Apple and Google have released contact tracing technology that will allow public health mobile apps to notify users if they’ve potentially been exposed to an individual with COVID-19, the two companies announced on Wednesday. And according to at least one privacy expert, the new technology has ample safeguards to satisfy those who are concerned it could be used by overreaching government organizations and officials to snoop on private citizens and their health status.
The application programming interface (API), called Exposure Notifications, utilizes Bluetooth technology and can be used across iOS and Android devices. It is meant to be downloaded by public health agencies who are creating their own contact tracing apps.
“Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app,” Apple and Google said in a joint statement. “User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps.”
This first release is part of a two-phase plan that Apple and Google announced in April. In the “coming months,” the two tech giants are looking to expand this contact tracing technology on the operating system level, meaning that a user wouldn’t need to download a specific app in order to opt-in to the notification system.
“The system will send out and listen for the Bluetooth beacons as in the first phase, but without requiring an app to be installed. If a match is detected the user will be notified (that they may have been exposed to an infected person), and if the user has not already downloaded an official public health authority app they will be prompted to download an official app and advised on next steps,” the companies said. “Only public health authorities will have access to this technology and their apps must meet specific criteria around privacy, security, and data control.”
Alabama, North Dakota and South Carolina are some of the first states to sign on to using Apple and Google’s technology, according to Forbes. Twenty-two countries — including Ireland, Germany, Italy and the Netherlands — have also requested the API.
Still, many Americans have said they’re skeptical of using the technology. About 60% of U.S. citizens, according to a recent Washington Post-University of Maryland survey, said they’re either unable or unwilling to use a COVID-19 tracking app.
John Verdi, VP of policy for the Future of Privacy Forum, said those fears may be unwarranted. “From a privacy standpoint, the API is very strong,” Verdi told TheWrap. “The truth is, Google and Apple have taken a number of significant technical and policy steps to safeguard privacy.”
First, the “vast majority” of data processing and collection is done on-device, so that very little data leaves a person’s phone, Verdi said. Second, the API is not open to everyone, but limited to a number of “trusted health entities.” Also, because the unique identifiers are frequently refreshed, user locations are not able to be tracked — even by those organizations that have access to the API.
Finally, the API is designed so that when people report they’ve tested positive for COVID-19, that information is not shared with a centralized database, “which could raise privacy concerns,” Verdi said. Instead, phones communicate locally, sharing information on whether someone nearby has tested positive. Overall, the decentralized nature of the API should satisfy those concerned about government overreach, Verdi said.
“The combination of legal and policy protections is what Apple and Google have brought to bear with this API,” he added. “Their view, and the view of many technologists and health experts, is that a decentralized approach can be effective and privacy-conserving at the same time.”