Tech giants Apple and Google announced that they are building together a Bluetooth based COVID-19 contact tracing tool. It will help individuals determine whether they have been in contact with a COVID-19 infected person. The collaboration will assist health officials track the spread of Coronavirus and inform potentially exposed people so that they can get tested without violating the infected patient's privacy.
The Google and Apple engineering teams are working on application programming interfaces (APIs) and operating system-level technology to enable contact tracing. The APIs would allow iOS and Android to exchange information and make use of them. The app once released by Apple and Google will be available for download on the App Store and the Play Store.
Contact tracing is a useful tool that allows public health authorities to track the spread of the disease. It works by identifying and following up with people who have come in contact with a person infected by COVID-19.
Apple and Google have been working on the project for the past two and a half weeks. The plan was to release these tools in May followed by converting them into iOS and Android software to allow more people to use them.
Apple and Google’s COVID-19 contact tracking technology will be released on April 28th. From April 28 , the contact tracing API will be available to software developers for building apps on behalf of public health agencies.
Apple and Google said the following in a joint statement,
“Since COVID-19 can be transmitted through close contact with affected individuals, public health officials have identified contact tracing as a valuable tool to help contain its spread. Many leading public health authorities, universities, and NGOs around the world have been doing important work to develop opt-in contact tracing technology. To further this cause, Apple and Google will be launching a comprehensive solution to assist in enabling contact tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy.”
The companies added,
"Through close cooperation and collaboration with developers, governments, and public health providers. We hope to harness the power of technology to help countries around the world slow the spread of COVID‑19 and accelerate the return of everyday life."
Google CEO Sundar Pichai tweeted about the project on Twitter, saying the two companies are committed to working together on these efforts. Similarly, Apple CEO Tim Cook added in his own tweet that the new initiative respects transparency and consent.
How will the Tool work?
Contact tracing is a well-known and debated tool. But it needs to be adopted by health authorities and universities working on multiple projects to contain the spread. For instance, MIT’s efforts to use Bluetooth to create a privacy-conscious contact tracing tool was inspired by Apple’s Find My System. But such organizations identified technical hurdles they were unable to overcome and asked for help.
The system uses on-board radios in your device to transmit an anonymous ID over short ranges using Bluetooth technology. If two people happen to be near each other for a period of time, their phones exchange the anonymous identifiers every 15 minutes. With additional consent, the servers transmit your rotating IDs of the last 14 days to other devices for searching a match.
A match is determined based on amount of time spent and distance maintained between two devices. People—whether symptomatic, asymptomatic, or diagnosed with COVID-19—have their IDs fed into the system via a Public Health Authority app that has integrated the API. If a match is found with another user tested positive for COVID-19, you are notified and can take steps to be tested and go into self-quarantine.
Privacy and Transparency
Both Apple and Google say that privacy and transparency will be prime in a public health effort like this one. They are committed to building a system that does not compromise with personal privacy in any way. There will be zero use of location data, which includes users who report positive. This tool is not about where affected people are but instead whether they have been around infected individuals.
All this would be done without revealing your name or any other data as the tech giants promise complete privacy. You will not be told about the person who has contracted Coronavirus, but be notified that you have come in contact with a COVID-19 positive person.
The system works by assigning a random rotating identifier to a person’s phone and transmitting it via Bluetooth to nearby devices. That identifier which rotates every 15 minutes and contains no personally identifiable information. Also, the list of identifiers you’ve been in contact with doesn’t leave your phone unless you choose to share it.
Users that test positive will not be identifiable to other users, Apple, or Google. Google and Apple can disable the broadcast system entirely when it is no longer needed.
Apple and Google plan to release the contact tracing tools in two phases. Each phase would have different objectives and add new features.
The first phase includes a private proximity contact detection API that will be released by both Apple and Google for use in apps on iOS and Android. This API will be a simple one and relatively easy for existing or planned apps to integrate. The API would allow apps to ask users to opt for contact tracing, allowing their device to broadcast the rotating identifier to devices that the person “meets”. This would trace people who may come in contact with COVID-19 patients to alert them about taking further steps.
The second phase of the project is to improve efficiency and adoption of the tracing tool by bringing it to the operating system level. There would be no need to download an app. The users would just opt for the tracing right on their device. The public health apps would continue to be supported but this would address a much larger spread of users.
This phase will be for the coming months. It would give the contract tracing tool the ability to work at a deeper level, improve battery life, effectiveness, and privacy. If handled by the system properly, then improvement in areas like cryptographic advances would benefit the tool directly.
Will there be any Ads?
Google and Apple have clarified that there will be no ads. Ad-targeting firms wouldn't be allowed to directly implement Bluetooth contact-tracing protocol to track users.
But a possible scenario as suggested by cryptographer Matthew Green mentions that an advertising firm could put Bluetooth gadgets in stores that collect contact-tracing codes emitted by visiting customers. The firm could then use the public health app to download all the keys of people who are later diagnosed as COVID-19 positive and generate all of their codes for the last two weeks.
This would allow retailers only to track people who reported themselves as COVID-19 positive. Not everyone using the tool can be tracked i.e. the vast majority of users would be left out. It would also allow only those few infected people to be tracked.
The decision about advertisements depends on Apple and Google. They need to continue to deny advertisers access to the API even after the Coronavirus threat fades.
Will Contact Tracing Apps ask for Location Data?
The API will trace Covid-19 infections based on Bluetooth contacts rather than GPS location data to avoid privacy infringement. But some critics have pointed out that contact-tracing apps that use Google and Apple's Bluetooth-tracing API will inevitably ask for location data anyway.
According to the initial description of Apple and Google's API, the app user's phone would have to download the keys of every newly diagnosed Covid-19 person every day. Instead, apps could better determine the keys need to be downloaded by collecting location data, sending users only the keys relevant to their area of movement.
That doesn't mean some apps won't ask for location data anyway. Representatives from Google and Apple's joint project told if the app asks the users for their region, the general location would allow the app to download a manageable number of keys. The number of keys would depend on the number of cases in the region.
Google and Apple said that it would depend on the app developers. Only developers will have to work towards the most privacy-preserving approach. Every app will need to be judged independently on how it implements that framework.
Can the App itself Identify Covid-19 Patients?
Even if the keys that the app uploads to a server can't identify someone, they could, for instance, be linked with the IP addresses of the phones that upload them. That would let whoever runs the server—most likely a government health care agency—to identify the phones of people who report as positive, and thus their locations and identities.
Through the use of HTTPS encryption, apps can prevent anyone other than the server from spying on those IP addresses and identifying diagnosed users. However, Google and Apple both say the server shouldn't collect those IP addresses as a matter of policy. But it's up to the app developer to follow that policy.