Apple and Google Strengthen Privacy of COVID-19 Exposure Notification System, Targeting Next Week for Beta Release
As a result of feedback from officials around the world, Apple and Google today disclosed a series of changes to their upcoming COVID-19 contact tracing initiative, with a focus on even stronger privacy protections and accuracy.
- Apple and Google are now referring to "contact tracing" as "exposure notification," which the companies believe better describes the functionality of their upcoming API. The system is intended to notify a person of potential exposure, augmenting broader contact tracing efforts that public health authorities are undertaking.
- Keys will now be randomly generated rather than derived from a temporary tracing key, making it more difficult for someone to guess how the keys are derived and use that information to try to track people.
- Bluetooth metadata will be encrypted, making it more difficult for someone to try to use that information to identify a person.
- Exposure time will be recorded in five-minute intervals, with the maximum reported exposure time capped at 30 minutes.
- The API will include information about the power level of the Bluetooth signal in the data that is exchanged between phones. This can be used in conjunction with the RSSI ("Received Signal Strength Indication") to more accurately estimate the distance between two phones when contact was made.
- Apple and Google will allow developers to specify signal strength and duration thresholds for exposure events.
- The API will now allow for determining the number of days since the last exposure event to better determine what actions the user should take next.
- The API's encryption algorithm is switching from HMAC to AES. Many devices have built-in hardware for accelerating AES encryption, so this change should help performance and efficiency on phones.
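The signal-strength, duration and days-since rules in the list above can be modelled as below. This is an added example, not Apple's or Google's code: the `Sighting` record, the `summarize` function, rounding partial intervals down, the gap rule and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

INTERVAL_MIN = 5       # exposure time is recorded in five-minute intervals
MAX_REPORTED_MIN = 30  # reported exposure time is capped at 30 minutes

@dataclass(frozen=True)
class Sighting:              # hypothetical record, not an API type
    day: date
    minute: int              # minute of day the other phone was heard
    rssi_dbm: int            # strength measured by the receiving phone
    tx_power_dbm: int        # power level carried in the exchanged data

def attenuation_db(s: Sighting) -> int:
    # Signal lost in transit; RSSI alone cannot tell a weak transmitter from a distant one.
    return s.tx_power_dbm - s.rssi_dbm

def summarize(sightings, today, max_attenuation_db, min_duration_min, max_gap_min=5):
    """Apply developer-chosen thresholds; return None when no day qualifies."""
    near = {}
    for s in sightings:
        if attenuation_db(s) <= max_attenuation_db:
            near.setdefault(s.day, []).append(s.minute)
    events = {}
    for day, minutes in near.items():
        minutes.sort()
        # Assumption: time between sightings counts only if they are <= max_gap_min apart.
        raw = sum(b - a for a, b in zip(minutes, minutes[1:]) if b - a <= max_gap_min)
        # Assumption: partial intervals round down before the cap is applied.
        reported = min(raw // INTERVAL_MIN * INTERVAL_MIN, MAX_REPORTED_MIN)
        if reported >= min_duration_min:
            events[day] = reported
    if not events:
        return None
    last = max(events)
    return {"days_since_last_exposure": (today - last).days,
            "reported_minutes": events[last], "exposure_days": len(events)}

def constructed_sightings():
    """Constructed sample data: a long close contact, a distant one, a brief one."""
    close = [Sighting(date(2020, 4, 20), m, -70, -20) for m in range(600, 651, 5)]
    far = [Sighting(date(2020, 4, 22), m, -95, -20) for m in (700, 705, 710)]
    brief = [Sighting(date(2020, 4, 23), m, -70, -20) for m in (800, 803, 806)]
    return close + far + brief

if __name__ == "__main__":
    print(summarize(constructed_sightings(), date(2020, 4, 24),
                    max_attenuation_db=60, min_duration_min=10))
```

With a 60 dB attenuation limit and a 10-minute minimum, only the 50-minute close contact counts, and it is reported as 30 minutes because of the cap.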
Further changes to the API specifications will be made over time based on continued feedback from public health authorities.
Apple and Google are targeting next week for the release of the seed version of iOS and Android operating system updates, which will support these APIs to enable testing by public health authority developers. The software update will support iOS devices released in the last four years, dating back to the iPhone 6s and iPhone 6s Plus.
Apple and Google revealed plans for this exposure notification initiative two weeks ago. The joint effort will use Bluetooth to alert users when they have potentially come in close contact with someone who later tests positive for COVID-19, on an opt-in basis. The companies have shared an updated FAQ for users with more details about the system.