While debate rages around the potential privacy implications of the coming Apple/Google ‘Exposure Notification’ API, which aims to slow the spread of COVID-19 by alerting people when they’ve been in proximity to someone that’s later found to have coronavirus, both companies are now moving forward with the next stage of the plan.
This week, Google and Apple have released more information on exactly how the process will work, along with example screenshots of the tracing app in action – while the companies also recently opted to change the name of the API from ‘Contact Tracing’ to ‘Exposure Notification’ to help ease anxieties around the process.
As reported by TechCrunch, Apple and Google have provided a new set of code resources to enable developers to get started on their app development processes this week. Through the API, developers in each region, working on behalf of relevant government agencies, will be able to build their own exposure tracing apps that will enable Android and iOS devices to communicate with each other via Bluetooth signals.
The process, for users, will look something like this:
First off, users will download an app from their regional health authority – replace ‘Sample Public Health Authority’ with your local health body in these examples.
As you can see, you’ll then be asked to turn on notifications for the app. The key benefit of the API is that it will enable both Android and iOS devices to communicate, which will essentially enable cross-tracing between more than 97% of mobile devices in the world.
But that, of course, is also where the concerns lie. A system that can trace virtually all phones, and determine which other devices they’ve been in proximity to would be very valuable to, say, a law enforcement agency, the the the IRS, or many other authority groups. It’s important to note here that no personal information is exchanged in this process. The system tracks data through “anonymous identifiers” which change constantly, so your device has a log of other devices that its been in contact with, but no one else has the same information access (more in-depth explanation here).
Once the system is up and running, you’ll be eligible for alerts if someone you’ve been near tests positive.
While if you test positive for COVID-19, you’ll be able to share that in your app – and note here that users will only be able to create an alert via a special code provided by health officials in the instance of a positive test, which should ensure that people can’t fake reports in order to cause panic.
Users will be able to control their notifications and data usage settings via their phone tools.
It’s a good system, and it will no doubt help to contain the spread of COVID-19.
It’s also much better than the current workaround processes being used in some regions – in Australia, for example, the new ‘COVIDSafe’ app, which traces contact with other phones via a more rudimentary Bluetooth process, has been downloaded 4.5 million times after being launched just days ago. The Australian Government has been pushing the take-up of the app as a key condition in its decision making around easing lockdowns, and while the app can certainly help in alerting people to potential exposure, there are some significant flaws which will limit its effectiveness.
According to reports, the app only works when your device is unlocked and the app is open on the screen, while it’s also had difficulties operating in regional areas due to network limitations and system configuration differences. Some of these issues can be resolved with relevant updates, but really, the only way to ensure that the app is effective is to keep it open on your phone as you walk around. Like playing Pokemon Go, but now you’re hunting – or more, not hunting – for infected people, and you won’t know that they’re infected till days after the fact.
That’s where the Google/Apple API will be of benefit, because it will be baked into the OS code on each, which will ensure that it can trace your potential exposure even when you don’t open the app. And eventually, you won’t even need a separate app at all, as it will be built into the back-end process on your device.
That will, theoretically, make it much more effective, but again it will also mean that there’s a system out there that can trace all devices, and their proximity to each other, at all times. Which will be very effective during a pandemic, but likely a significant concern at all other times.
There are various privacy protections built in, so it’s not as simple as this – government officials won’t suddenly be able to flip a switch and trace everywhere you’ve been. But it will facilitate an increased level of cross-device tracking, which will remain a concern.
But still, as we’ve noted previously, both Google and Apple are individually tracking the location data of most users already, via location services – they technically have most of this data already, whether you like it or not. That’s one of the more confusing elements of the backlash, or maybe a less informed concern – Apple, Google and Facebook all have access to a heap of location-tracking data on you already. If they wanted to, they could probably trace every place you’ve been, right now.
The difference would be that it’s not being passed onto Government officials, and it technically won’t be through this new process either. But while such an advanced tracing system exists, so too does the potential for misuse. As such, it’s to our benefit that privacy advocates are keeping a close eye on each element, which will help to stop our data from falling into the wrong hands.