute intervals up to a maximum time reported at 30 minutes.

API changes to improve the quality of apps and reported results

Apple and Google representatives also detailed several API changes that should improve results for health authorities making apps to leverage the platform.

One of the most significant changes is that the API will now include information about the power level of Bluetooth signals in data traded between phones. Combined with the Received Signal Strength Indication (RSSI), this data can help estimate the distance between two phones when contact was made.

This change could help appease concerns about BLE leading to false positives. For example, BLE has a range of 30 feet, which extends far beyond the six-foot guideline for physical distancing. The API change could help health authorities determine if someone was closer or further away from a carrier of COVID-19 and therefore determine exposure risk.

To further capitalize on the change, Apple and Google will also allow developers to specify signal strength and duration thresholds for exposure events. In other words, health authorities will be able to define parameters that constitute what is and is not an exposure event. Company representatives said that these different standards wouldn’t impact interoperability. Instead, the parameters will act as a filter for phones looking for potential matches.
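The filtering described above, together with the 30-minute cap from the privacy changes, can be sketched as follows. This is an added example, not Apple's or Google's code: the `Sighting` and `Policy` types, the threshold values, the sample readings and the choice to round up to the next five-minute step are all assumptions made for illustration.

```go
package main

import "fmt"

// Sighting is one received beacon (constructed sample format, not the API's own type).
type Sighting struct {
	Seconds int // time covered by this scan window
	RSSI    int // received signal strength, dBm
	TxPower int // transmit power carried with the beacon, dBm
}

// Policy holds thresholds a health authority would choose (hypothetical names).
type Policy struct {
	MaxAttenuationDB int // sightings with more path loss are treated as too far away
	MinMinutes       int // reported duration needed to count as an exposure event
}

// Attenuation is the path loss in dB: power sent minus power received.
// RSSI alone cannot tell a distant strong transmitter from a nearby weak one.
func Attenuation(s Sighting) int { return s.TxPower - s.RSSI }

// ReportedMinutes sums the time of sightings inside the attenuation threshold,
// rounds up to a 5-minute step (rounding direction assumed) and caps at 30.
func ReportedMinutes(ss []Sighting, p Policy) int {
	secs := 0
	for _, s := range ss {
		if Attenuation(s) <= p.MaxAttenuationDB {
			secs += s.Seconds
		}
	}
	steps := (secs + 299) / 300
	if steps > 6 {
		steps = 6 // the cap keeps long contacts from standing out
	}
	return steps * 5
}

// IsExposure applies the duration threshold to the quantized, capped value.
func IsExposure(ss []Sighting, p Policy) bool {
	m := ReportedMinutes(ss, p)
	return m > 0 && m >= p.MinMinutes
}

func main() {
	p := Policy{MaxAttenuationDB: 55, MinMinutes: 10}
	near := []Sighting{{420, -60, -12}, {300, -58, -12}} // constructed: 48 dB and 46 dB
	far := []Sighting{{900, -85, -12}}                   // constructed: 73 dB, filtered out
	fmt.Println(ReportedMinutes(near, p), IsExposure(near, p))
	fmt.Println(ReportedMinutes(far, p), IsExposure(far, p))
}
```

Because the thresholds are applied on the receiving phone, two authorities with different policies still exchange the same identifiers; only the local match filter differs.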

Additionally, the two companies will update the API to allow health authorities to determine the number of days since the last exposure event. Access to this information can help authorities better communicate next steps to users.

Finally, the two companies will switch encryption from the HMAC standard to AES, which is an industry standard. Many devices have built-in hardware to accelerate AES encryption. That should lead to improved performance and will prevent the system from slowing down people’s phones.
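The key changes described under the privacy heading and the move to AES can be seen side by side in the sketch below. It is an added example, not code from Apple or Google: the info labels, byte layout and sample numbers are assumptions not stated in this article, and the long-term key is a constructed value.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hkdf16 is HKDF-SHA256 (RFC 5869) with a zero salt and 16 bytes of output.
func hkdf16(ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // extract step
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand step, first block only
	exp.Write(append(append([]byte{}, info...), 1))
	return exp.Sum(nil)[:16]
}

// OldDailyKey: earlier design, every daily key is a function of one stored long-term key.
func OldDailyKey(longTerm []byte, day uint32) []byte {
	info := append([]byte("CT-DTK"), 0, 0, 0, 0) // label and layout assumed
	binary.LittleEndian.PutUint32(info[6:], day)
	return hkdf16(longTerm, info)
}

// NewDailyKey: updated design, each day's key is fresh randomness with no parent key.
func NewDailyKey() []byte {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// ProximityID derives one rolling identifier with a single AES-128 block operation.
func ProximityID(daily []byte, interval uint32) []byte {
	block, _ := aes.NewCipher(hkdf16(daily, []byte("EN-RPIK"))) // 16-byte key: cannot fail
	buf := make([]byte, 16)
	copy(buf, "EN-RPI") // label assumed; bytes 6..11 stay zero
	binary.LittleEndian.PutUint32(buf[12:], interval)
	block.Encrypt(buf, buf)
	return buf
}

func main() {
	lt := []byte("constructed long-term key")
	fmt.Printf("old %x\nnew %x\n", OldDailyKey(lt, 18376), ProximityID(NewDailyKey(), 2646144))
}
```

In the old design, whoever reads the long-term key off a phone can recompute every daily key that phone has used or will use; with random daily keys, a key for one day says nothing about any other day.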

When and how exposure notifications will come to users

Despite recent reports that the exposure notification system could start rolling out to users on April 28th, Apple and Google representatives say they’re targeting mid-May for the release of the first phase of the system.

Further, the companies still plan to deliver the platform in two phases. The first will be an API system that public health authorities can build interoperable apps on. Users will still need to download an app to opt in to the exposure notification system. The second phase will see the tools built directly into iOS and Android so that users don’t need to use a third-party app to participate. However, people will still need to opt in to exposure notifications through a settings menu in their phone. Company representatives said the second phase will be available in the coming months.

Additionally, Google still plans to deliver the first phase to users via a Play Services update. By pushing out the update through Play Services and not through an Android OS upgrade, the API would be able to cover roughly 2 billion Android devices.

As for Apple, the company remained tight-lipped about how it would deliver the API to iOS users. Company representatives did say that Apple would focus on delivering it to devices running iOS 13 first since the majority of iOS devices are running that version of the OS. However, Apple representatives did not discuss how the update would come to phones on older versions of iOS.

While the changes are good, they still don’t answer all of the questions surrounding the effort. For one, these changes don’t address how health authorities will verify positive diagnoses and prevent trolls from claiming to be infected. The companies appear to be leaving that up to local public health authorities.

Both companies claim they can turn the system on and off at a regional level. Further, Apple and Google plan to shut down the system once the COVID-19 pandemic is over.

In the case of Canada, the government is in the early stages of assessing the use of technology in combatting COVID-19. At the moment, all options are on the table, but it’s not clear if or how Canada would incorporate Apple and Google’s exposure notification platform.

If you’re curious about the details of Apple and Google’s joint effort, the companies plan to release a FAQ page to answer people’s questions. We’ll add a link to it when it goes live.