On Friday, April 10, news broke that Google and Apple would team up to provide contact tracing solutions for both Android and iOS operating systems to help in the fight against the COVID-19 pandemic. Limited details were announced initially, though a simplified overview of the system was released to help shed some light on just how these tech giants would build this system into Android and iOS.
Now, Google and Apple have slightly pulled back the curtain on how this system will be implemented and what precautions they’re taking to ensure user data remains safe.
First, what are you talking about?
Before you continue reading here, go back and read the brief overview of what Google and Apple announced on Friday. Google and Apple want to use our smartphones to help stop the spread of COVID-19 by letting users know if they’ve come in contact with someone who has tested positive for the virus. The method Google and Apple will use to do this is a process called contact tracing.
Contact tracing is the identification and follow-up of persons who may have come into contact with an affected person. To simplify it more, if you come in contact with someone who has a confirmed COVID-19 diagnosis, Google and Apple want you to be notified as soon as possible so you can take the necessary precautions.
Google and Apple envision the following scenario once the contact tracing system is in place:
- Two people (Person 1 and Person 2) have a conversation together, face-to-face, for 10 or so minutes.
- During this time, both parties’ phones are in close vicinity to one another, communicating through privacy-preserving beacons via Bluetooth LE.
- Later, Person 1 gets the news that they’ve been diagnosed with COVID-19.
- With Person 1’s consent, the phone will push the last 14 days of keys for their broadcast beacons to a remote server.
- Meanwhile, Person 2’s phone periodically checks broadcast beacon keys to see if anyone they’ve come in contact with has tested positive for the virus.
- Person 2’s phone downloads all positive broadcast beacons and finds a match with Person 1.
- Person 2 then gets a push notification saying that they have been in contact with someone who has tested positive for COVID-19.
- From this notification, Person 2 can click on a link to get more information on what to do next.
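The scenario above, modeled as an added sketch that is not Google's or Apple's code: each phone derives short-lived beacons from a per-day key, a diagnosed user uploads only keys, and matching happens on the other phone. The HMAC-SHA256 derivation, the 10-minute interval, and all class and function names are assumptions for illustration; the article does not say how beacons are derived from keys.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144   # assumption: a new beacon every 10 minutes
UPLOAD_WINDOW_DAYS = 14   # from the article: last 14 days of keys


def beacon_id(day_key: bytes, interval: int) -> bytes:
    """Derive the beacon broadcast during one interval of a day.

    HMAC-SHA256 truncated to 16 bytes is a stand-in, not the real derivation.
    """
    msg = interval.to_bytes(2, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self):
        self.day_keys = {}    # day number -> secret key, stays on the phone
        self.heard = set()    # beacons received over Bluetooth LE, kept on-device

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.day_keys.setdefault(day, os.urandom(16))
        return beacon_id(key, interval)

    def hear(self, beacon: bytes) -> None:
        self.heard.add(beacon)

    def keys_to_upload(self, today: int) -> list:
        """With consent after a diagnosis: only the last 14 days of keys."""
        return [k for d, k in self.day_keys.items()
                if today - UPLOAD_WINDOW_DAYS < d <= today]

    def exposed(self, published_keys: list) -> bool:
        """Re-derive every beacon from the published keys and match locally."""
        return any(beacon_id(k, i) in self.heard
                   for k in published_keys for i in range(INTERVALS_PER_DAY))


def simulate(meeting_day: int, diagnosis_day: int) -> bool:
    """Return True if Person 2's phone finds a match after Person 1's upload."""
    p1, p2, bystander = Phone(), Phone(), Phone()
    p2.hear(p1.broadcast(meeting_day, interval=60))         # face-to-face contact
    p2.hear(bystander.broadcast(meeting_day, interval=61))  # unrelated beacon
    server = p1.keys_to_upload(today=diagnosis_day)         # server holds keys only
    return p2.exposed(server)
```

The server in this model never receives Person 2's list of heard beacons or any location; a meeting that falls outside the 14-day window produces no match because its key is never uploaded.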
Android and iOS are very, very different ecosystems, though, so it’s not as easy as building a single app, letting everyone download it, and calling it a day. To protect user privacy, ensure interoperability between both ecosystems, and keep device-specific issues (like the effect these solutions might have on phones’ battery life) in check, Google and Apple are working to build contact tracing into Android and iOS on a system level.
How does this system work?
Google and Apple held a press briefing Monday that helped answer some of our most important questions on how this system will work.
First things first: Google and Apple aren’t making an app. They’re making an application programming interface (API) that enables third parties to utilize certain functions within an operating system. Google and Apple make the API, roll it into Android and iOS, and third parties (in this case, public health authorities) use that API in their own apps to help identify and track affected users and the people they may have come in contact with.
In mid-May, Google and Apple will both release an API that third parties will be able to use in their apps. This API will be interoperable between Android and iOS at a device level.
Eventually this functionality may be built into Android and iOS at a device level, but that will take months. Even then, users will likely need to download third-party public health apps to submit any information.
What about Android fragmentation?
As mentioned, Android and iOS are very different operating systems. When Apple issues an OS update, most of its users are able to receive that update within a week or so. Android is different: there are so many Android devices from different manufacturers that it would be nearly impossible to roll out an OS update that could work on all of them.
That’s why, in mid-May, Google will be releasing an update to Google Play Services that will bring support for the new contact tracing API. At the same time, Apple will release a full-fledged iOS update for iPhones.
What happens then?
The API is only part of the battle. Once the API has been published, individual public health authorities will need to build it into their applications. Google and Apple will provide sample apps for public health authorities to use as a starting point if they don’t already have an app of their own.
Using (or not using) these sample apps from Google and Apple will ensure each public health authority’s app can be as customized or as bare-bones as they’d like. Essentially, public health authorities can choose to simply reskin Google/Apple’s sample apps or do a full-on rewrite of the apps to ensure they work for them.
Once the apps are developed by individual public health authorities, users will need to download those apps from the Google Play Store and Apple App Store. This is the tricky part. Enough users need to trust the service to the point that they turn over their personal information; otherwise, the whole system won’t work very well.
How are Google and Apple ensuring user privacy?
It sounds like Google and Apple are doing this to collect your data, so I wouldn’t blame you for feeling like this is a violation of your privacy. However, that’s not really the case here.
This contact tracing implementation will be completely opt-in, so users need to deliberately say yes to this permission if they want their information to be tracked. In a perfect world, everyone who downloads their public health authority’s application would opt in to contact tracing, but neither Google nor Apple will be making this mandatory.
No matter which operating system or app you use, there is absolutely zero geolocation use. Google and Apple literally aren’t collecting that data. Also, the entire list of people you’ve come in contact with does not leave your phone unless you choose to share it. Everything stays local on your smartphone, so you don’t need to worry about your sensitive location data being stored on a remote server.
Speaking of servers, the Google spokesperson we spoke with made it a point to ensure all data servers are decentralized, meaning there isn’t just one server with all contact tracing information stored on it. Governments can even run their own servers if they’d like.
Also, we might not even want to think of “servers” in the traditional sense. The servers which house this data should really be thought of more as broadcast mechanisms. They contain only enough information to broadcast data to individual applications, and data is only stored for 14 days.
Google and Apple made it clear that they are working day in and day out to implement this API on time. We will have more time to talk with Google and Apple representatives in the future, but for now, we hope some of this information helped clear things up.