Apple and Google’s new contact tracing tool is almost ready. Just don’t call it a contact tracing tool.

People walk by a poster depicting Leonardo da Vinci’s Mona Lisa wearing a protective facemask in a street of Barcelona on February 18, 2020,

Pau Barrena/AFP via Getty Images

The tech companies’ “exposure notification” tool has more privacy protections.

Open Sourced logo

As contact tracing becomes an increasingly hot topic in the Covid-19 pandemic, details of a new tool built by Apple and Google are coming into focus. On Friday, the companies offered an update that included a closer look at how the tool will work on smartphones, information about additional privacy features, and a new name. Apparently, Apple and Google are backing away from the term “contact tracing.” Their tool is all about “exposure notification.”

As previously reported, the first phase of the rollout will be an application programming interface (API) that will allow iOS and Android devices to exchange anonymized proximity keys using Bluetooth. Apple and Google have now revealed that the Bluetooth metadata from the devices will be encrypted, so it can’t be used to try to identify a device. Public health authorities will then be able to build their own contact tracing apps using this API, and they will set the exposure length, the amount of time the two devices need to be near each other in order to exchange keys. The maximum allowed exposure time will now be 30 minutes. Again, this will make it harder to link a rotating key to a specific user. Apple and Google have not yet revealed which public health agencies they are working with, but the companies did say the API will only be available to them.

The public health authority apps in phase one will be opt-in, meaning users will have to download the apps and give them permission to access certain data. Once the app is installed, the user’s device will generate a daily key every 24 hours as well as keys that change every 10 to 20 minutes and broadcast from the device for contact tracing. These keys will also be randomly generated, the companies now say, rather than derived.

As they already explained, the keys make it possible for someone who tests positive for Covid-19 to quickly alert their recent contacts. They just report their positive test results to the app, which will then inform everyone with whom they’ve recently exchanged keys that they were potentially exposed to the virus.

Apple and Google also revealed new details of the second phase of the tool’s rollout, which involves baking the contact tracing feature into the operating systems of iOS and Android devices. We already knew that this next iteration of the tool, which will be available in the coming months, will allow contact tracing features to run in the background of any device, whether it has a public health authority app installed or not. Now Apple and Google say that alerts about possible exposure will appear in the device’s notification center. There will also be a new interface that will allow the user to turn the Bluetooth beaconing on or off.

In order to prevent abuse and encourage use, Google and Apple have repeatedly said they designed the tool with privacy, transparency, and user control in mind. The tool was already mostly earning praise from privacy advocates for these measures — with a few exceptions — and these updates seem to solve some of the remaining concerns. One of these concerns is related to public health authorities being able to add their own privacy-compromising elements to the apps they build using the Apple-Google API. Company representatives said on a media call that they’re still creating guidelines for public health authorities, but that their apps would be subject to the same terms of service as every other app on their platforms, and that features such as location tracking would require user consent, just as is true for all other apps.

It does seem like Apple and Google’s privacy-first mindset isn’t meshing with some of the countries they hope to serve. France has asked Apple to allow its contact tracing app to run in the background (as in, constantly broadcast and collect Bluetooth keys even if the app isn’t actively being used) while sending that data back to the French government. But the Apple-Google API will only allow this to happen for apps that keep that data on devices, for privacy reasons.

Contact tracing has emerged as part of many countries’ visions for how to safely scale back isolation and social distancing efforts. While traditional contact tracing involves employing people to talk to infected individuals and then trace down those they’ve been close to, digital contact tracing using devices like smartphones is seen as the most efficient way to track the spread of the virus. Different nations around the world have tried different methods to accomplish this, some more privacy-preserving than others. Apple and Google’s tool is widely seen as one of the better efforts here from a privacy perspective, and that’s an attractive selling point for an opt-in feature that works best when everyone is using it.

Oh, and about that terminology. Apple and Google have replaced the “contact tracing” label with “exposure notification.” The companies said they believe it better describes what the tool does, and that it’s only part of a public health authority’s contact tracing program. This seems a bit trivial, but it’s actually a good reminder that these apps and their deployment are run through public health authorities, and it’s up to those authorities to make sure positive test cases are properly vetted. Meanwhile, it’s essential that populations that may not have access to iOS and Android devices are included in their contact tracing programs. Apple and Google aren’t doing this alone.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.


Support Vox’s explanatory journalism

Every day at Vox, we aim to answer your most important questions and provide you, and our audience around the world, with information that has the power to save lives. Our mission has never been more vital than it is in this moment: to empower you through understanding. Vox’s work is reaching more people than ever, but our distinctive brand of explanatory journalism takes resources — particularly during a pandemic and an economic downturn. Your financial contribution will not constitute a donation, but it will enable our staff to continue to offer free articles, videos, and podcasts at the quality and volume that this moment requires. Please consider making a contribution to Vox today.

via Vox – Recode

Check out the Finding Your Identity Podcast!