Google, Apple lay out strict rules for Exposure Notification API, no GPS data

Today, Google and Apple gave some more details surrounding its Exposure Notification API. Formerly called Contact Tracing API, the development tool is designed to help government organizations create mobile applications that will use the Bluetooth connections of our phones to help inform the public about their own exposures to COVID-19.

When Google and Apple joined together to announce the Exposure Notification API, the question on everyone’s mind was, “How will these companies keep user privacy safe in the face of this ongoing pandemic?” Well, the announcements today (via Reuters and The Verge) should help answer that question.

Related: Watch the coronavirus spread around the world with The Weather Channel’s app

Google and Apple today issued a list of rules that organizations must follow in order to use the Exposure Notification API. It’s a common misconception that Google and Apple are together creating an app to help with COVID-19 exposures. In reality, the two companies are providing the framework for potential future apps, and instead are leaving it to countries around the world to determine how best to use that tool — if they decide to use it at all.

With that in mind, below are the rules developers and countries must follow to use the Exposure Notification API.

Exposure Notification API rules and limitations

• Any apps using the API must be made under the direct supervision of an official government public health authority (PHA).
• Exposure Notification apps using the API should only have one purpose: responding to the COVID-19 pandemic.
• User consent is necessary before apps can utilize the API.
• A user’s consent to share a positive test result is necessary before an app can share any such info with a PHA.
• The information gathered should only be used for the purposes of exposure notification, and under no circumstances should any of the data be used for advertising or other commercial purposes.
• The Exposure Notification API will not give any access to a device’s Location Services (i.e. GPS information). Developers and PHAs cannot even seek permission for such access.
• Any existing applications or apps in development that use Location Services data can do so, but they cannot incorporate the Exposure Notification API.
• There can only be one app per country.*

That last one has an asterisk because it’s not quite rigid. What Google and Apple are trying to avoid is dozens of apps on the Google Play Store and Apple App Store from which users in each area of the world will need to choose. Therefore, the companies are saying there should be one app for each area, and that’s it.

However, if countries want to take a regional approach, that is OK. For example, the United States is one country, but if a PHA wants to make an app that’s just for a single state or collection of states, that is fine. Ultimately, though, Google and Apple will have control over this because they can simply remove apps from their respective stores if PHAs don’t work with them to develop apps that are as streamlined as possible.

Examples of apps based on Exposure Notification API

Below, you’ll find example images Google has created to give you an idea of what an exposure notification app could look like. Once again, Google and Apple are not creating apps, so these are simply mock-ups of what developers could do with this tool.

Google and Apple previously gave an estimate of mid-May for the consumer-facing release of the API. At some point later this year, the tool will be baked into both Android and iOS. The two companies are still committed to that timeline.

Time will tell if countries, nations, and states will opt to use the Exposure Notification API and abide by these rules — or try to do it on their own. Google and Apple are opening the door, but that doesn’t mean PHAs will actually go through it.