Apple and Google’s research teams have joined forces to establish a collaborative communication monitoring tool that will help individuals decide if they have been introduced to anyone with COVID-19.
Contact tracing is a valuable method that helps public health officials monitor the spread of the disease and warn those possibly exposed so that they can be checked. It does so by recognizing and “following” people who have come into contact with a COVID-19-affected person.
The first phase of the project is an API that public health organizations can incorporate into their own applications.
The next step is a machine-level communication monitoring program that will run on an opt-in basis through iOS and Android devices.
The program uses on-board radios on your computer to relay an anonymous ID over short ranges — using the Bluetooth beacon. Servers will distribute the last 14 days of revolving IDs to other apps that are looking for matches. Match is calculated on the basis of the time limit spent and the distance held between the two computers.
If a match is identified with another user who told the program that they had tested positive, you will be informed and can take measures to check and self-quarantine.
Contact tracing is a well-known and well-discussed method, but one that has been adopted by health authorities and universities working on multiple projects like this.
One such example is MIT’s attempts to use Bluetooth to construct a privacy-conscious communication monitoring device that was inspired by Apple’s Find My program. The businesses state that the organizations found technological obstacles that they were unable to resolve and asked for help.
Our own Jon Evans pointed out the need for a larger tracking system a week ago, along with the idea that you’d need a buy-in from Apple and Google to make it work.
The project began two weeks ago by engineers from both companies. One of the reasons for the company’s involvement is that there is low interoperability between systems on different manufacturer’s devices.
With touch monitoring, any time you break up a program like this between multiple devices, its effectiveness is greatly reduced. You need a huge amount of adoption of the one-touch monitoring system to function effectively.
At the same time, you’re faced with technological issues such as Bluetooth power-sucking, privacy concerns about centralized data collection, and the sheer effort it takes to get enough people to install apps to be successful.
Google and Apple have teamed up to create an interoperable API to allow the largest number of users to implement it, if they choose.
The first step, the private proximity communication detection API, will be released by Apple and Google in mid-May for use in iOS and Android apps. In a briefing today, Apple and Google said that the API is a simple one and will be fairly easy to integrate with current or planned software.
The API will allow apps to ask users to opt-in to contact tracing (the whole framework is opt-in only), enabling their device to send an anonymous, rotating identifier to devices that the individual “meets.” This will allow tracing to be done to warn anyone who might come into contact with COVID-19 to take further action.
The importance of touch tracing will continue past the initial phase of the pandemic and into the time when self-isolation and quarantine restrictions are relaxed.
The second step of the project is to make the tracing method even more effective and accepted by taking it to the level of the operating system.
There would be no need to download the software, users would only opt-in to the tracking right on their phones. Public health applications will continue to be funded, but that would target a much broader range of users.
How it works
A quick example of how a system like this might work:
- Two people happen to be near each other for a period of time, let’s say 10 minutes. Their phones exchange the anonymous identifiers (which change every 15 minutes).
- Later on, one of those people is diagnosed with COVID-19 and enters it into the system via a Public Health Authority app that has integrated the API.
- With an additional consent, the diagnosed user allows his anonymous identifiers for the last 14 days to be transmitted to the system.
- The person they came into contact with has a Public Health app on their phone that downloads the broadcast keys of positive tests and alerts them to a match.
- The app gives them more information on how to proceed from there.
Privacy and transparency
Both Apple and Google agree that privacy and accountability are important to public health campaigns like this and that they are committed to providing a program that does not compromise personal privacy in any way. It is a concern raised by the ACLU, which cautioned that the use of cell phone surveillance to track the spread of COVID-19 would entail strict privacy controls.
There is no use of location data, which includes users who report positive. This method is not about where the people affected are, but rather how they have been around other people.
The system works by assigning a random, spinning ID to a person’s phone and transmitting it to nearby devices through Bluetooth. This code, which rotates every 15 minutes and contains no personally identifiable information, will pass through a simple relay system that can be run by health organizations worldwide.
Since then, the list of identifiers that you’ve been in touch with doesn’t leave your phone unless you want to share it. Apps that have a positive check will not be associated with other apps, Apple or Google. Google and Apple will fully disable the broadcasting system when it is no longer required.
All match detection is performed on your computer, enabling you to see — within a 14-day window — whether your computer was similar to the device of a person who self-identified as having tested positive for COVID-19.
The system as a whole is opt-in. Users must know at the start that they are involved, whether in the app or at the system level. Public health agencies are interested in notifying users that they have been in touch with the person concerned.
The American Civil Liberties Union seems to be cautiously positive about this.
“No touch monitoring app can be fully successful unless there is widespread, free and rapid testing and equal access to healthcare. Such systems can’t be successful if people don’t trust them, “said ACLU surveillance and information security advisor Jennifer Granick.
“To their credit, Apple and Google have introduced an strategy that attempts to minimize the worst risks of privacy and centralization, but there is still scope for progress. We must remain cautious to ensure that every contract monitoring software remains voluntary and open and can only be used for public health purposes and only for the duration of this pandemic.
Apple and Google say that they will openly publish information about the work that they have done for others to analyze in order to bring the most transparency possible to the privacy and security aspects of the project.
“All of us at Apple and Google agree that there has never been a more critical time to work together to solve one of the world’s most urgent problems,” said the company in a statement. “Through close cooperation and partnership with developers, governments and public health organizations, we aim to leverage the power of technology to help countries around the world slow down the spread of COVID-19 and promote the return to daily life.” More detail on the communication tracking API can be found on Google’s post here and on the Apple website, including the specification.
Updated with an ACLU statement.