1. Details about Apple/Google Launch

Yesterday (May 20, 2020), Apple and Google launched software that will allow public health authorities to create mobile applications that notify people when they may have come in contact with people who have confirmed cases of COVID-19, while purportedly preserving privacy around identifying information and location data. People who have updated their phones with the latest software will be able to share their Bluetooth signal, logging when the radio recognizes other people who have downloaded an app that uses the software.

Their public launch means that health agencies can now use the API in applications released to the general public. To date, Apple and Google had only released beta versions to help with the development process.  (To be clear, Apple and Google are not themselves creating an exposure notification or contact tracing application – but the launch means that developers working on behalf public health agencies can do so.)  This “exposure notification” tool uses Bluetooth radios within smartphones, and will be part of a new software update the companies will be pushing out Wednesday. State and federal governments can use it to create contact tracing applications that citizens can download via the Apple Store or Google Play store.

Many U.S. states and 22 countries across five continents have already asked for, and been provided access to, the API to support their development efforts, and they anticipate more being added going forward. So far, Apple and Google say they have conducted more than 24 briefings and tech talks for public health officials, epidemiologists and app developers working on their behalf.

The exposure notification API uses a decentralized identifier system with randomly generated temporary keys created on a user’s device (but not specifically tied to personally identifiable information). Public health agencies can define parameters around exposure time and distance, and can tweak transmission risk and other factors according to their own standards.

The applications are allowed to combine the API and voluntarily submitted user data provided through individual apps to enable public health authorities to contact exposed users directly to make them aware of what steps they should take.

Apple and Google have incorporated various privacy protections, including: (a) encryption of all device-specific Bluetooth metadata (e.g., signal strength, specific transmitting power), and (b) explicitly barring use of the API in any apps that also seek geolocation information permission from users.  Because many public health authorities developing contact tracing were considering using geolocation data, this privacy measure has prompted some to reconsider their approach.

Apple and Google provided the following joint statement about the API and how it will support contact-tracing efforts undertaken by public health officials and agencies:

One of the most effective techniques that public health officials have used during outbreaks is called contact tracing. Through this approach, public health officials contact, test, treat and advise people who may have been exposed to an affected person. One new element of contact tracing is Exposure Notifications: using privacy-preserving digital technology to tell someone they may have been exposed to the virus. Exposure Notification has the specific goal of rapid notification, which is especially important to slowing the spread of the disease with a virus that can be spread asymptomatically.

To help, Apple and Google cooperated to build Exposure Notifications technology that will enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones. Over the last several weeks, our two companies have worked together, reaching out to public health officials scientists, privacy groups and government leaders all over the world to get their input and guidance.

Starting today, our Exposure Notifications technology is available to public health agencies on both iOS and Android. What we’ve built is not an app — rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better. Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps.

Today, this technology is in the hands of public health agencies across the world who will take the lead and we will continue to support their efforts.

Google and Apple are also releasing draft technical documentation including Bluetooth and cryptography specification and framework documentation.

2. Privacy Reactions and Concerns Regarding Contact Tracing Applications

Many within the privacy community are focused on whether these types of applications meet the principles of “Privacy by Design”, with much emphasis being placed on using decentralized tracing rather than location data stored in central databases. The UK data protection authority (UK ICO) concluded on April 17, 2020 that proposals for the contact tracing framework itself “appear aligned with the principles of data protection by design and by default”, based on certain assumptions.  At the same time, France asked Apple to remove the limitation that Apple’s operating system prevents contract tracing apps using its Bluetooth technology from running constantly in the background if that data is going to be moved off the devise, a limit designed to protect user’s privacy, but which France said was standing in the way of the type of app that France wanted to build.

It is important to recognize that technology (in the form of a contact tracing application) is only a part of the solution, and that many security and privacy issues arise not only from the technology itself, but in the purpose, process, and manner in which it is used. For employers considering the use of contact tracing technologies or applications leveraging the Apple/Google APIs, a number of questions need to be addressed. For example:

  • Will you require employee consent and on what conditions? Will the contact tracing app continue to monitor after work hours are over?
  • How will you handle external requests (e.g., law enforcement, state/local government, hospitals, health authorities, nonprofits, etc.)?
  • Will your process be forward- or backward-looking? Will you penalize those who violate social distancing requirements based on this information to prevent infection? Or simply wait until positive testing results indicate a positive infection, and then look back at contact history to notify those in contact with the individuals?  The Apple and Google API appears to favor more of a backwards looking approach.
  • How will you ensure confidentiality among colleagues? South Korea and Israel’s approaches were more publicly accessible, which led in some cases to protests, vigilante reactions, and social stigma. Think through how to avoid social stigma towards any employees – even when not testing positive, there may be questions or rumors based on employer efforts to preserve confidentiality.  Policies should be clearly explained and emphasized to mitigate such misunderstanding and disproportionate reactions.
  • Also consider how to handle false positives and false negatives. If you lift the lockdown with the idea that an app can control the infection, you could create a false sense of security that, once compromised, eventually gives way to ignoring the technology itself. One examples is Singapore where, despite using a widely credited tracing app, still had to return to lockdown. Their app examined whether an individual had been within two meters of someone with COVID-19 in the past 30 minutes. If so, they receive a signal that they are possibly infected, as well. This is both over-inclusive (Bluetooth through glass walls and windows) and under-inclusive (viral transmission through kissing or intimate contact for less than 30 minutes).

Many of these applications attempt to address many of these privacy concerns by simply notifying the app users themselves (instead of the employer or public health agency), to encourage responsible behavior.

Much remains to be seen about how our society will balance the tension between privacy rights and public health and safety needs as it pertains to application of contact tracing technologies. Nonetheless, yesterday’s release marks a significant event in this continuing conversation.