A Synopsis Of Apple And Googles Contact Tracing APIs

TLDR

Apple and Google are creating interfaces that allow app developers to use the Bluetooth on your cellphone to anonymously track people you’ve been in proximity too, and to notify those people that you’re in proximity to them. Users can then self-report positive COVID-19 diagnosis, and your phone would check to see if you’ve been exposed to those users. Uptake of these interfaces is dependent on public health organizations developing apps to use them. Apple and Googles approach is both privacy focused and largely decentralized.

In April of 2020 Apple and Google announced a joint effort around COVID-19 contact tracing technology. I wanted to dig in to how they were accomplishing this from a technology standpoint, and provide a bit of a laymen’s explanation.

First Off, A Note On “Contact Tracing”

Contact Tracing is literally the process of tracing who a person has come into contact with over a period of time. During previous disease outbreaks organizations such as the CDC would use contact tracing to determine who’s been exposed to a contagion so that they could isolate and be treated. During ideal times this could take place before a disease outbreak reaches epidemic or pandemic proportions. We kind of missed that phase. We’re now in full pandemic mode, with the question of how do we come out of this, continue to lower the spread, and eventually re-open the world. New York Governor Cuomo has stated he plans on building a contact tracing army, with the help of former NYC Mayer Michael Bloomberg. Tracing is a manual process of interviewing people, then reaching out to those infected.

Clearly, we can use some technology to aid this process. Apple states in its documentation that “The goal of this project is to assist public health authorities in their efforts to fight COVID-19 by enabling exposure notification in a privacy-preserving manner and the system is designed so that the identities of the people a device comes in contact with are protected. “3

Given the fact that many of us constantly carry around Cell Phones, they are a likely aid in this process. We could easily develop technology that simply uses the location services in our phones to determine people’s locations in real time, and compare the overlap. This creates huge privacy issues and concerns, essentially governments would be tracking our every movement. If there’s one thing Apple has touted the last few years, it’s their commitment to privacy.

So how do you safely and securely track who people come into contact with, without privacy concerns? Apple and Google plan to do this using Bluetooth and not GPS/location data from your phone. Essentially no one will track where you’ve been, but rather your phone will track who you’ve been near.

A Two Phased Approach

Apple and Google have will roll this out in two phases.

Phase one is the release of what are called “API”s (Application Programming Interface), basically tools developers can use to build apps. This means you’ll need to download and setup an app to participate. Currently Apple and Google have pledged to only allow Apps from “public health authorities” 3. The APIs were released on April 29^th and May 4^th on Apple and Google also released sample code as reference for developers. Sample code is used to demonstrate how a developer interacts with APIs, and often times can be used as the foundation of new apps.

Phase two will see the technology built directly into iOS and Android, meaning you won’t need to install an app, just turn on a setting on your phone. We’re a little light on details for phase two but I suspect you will still need an app for certain areas of functionality, such as a self-report of a Covid-19 diagnosis. Having the technology and settings at an OS level should still allow you to start participating and collecting data of your possible exposure.

What Will Your Phone Do?

The Apple-Google APIs (let’s just call them “The APIs” for short for now) will allow your phone to broadcasting a Bluetooth signal. These broadcasts will not include any personal data, but instead your phone will transmit a made-up identifier known as a “key”, and this key will change every 15 minutes. Your phone will be listening for other people’s keys, and will store them.

If you come down with symptoms you will be able to report that in app, and only then will the app upload a list of the keys your phone broadcast. Again, there’s no Personally Identifiable Information (commonly referred to as PII) being sent, so privacy is preserved.

For people who aren’t symptomatic, the app will periodically (right now it’s documented as “At least once per day”) download a list of the Keys that have been identified as belonging to people who tested positive for Covid-19. If your device stored one of those keys, it would match it and notify you that you’ve potentially been exposed. Included in this list is “the day the contact occurred, how long it lasted and the Bluetooth signal strength of that contact.”3 This information should aid in determining your risk of exposure.

While Apple and Google’s approach has been called “decentralized” in that your device stores all of the keys it receives, as opposed to transmitting them back to say your government, a centralized server is used when you chose to report you’re positive for COVID. Personally, I’d call this more of a hybrid approach if we want to be 100% technically accurate in how we describe it. In contrast, the centralized approach of some governments means all of your interactions will be transferred back to said government, and they will be able to identify you.

