Developers who create contact tracing apps using a joint technology from Apple and Google will not be able to track the location of users. On Monday, the two archrivals now working together released guidelines for the API (application programming interface) of what they’re calling Exposure Notification. Designed to be integrated into iOS and Android, the platform will allow developers to build apps to monitor and alert people of coronavirus exposure. However, the developers will have to do that without the assistance of GPS location tracking.
The guidelines specifically state: “A Contact Tracing App may not use location-based APIs, may not use Bluetooth functionality (excluding Bluetooth functionality included in the Exposure Notification APIs), and may not collect any device information to identify the precise location of users. In addition, Contact Tracing Apps are prohibited from using frameworks or APIs in the Apple Software that enable access to personally identifiable information (e.g., Photos, Contacts), unless otherwise agreed by Apple.”
Alice and Bob meet in person for a conversation. Their phones exchange anonymous and frequently-changing identifier beacons. Bob is later diagnosed with COVID-19 symptoms and uses an app from a public health authority to enter his test results. With Bob’s consent, his phone uploads the last 14 days of beacon keys to the cloud.
Alice’s phone downloads the beacon keys of everyone who’s tested positive for COVID-19 in her region, and a match is discovered with Bob’s identifier beacons. Alice then receives an alert on her phone telling her that she’s recently been exposed to someone who has tested positive for COVID-19. The alert gives her instructions on what to do next.
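The exchange between Alice's and Bob's phones described above, sketched as an added example (not code from Apple, Google or the original article). The HMAC-based identifier derivation, the 16-byte key size, the 144 intervals per day and all class and function names are assumptions made for illustration, not the Exposure Notification specification.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumed rotation: one identifier per 10 minutes
UPLOAD_WINDOW_DAYS = 14  # from the article: last 14 days of beacon keys


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast in one interval (HMAC is an assumed stand-in)."""
    msg = b"beacon" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.daily_keys = {}  # day -> random key; stays on the phone unless uploaded
        self.heard = set()    # (day, identifier) pairs received; never leaves the phone

    def beacon(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return rolling_id(key, interval)

    def hear(self, day: int, identifier: bytes) -> None:
        self.heard.add((day, identifier))

    def keys_to_upload(self, today: int) -> list:
        """After a positive test and consent: keys from the last 14 days only."""
        return [(d, k) for d, k in sorted(self.daily_keys.items())
                if today - UPLOAD_WINDOW_DAYS < d <= today]

    def exposed_days(self, published: list) -> list:
        """Re-derive identifiers from published keys and match on the device."""
        hits = {day for day, key in published
                for i in range(INTERVALS_PER_DAY)
                if (day, rolling_id(key, i)) in self.heard}
        return sorted(hits)


def demo():
    alice, bob, carol = Phone(), Phone(), Phone()
    for i in (60, 61):  # constructed meeting: day 20, intervals 60 and 61
        alice.hear(20, bob.beacon(20, i))
        bob.hear(20, alice.beacon(20, i))
    bob.beacon(3, 10)   # constructed older key, outside the 14-day window
    published = bob.keys_to_upload(today=25)
    return alice.exposed_days(published), carol.exposed_days(published), [d for d, _ in published]


if __name__ == "__main__":
    print(demo())
```

The server only ever sees Bob's daily keys; the match against what Alice's phone heard happens locally, which is why the contact list never has to leave the device.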
In their implementation, Apple and Google will first develop APIs that would help public health authorities design apps with contact tracing capabilities. These apps would be available in both Apple’s App Store and the Google Play store. In the second phase, the two companies would build the necessary Bluetooth-based contact tracing platform into their operating systems, a more robust solution than an API, according to Apple. The initial version of the API was released for developers last week. A final version is expected before the end of May.
Several countries have already been using contact tracing to try to stem the tide of COVID-19 infections. But concerns have arisen that such technology could be used to monitor the location of people, thus violating their privacy. That information could be used to brand people who’ve caught the virus or possibly been exposed to someone who’s caught it. Such data could prove a powerful weapon, especially in countries with restrictive or totalitarian governments.
To ease the privacy fears, Apple and Google have promised certain restrictions:
- User consent would be required.
- The technology won’t collect personally identifiable information or user location data.
- The list of people with whom you’ve been in contact would never leave your phone.
- People who test positive are not identified to other users, to Google, or to Apple.
- The technology can only be used by apps from public health authorities for COVID-19 pandemic management.
The challenge, however, will be to create a technology and apps that prove effective at stopping the growth of the coronavirus while at the same time protecting the privacy of the users.
“Tracking how we move and who we meet is extremely sensitive information, and from that point, would have had to be done with extreme caution,” said Heikki Nousiainen, CTO at cloud technologies provider Aiven. “Contact tracing can, however, have a profound impact on how we can deal with COVID-19 while at the same time minimize the impact from the quarantines and other restrictions. Extreme care has to be taken to ensure the correct balance on collecting, storing, and processing this information, so that it is not used for any other purpose than the stated one.”
As Apple and Google collectively own most of the global smartphone market, a joint technology from the two would reach the largest number of people. However, other companies and developers have been working on their own systems. One approach that might better address privacy concerns would be to use open source.
“Developing and releasing such solutions as open source, in my view, could enable external validation on the type and means of information collected, how it is processed and reported, and thus help in reassuring the general populace that the expectations on strict privacy would be met,” Nousiainen said. “An open source model would allow external parties also to later verify and reassure the population that the collection is ceased when the pandemic situation can be declared over.”