Apple and Google have announced that they are working together to help track the movement of COVID-19 infections by creating a history of where we've been and who we have been in contact with.
How each company is doing it is through an API that can expose the right data, provided the user — that's us — has installed an app on their phones. These APIs are expected in May. For the first round of the API updates, Google is distributing them through Google Play Services so that leaves out phones that aren't running a Google-approved version of Android.
Later, in the coming months, Apple and Google will roll out a complete Bluetooth contact tracing platform that can collect data about where we have been and who else has been there baked directly into the operating system. Both methods work on the same principle: if you become infected with COVID-19, your data can be referenced against other people's data to find out who else was in contact with you.
This sounds like a great idea, even if it might be too little and too late. It has a few problems, though. First off is that it's voluntary. It should be voluntary because it's literally tracking who we're in contact with, but being voluntary means a lot of people aren't going to install an app or opt-in to Bluetooth-based tracking. Some because of privacy concerns, but mostly because people just won't know what it is and how to do it.
How will it work?
Apple and Google will release APIs that allow an app to use what's known as contact tracing. It sort of keeps track of you and your movements, but not by location.
These new APIs will use Bluetooth LE to create a service with its own unique identification "code" which can be broadcast whenever the app is active. Other devices within range can listen for this broadcast (while also broadcasting their own presence), and if two signals find each other, a log entry is created.
No apps are sharing your actual phone contacts or tracking your location.
This log is uploaded and (data is downloaded to your phone) to a central server once every 24 hours, but the Bluetooth broadcasts happen about five times per second. To help keeps things secure, the unique ID for your phone changes every 15 minutes or so. The central server can still keep track of all the other phones you were in close proximity with, as long as the app is installed on both. To limit the amount of data being sent each day, these apps can filter out duplicates.
Let's say I'm visiting the grocery store and running the app on my phone. Maybe there are 100 other people close enough during my travels to score as a hit for the app, and 25 of those people also have the app running on their phone. At the end of the day, my log and the logs of those other 25 people all get uploaded to a server.
If I test positive for COVID-19, my phone generates another unique ID that's also uploaded to the server once the app is aware. Those 25 people I came into contact with will download this diagnosis ID to their phones, where the app will be able to see if they were in contact with me by checking against the unique ID of my phone. The app could then inform those people that they came in contact with someone who tested positive and proceed to explain what they should do next.
Right now, we don't know who will be building any apps that use these APIs. Since the operating system does all the work on our phone, and the API is the only way to hook into it, anyone could build an app that uses the service. While public health officials may be overseeing the making of an "official" app, that's not necessary — any competent app developer could likely build one that would work as advertised.
What about privacy?
Privacy is always a concern, and this is no different; in fact, since this data is about our health, privacy is even more important.
The system was built with privacy in mind.
The APIs were built with privacy in mind, but nothing is foolproof. Most of the work matching you to the people you've come in contact with is done on your phone, and what is uploaded and downloaded are sets of cryptographic keys. It's improbable that anybody could hack this system to track your movements.
Even if someone were able to hack the centralized servers, the data stored isn't of much use because it amounts to a list of keys tied to phones with no data about who they belong to or where they have been. The APIs don't use location tracking of any type, so there is no location information that could be included.
The one big privacy hole here is that these APIs are public, meaning any app can use them. That means the Walgreen's app or the Target app or even a Bluetooth beacon could grab the diagnosis ID your phone generates if you tell an app you tested positive and use it to build marketing lists or target advertising over an electronic display in-store for those who were in contact with you — if I get diagnosed, and you came into contact with me, you are now on a list.
We also don't know who will be running the centralized servers, and that's important. Even though the data can't really be traced back to any particular phone or person, this is sensitive data that should never be exposed to the public or misused. Apple, Google, and the government will likely work together to set these servers up and lock them down tightly.
I value my privacy, but I value my health just as much.
I'm a very privacy-centric person. I read all those long software EULAs and never tap OK on something I didn't read and understand first. I also read the full privacy statements from any company with a product I'm thinking about buying. It's safe to say I'm only inches away from wearing a tinfoil hat. But I plan to enable or install anything I can to help this effort.
And I urge you to do the same here. Whether the projected death count is 60,000 or 150,000 or 1,000,000, it's going to be far too many. We've reached the point where an actual pandemic is on the loose, and it's easy to sit back and point fingers at who is to blame, but that doesn't help save a single life. Tracking how COVID-19 works its way through society will help. Knowing that you've been in contact with someone who came down with the disease will help. Knowing where you traveled before you showed any symptoms will help.
We don't know all the details of this joint-venture yet, but they will be coming. We will be telling you everything you need to know about them, and hopefully, every other media outlet will be doing the same. You should never blindly trust any tech company when it says it's tracking anything about you, but when the time comes where you can install an app or opt-in to a service to help fight COVID-19, I urge you to give a little to help us all.