What’s important to note about these APIs is that they will work in the background, meaning you don’t need to leave your phone on and a specific app open. Your device will handle everything even if the screen is off and it’s in your pocket. This represents a slight digression from previous Apple functionality that’s geared towards security/privacy, and as such Apple and Google have also stated they will sunset the functionality when it’s no longer needed.

It’s noteworthy to point at that this work seems to be influenced by/based on the PACT protocol envisioned by MIT as well as the European DP-3T Protocol. 7, 15

Issues With This Approach

Bluetooth is a versatile technology, that’s already present on hundreds of millions of devices, but it’s still based on radio waves. Some building materials can easily obstruct these waves while others will allow these signals to pass through walls. So, while your device may pick up someone else’s Key broadcast, you could be in a completely different room, or possibly in a car near them. Recording the strength and duration of the can mitigate some of, but not all of, this concern. You could also be the case that you come with in 10 feet of someone who tests positive, but you’re both wearing masks, and thus have a lower chance of an actual exposure.

As well, for phase one Apple states “Public health authorities will set a minimum threshold for time spent together, such that a user needs to be within Bluetooth range for at least 5 minutes to register a match. “3 So it’s up to health officials to determine what’s considered a potential exposure and when to notify a user.

Another Issue we could see is some level of App fragmentation. Currently, no federal government entity in the US has come forward as saying they’ll implement this in an app, so these apps may exist in some states but not others.

Governmental Response

Thus far the reaction from governments has been mixed. Some countries have chosen to use the Apple and Google APIs while others have opted for their own solutions.

Here in the US the CDC ‘s guidelines for “Preliminary Criteria for the Evaluation of Digital Contact Tracing Tools for COVID-19“. A quick review seems to fall in line with Apple and Googles approach thus far, although the CDC guidelines include more clinical “Case Management”, essentially managing Positive Patients. What’s interesting here is by publishing these guidelines for other “health departments” to utilize, it does suggest that the CDC themselves may not take the lead for this at a national level and publish their own app. As I’m writing this Utah is releasing an app of their own, which records and reports users locations instead of using the Apple and Google API.

In Canada, the Province of Alberta has released their own app. The initial version of the app does not use the Apple and Google APIs but they have stated the next version will adopt them.

In the UK the government has opted to not use the Apple and Google approach and corresponding APIs. Instead they created their own app that will use Bluetooth for proximity, but will utilize more of a centralized database to track interactions. CNN Posted that this was to comply with privacy laws, however, I haven’t seen anything that demonstrates why Apple and Googles solutions were not compliant (I’m not a GDPR expert but the APIs seem to be compliant). The app also seems to suffer from the limitation that it will need to be open and on a user’s screen to function properly. The app is initially being rolled out for the Isle of Wight.8 The Guardian notes that there are some concerns that the app won’t be adopted by UK citizens out of privacy concerns. 14

France likewise has created their own app similar to the UKs, and even went so far as to call Apple out (but not Google…) for not changing iOS’s Bluetooth security model to suit their app. 9

Germany was initially working on their own centralized system but then announced they would utilize the Apple and Google solution. 10 However, it was announced in an effort lead by Switzerland that a number of European nations, including Germany, Italy, Austria, Estonia, Finland, and Portugal, would be working together on a solution. Due to the laws that allow Citizens of European Union members to freely move between nations this is an important coalition.

Note: I want to research Background Bluetooth limitations in iOS some more before I speculate or comment. There’s a lot of conflicting information about how iOS and Bluetooth behave if you close the app. It’s worth noting that iOS 13 added additional permissions that a user has to opt into to allow certain Bluetooth interactions to occur in the background (mostly location services that work via Bluetooth beacons). Screenshots for the UK app indicate the request of background Bluetooth permissions.8 From what I’ve researched you can receive Bluetooth data but not transmit it while the app is in the background.

Conclusion

Right now, I think we need all the help we can get in the fight against COVID. Using mobile technology to aid in Contact Tracing, even if it’s not perfect, is a powerful tool to fight the spread of the virus. Apple and Google’s privacy focused approach goes a long way to alleviate concerns about governments tracking their citizens. As soon as Phase 1 apps, and Phase 2 OS settings are available I recommend everyone downloads and sets them up. We really are all in this together, and the more we can trace new infections, the more we can self-isolate and contain the spread of this virus.