Apps using Apple and Google’s contact tracing solution, due out soon, will be able to encrypt metadata associated with smartphones and randomly generate keys for identifying phones to make it harder to identify an individual or track people. A seed version of the app will be released Tuesday for iOS users, supporting Apple devices released within the last 4 years, in order for public health authorities to begin testing it.
Apple and Google spokespeople, as well as privacy advocates, insist that high levels of user trust are needed for a voluntary app approach to succeed. Those spokespeople said the updates are the result of conversations with key stakeholders around the world.
As part of other updates introduced today, contact events will now be recorded in five-minute intervals for a maximum of 30 minutes. The update will also let developers making apps for public health officials customize signal strength and duration thresholds to define which contacts are dangerous and who receives a smartphone alert after a person tests positive for COVID-19.
Agreement about what level of signal strength or duration of contact can result in COVID-19 transmission and thus merits a contact event is not uniform, and allowing local control of what constitutes a credible threat allows local officials to deem what’s best, not Apple or Google.
Standards for what constitutes a dangerous exposure could change based on new knowledge or local conditions. For example, recorded interactions may be able to increase sensitivity in areas where outbreaks are particularly bad.
On April 10, Apple and Google, creators of the most popular mobile operating systems in the world, announced an unprecedented partnership to create a common API for Android and iOS smartphone apps to exchange and record contact events. Rather than use cell phone tower triangulation or GPS, the method relies on Bluetooth Low Energy signals and carries out compute and stores contact events locally on smartphones in what’s called a decentralized process. Many privacy advocates and the makers of privacy-conscious apps in the U.S. and EU agree that decentralization, or tracking without the use of a centralized repository, does away with the prospect that a single hack can reveal sensitive user information for all participants.
Members of the TCN protocol, a group of about a dozen organizations working with cryptology, AI, and Bluetooth experts that believe in decentralized contact tracing, have collaborated with Apple and Google since the tech giants agreed to work together about a month ago.
The update will include more detailed Received Signal Strength Indicator (RSSI) information. Apps using the Apple-Google API will also be able to record the number of days since an exposure event has occurred.
Also part of the update today: Apple and Google will now refer to the solution as an exposure notification app instead of a contact tracing app.
In phase II of the partnership, due out in the coming months, smartphones using Android or iOS will automatically track contact events. Users will have to update their phones and then opt-in to participate. Using this approach, people won’t have to download the app. But if a person tests positive, a doctor can suggest they download the app to alert people who might have been exposed.
European Union officials earlier this week asserted that contact tracing apps must surpass a 60% installation threshold in order to be effective. Apple and Google spokespeople last week declined to predict what level of app download is effective.
Dissenters to the idea identify high levels of COVID-19 spread by asymptomatic users as a major reason why the Apple-Google solution and others like it could fail, while supporters say such tracking is essential to reopening society and economic activity.
Privacy and public health officials say ample testing availability is essential if contact tracing apps, working along human contact tracers, are to play an effective role in fighting COVID-19.