The Security behind Apple’s and Google’s API for Tracing COVID-19 Infections

Gonzalo Álvarez Marañón    3 June, 2020

How to stop the spread of COVID-19? At the moment, there are only partial answers. Among them, contact tracing has proven to be effective since the 19th century: identifying as quickly as possible people who might have been exposed to the virus. Unfortunately, it is a laborious and slow process that relies on face-to-face or telephone interviews and requires delicate detective work.

Aren’t we supposed to live in the 21st century? Why not use the smartphones that everyone carries in their pockets to keep track of potential infections? Let our devices keep track of contacts and, if someone is later found to be infected, automatically notify those who had been near that person.

Everyone Wants Their Own Tracing App

Driven by this idea, governments around the world embarked on a breakneck race to develop apps, services and systems for tracing infections, with greater or lesser respect for privacy.

Concerned about citizens’ rights, several research groups have developed privacy protocols, including the TraceTogether team from Singapore; the Private Automated Contact Tracing (PACT) group, led by researchers from the Massachusetts Institute of Technology (MIT) in Cambridge; and the Pan-European consortium Decentralized Privacy-Preserving Proximity Tracing (DP-3T).

There are so many contact tracing apps, and so much confusion around them, that MIT launched the Covid Tracing Tracker project to track the trackers. As of May 22, 25 automated tracing efforts for individual and significant contacts worldwide have been documented, including details on what they are, how they work, and what policies and processes are in place regarding them.

Apple and Google Burst In with Their Technological Proposal for Exposure Logs

At the start of this tracing app fever, on April 10th, Apple and Google signed an unprecedented agreement to jointly develop a Bluetooth-based tracing technology. The two rivals worked on their API with an unwavering goal: privacy first. They clashed with many governments that did not share their zealous protection of privacy, such as France or the United Kingdom and their Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), who advocate for centralized schemes with geolocation via GPS.

But all their claims fell on deaf ears: either they played according to the rules developed by Apple and Google, or they created their apps on their own. In the end, governments and public institutions had no choice but to surrender to the evidence: no one can compete against the partnership of two technological giants like Apple and Google. So, on May 20th, Apple and Google announced that their API was ready for exclusive use by public health agencies and would be used in 22 countries:

«What we’ve built is not an app—rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better. Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps»

If you have installed the latest update for their respective operating systems, you can check that support for installing apps is already available.

How the Apple and Google Exposure Notification API Works

In this presentation, Apple and Google explain how it works in a simple way:

  • Alice and Bob own an iPhone and an Android phone, respectively, both with a health application using the Exposure Notification API. On Thursday, they meet, sit on a bench and chat for a while. During this time, each of their phones transmits totally anonymous, changing identifier beacons while collecting the identifier beacons transmitted by the other person's phone. Their phones know that they have been in contact and store that data on the device itself, without transmitting it anywhere else.
  • A week later, Bob shows symptoms of COVID-19, goes to his medical centre and is positively diagnosed for the disease. He opens his health application, verifies his diagnosis by using the documentation from his official health care provider, and his phone uploads the last 14 days of his identifier beacons to a cloud server.
  • Later that day, Alice’s health application downloads a list of all the beacons of everyone who has recently tested positive for COVID-19. Because of her contact with Bob, Alice receives a notification informing her that she has been exposed to someone who has tested positive for COVID-19. Alice does not know that it was Bob who tested positive for COVID-19 because no personally identifiable information was collected. However, the system knows that Alice was exposed to a COVID-19-infected person for 10 minutes on Thursday, on the basis of the strength of the Bluetooth signal between their two phones.
  • Alice follows the steps provided by the health application, which tells her what to do after exposure to COVID-19. If Alice later gets infected with COVID-19, she will follow the same steps mentioned above to alert people she has been in contact with, allowing everyone to better control their potential exposure.
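
The Alice and Bob exchange above, as an added Python sketch that is not Apple's or Google's code. It goes one step beyond the article's description by deriving each 10-minute beacon from a random per-day key, as the published specification does; HMAC-SHA256 stands in here for the specification's key-derivation and encryption steps, and the `Phone` class, day numbers and intervals are constructed for the illustration.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144   # one identifier per 10-minute interval
RETENTION_DAYS = 14       # upload window described in the article

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Beacon identifier for one interval (HMAC-SHA256 stand-in, 16 bytes)."""
    msg = b"demo-beacon" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_keys = {}   # day -> random key; stays on the device by default
        self.heard = set()     # identifiers received over Bluetooth, stored locally

    def beacon(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def report_positive(self, today: int) -> list:
        """Keys of the last 14 days: the only data that leaves the phone."""
        oldest = today - RETENTION_DAYS
        return [(d, k) for d, k in self.daily_keys.items() if oldest < d <= today]

    def check_exposure(self, published: list) -> list:
        """Re-derive identifiers from published keys and match them on the device."""
        return sorted((day, i) for day, key in published
                      for i in range(INTERVALS_PER_DAY)
                      if rolling_id(key, i) in self.heard)

def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()
    # Constructed meeting: day 3, intervals 60 and 61; Carol is never nearby.
    for interval in (60, 61):
        alice.hear(bob.beacon(3, interval))
        bob.hear(alice.beacon(3, interval))
    carol.beacon(3, 60)
    server = bob.report_positive(today=10)   # Bob is diagnosed a week later
    return alice.check_exposure(server), carol.check_exposure(server), server

if __name__ == "__main__":
    alice_hits, carol_hits, _ = simulate()
    print("Alice matched (day, interval):", alice_hits)
    print("Carol matched:", carol_hits)
```

The server only ever holds the keys Bob chose to upload; the list of who met whom exists solely in each phone's `heard` set, which is why the match has to be computed on the device.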

Restrictions Imposed by Apple and Google for Public Health Apps Using Their API

Do you want to use the Apple/Google Exposure Notification API in your app? You will need to follow a few restrictions if you want to get it approved:

  • Apps must be created by or for a public health agency.
  • Only one app per country is allowed, to ensure that there is no fragmentation and to promote high user adoption. However, different versions per state or province are allowed.
  • Explicit user consent required.
  • Do not collect or use GPS location data from your phone.
  • Bluetooth beacons and keys do not reveal user identity or location.
  • User controls all data they want to share, and the decision to share it (including a positive test result).
  • People who test positive are not identified to other users, Google, or Apple.
  • Apps will only be used for exposure notification by public health authorities for COVID-19 pandemic management.
  • No other use of user data, including targeted advertising, is permitted.
  • It does not matter if you have an Android phone or an iPhone – works across both.

Two Major Challenges Ahead

Beyond privacy concerns, with or without Apple’s and Google’s help, these apps continue to face several difficult challenges that underscore their usefulness and necessity. Two stand out:

  • Accurate proximity measurement: A key practical challenge for Bluetooth phone contact tracing is making accurate measurements of how close two devices are. Bluetooth technology measures the distance between devices based on the strength of the signal, but this strength can be affected by many factors, such as phone orientation and whether the devices are outdoors or indoors. For example, if two people are standing back to back holding a smartphone in their hands, they may be detected as keeping the established social distance when they are actually touching each other. If we want to use these apps to monitor the coronavirus, we will need much better data to measure distance. At MIT’s Lincoln Laboratory they are carrying out experiments with mobile robots equipped with smartphones to improve the accuracy of distance measurement.
  • Adoption by critical mass of citizens: Another challenge to make the system effective is to ensure that enough people download the application – at least 60% of the population. The problem is that not everyone has an iPhone or an Android smartphone. As a matter of fact, the most vulnerable groups, such as the elderly and the socially disadvantaged, have the lowest adoption rates for such devices.

Technological Mirage or Crucial Weapon in the Fight against the Virus?

Although no one doubts the effectiveness of contact tracing in curbing the spread of pandemics, these apps are born into controversy, and criticism is heard from all sectors. There are doubts about their effectiveness, their massive adoption, and their guarantee of privacy. However, according to Dr Michael J. Ryan, Executive Director of the WHO Health Emergencies Programme:

«Perfection is the enemy of the good when it comes to emergency management. Speed trumps perfection … The greatest error is not to move. The greatest error is to be paralyzed by the fear of failure. If you need to be right before you move, you will never win».

The next few weeks will show whether these apps are the geek’s dream of a hypertechnized society or an essential partner in the fight against the coronavirus. At the very least, we had to try.
