Apple and Google announced their partnership two weeks ago to develop contract-tracing via Bluetooth in iOS and Android. Last week we shared details about how it will work and roll out, and today we’ve got answers to frequently asked questions about COVID-19 contact tracing for iOS and Android as well as updates on the Bluetooth and cryptography specifications.
We learned last week how contact tracing will work and roll out as well as how people will be able to participate. Those details should also help to further qualm security and privacy concerns from US Senators as well as the public.
Today we’ve got more details from Apple and Google representatives that cover some of the most frequently asked questions about contact-tracing in iOS and Android, now called Exposure Notification.
How can contact tracing help slow down COVID-19?
- Smartphones can be an important part of slowing down the pandemic as they offer an automated solution that scales to understand when people are exposed to someone who has tested positive for the virus. This gives valuable anonymous data to public health authorities to make the best decisions to slow down COVID-19.
- Contact tracing is being used by public health authorities and governments around the world.
How does the software ensure privacy and security?
- Users have explicit choice whether or not to turn on and use COVID-19 contact-tracing
- Users control all data and if they want to share it
- No location data is tracked, the software works via Bluetooth-based rotating beacons
- Contact-tracing from Apple and Google will only be available to be used by apps from public health authorities
- Apple and Google can turn off COVID-19 exposure notification on a regional basis
Will the government have access to information through contact tracing?
- Approved apps from public health authorities will have access to Bluetooth beacon data that retains user privacy and security.
- Explicit user consent is required for their anonymous data to be shared
Where is contact tracing data stored and who can see it?
- Contact tracing data is only stored on a user’s device
- Contact tracing data is only processed on a user’s device
- Public health authorities will be able to see anonymous Bluetooth beacon data for those who have tested positive for COVID-19 and those that receive exposure notifications
- Data will also include the day the contact occurred and how strong the Bluetooth signal was
Will Apple and Google monetize contact tracing data?
- There will not be any monetization for contact tracing data
- Apple and Google reiterate that the software relies on a user’s device for processing and data storage
Where can you find contact tracing apps for iOS and Android?
- As public health authorities develop and update apps to work with Apple and Google’s contact tracing software they will be made available in the App Store and Google Play Store.
- Apple and Google are partnering with public health authorities to see about ways they might be able to contact users about available apps
- Apple and Google will highlight contact tracing apps when they become available on their app stores.
- We learned that the contact API should become available on April 28th with the apps following from public health authorities in May.
How will the software know if I’ve been exposed to someone who has tested positive?
- Each public health authority will decide how each determines if someone has been exposed.
- Apple and Google’s software supports data that includes how long someone has been in contact with someone who has tested positive
- Health authorities will determine a minimum threshold for the time in contact with someone who has tested positive and Apple and Google will have a 30-minute maximum set to retain user privacy.
Apple and Google representatives highlighted that contact tracing is just one part of the solution for the coronavirus pandemic.
More resources can be found on Apple’s website. There are also updates today on the Bluetooth specification, Cryptography specification, and framework API for the iOS software. These include the API keys being randomly generated, changing the encryption algorithm from HMAC to AES, associated metadata is now encrypted, and more.