Apple, Google Announce Privacy Changes to Coronavirus Tracing
Google and Apple announced a rare cooperative project recently with the aim of developing a mobile coronavirus contact tracing platform. The companies were slow to release details, but observers still pointed out some potential privacy and security concerns. Today, Apple and Google have released an overview of changes they will make to the upcoming program to assuage those concerns.
The underlying technology powering the contact tracing technology isn’t changing. It’s still reliant on Bluetooth connectivity on your phone, but you won’t have to connect to any other phones for it to work. Phones can register contact with other Bluetooth signals automatically, and the new mobile apps will be able to leverage unique identifiers to determine with whom you’ve been in close contact. The idea is that if someone tests positive for COVID-19, the app can alert those at risk of contracting it.
Apple and Google have started to refer to this system as “exposure notification” technology instead of contact tracing. While this is part of contact tracing, it would be inaccurate to imply it could stand in for the epidemiological work involved with true contact tracing. Previously, the unique Bluetooth identifiers would rotate every 24 hours. Now, the companies say the “tracing keys” will change randomly throughout the day, making it even harder to connect an ID with specific people in real life.
In addition, the metadata associated with the list of Bluetooth contacts will be encrypted with AES technology. Modern smartphones have hardware that can accelerate AES encryption, making the system more efficient and secure. As with the tracing keys, it was theoretically possible to associate digital identifiers with real people. The new encryption should prevent that.
The companies see this technology as a temporary necessity. Once the pandemic has passed, Apple and Google have pledged to disable the exposure notification system. It will also be possible to disable the service on a regional basis based on requests from established health authorities. Any third-party apps built with the eventual API will come with limits on exposure time in five-minute intervals, with a maximum of 30 minutes. This, too, will help to preserve user privacy.
We expect standalone apps to arrive in the Play Store and App Store in the next few weeks. Both companies are also planning to deploy beta versions of their respective mobile operating systems that have the exposure notification technology built-in.