Apple and Google have rolled out the first phase of their COVID-19 contact tracing framework. It makes it possible for public health authorities across the world to connect their apps with data that could help them identify people at risk from the virus.
This is the first phase in a two-part rollout of the Apple and Google framework originally announced on 10 April. It isn’t an app, but rather an Exposure Notification application programming interface (API) that apps can interact with. Those apps must be contact tracing apps from from public health authorities. Users must download and authorise those apps to participate.
Here’s how it works: a phone running an app that uses the API will periodically use Bluetooth to ping other phones with a random beacon – a string of characters that isn’t connected to the user’s identity information. That beacon changes frequently to increase security, but the phone keeps a list of the beacons that it sends out. It also stores a list of all the beacons that it receives from phones nearby.
If a person tests positive for the virus, they can enter the test result into the public health authority’s app to show it that they’re infected, and give it permission to upload the last 14 days of beacons that their phone has transmitted. Those beacons are stored in the cloud, but they’re the phone’s own. It doesn’t send the beacons that it has collected from other phones.
Each day, phones running an app that uses the API will download a list of beacons from phones whose users have tested positive for the virus. It checks the beacons that it has collected locally from interacting with other phones against that downloaded list. If there’s a match, that’s a good indicator that the user has been in contact with an infected person. No one will know who that is, but the app will notify the user that they’re at risk and tell them what to do next.
Google and Apple worked together on the API so that phones using each of their operating systems can exchange beacons with each other.
The framework has some properties designed to preserve privacy while making them more accurate. First, it doesn’t use GPS data, meaning that the API won’t send users’ locations back to the cloud (this doesn’t apply to other apps or operating system features, though). Using Bluetooth rather than GPS location to track proximity is more accurate because the framework can estimate how close people are within a six-foot radius using Bluetooth signal strength. GPS won’t give you this level of accuracy.
Some countries, such as Germany, have agreed to use the framework for their apps. Others, including the UK, have chosen to develop applications using their own data architecture in a more centralized approach. The NHS contact tracing app also uses Bluetooth proximity tracing. Unlike the Apple/Google framework, though, it sends a list of anonymous IDs that an infected user’s phone has collected from other phones. It also stores part of an infected person’s postcode in a central cloud database.
This week, the government delayed the launch of that app, according to the Guardian, following a warning of security flaws in the system. Researchers sounded an alarm about the transmission of more detailed interaction records and long storage times for information. They said:
Whilst we understand that more detailed records may be desirable for the epidemiological models, it must be balanced with privacy and trust if sufficient adoption of the app is to take place.
Widespread adoption is crucial to slow or halt the spread of the virus according to academics, who have said that an app could halt the virus outbreak if 80% of all smartphone users adopted it.
Today, Apple and Google are leaving it up to public health authorities to build apps that can take advantage of their API. In the second phase, the companies will embed the app functionality directly into their operating systems, albeit with an opt-in requirement. It will support the same beaconing and notification functionality, but will then prompt at-risk users to install the appropriate public health authority app.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Ira Kroll
There is already an app that purports to do this: Novid.
Would it be possible to review it?
Pete Haigh
Time for a flip phone
Ian R
Doesn’t leaving Bluetooth on weaken the phones security and end user privacy?
Paul Ducklin
A bit, yes, because you’re identifying yourself (in a weak sort of way) to all and sundry passing by, and allowing apps on your phone (including the Covid-19 tracker) to make inferences about your location based on other Bluetooth devices that are identifting themselves nearby.
spryte
“Those beacons are stored in the cloud, ” You mean “on someone else”s computer” … The Laws of Uninteded Consequences say this will get out of hand more quickly than COVID19 (IMHO).
Anon
What if people who download the app decide to be pricks and mark themselves positive in-mass when they aren’t? People are going to be A-holes and hostile to anything new and some simply want to troll and watch the world burn. Is there a way to keep this sort of “attack” from happening?
Paul Ducklin
I guess the “how to decide how seriously to take reports both of contacts and of infections” is beyond the remit of the API itself, which is about how to manage a web of contacts (replace Covid-19 with any other item you like) in a way that keeps you pseudoanonymous and doesn’t entrust a central authority with all the collected data. This is just a way to build an app that can do contact tracing, whatever than means, without the giant central database that some apps are planning to use instead.
Danny Bradbury
I’d be more worried about one or two people falsely marking themselves positive and then leaving their phone in a high-traffic area just for the lulz. I think there’s only so much the designers can do to counter bad actors, though, and I imagine that kind of activity would get noticed and weeded out pretty quickly.
Ema
I expect Google and Apple made their API interface contract available to government earlier, which means they should be able to do an inplace swap. The API will only function during the emergency period and if everyone uses it could allow us to hit back hard at the virus, by only locking down those that have been in contact. It would be good if the government app gave back a rating of risk, low, medium and high based on number of close connections you network.
Wouter
Next step. It’s always on. No way to opt-out.
Oh and Apple and Google already conveniently and silently added more ‘features’ to the API such as location data and device id.
No thank you
Al
Actually it’s a “Exposure Logging” API, not “Contact Tracing” as it was incorrectly named in the beta version. Only the user will know if they have been exposed and must voluntarily self-report to any Contact Tracing efforts conducted by their Public Health authorities.
Danny Bradbury
The official name for the API is Exposure Notification, as per the companies’ documentation. Contact tracing is a generic term.