Google and Apple partnered to launch their COVID-19 exposure tracking and notification system on May 20, raising a lot of questions in the process. People want to know how the system works, what it will mean to individuals, where and how data is stored and shared, and so much more.
Here's all of the information you need to know about Google and Apple's new COVID-19 exposure tracking system.
What is this system, and what is an API?
Google and Apple created the Exposure Notification API. It is designed to help the process of contact tracing, which has the goal of tracking the movement of an infectious disease between people to slow its spread. Public health agencies are often in charge of contact tracing, employing hundreds or thousands of people to track known infected persons and then inform others who may have become infected, so that they can quarantine themselves and prevent further spread. Obviously this is top of mind given the ongoing spread of coronavirus.
This API is just a tool — it's up to countries and states to make apps that use it.
With a system such as this Exposure Notification API, contact tracing can be done with your phone, automating much of the process so that it can involve dramatically more people in the public and fewer people in the health agencies.
The Exposure Notification API is a framework for using your phone to facilitate contact tracing; it is not a complete contact tracing system. An API is simply a socket in your phone that an app developer can plug into to interact with a specific part of your phone directly and in a standardized way. (For example, there's an audio API on your phone that apps use in order to play audio from the app.) In this case, the Exposure Notification API is the same across all Android phones and iPhones, which is important to making it more effective for this type of use.
The Exposure Notification API is being pushed out to all Android phones through an update to Google Play Services, which happens automatically, and to all iPhones through the latest version of iOS 13.
How does it work?
At the highest level, this API facilitates contact tracing. First, you must install an app on your phone that uses the Exposure Notification API — there aren't yet any apps that do so, but Google and Apple will vet and approve them to be distributed through Google Play and the App Store. The apps will come from a public health authority associated with your local or federal government.
Once installed, the app will use Bluetooth LE (Low Energy) to identify nearby Bluetooth LE devices running the same app, and both phones will keep a log of the unique Bluetooth keys they see. This is called "beaconing." The Bluetooth LE key changes frequently (roughly every 15 minutes), meaning an individual can't be associated with, or tracked by, a single key. Bluetooth LE only works over a relatively short range, and Google and Apple have chosen a signal strength the Bluetooth radio should use in order to hopefully only exchange keys with devices close enough to be associated with a coronavirus transmission.
If someone who has the app installed tests positive for COVID-19, they enter that result into the app. The app then uploads the last 14 days of keys saved on the phone, identifying them as potentially being contagious for that period. Every other phone with the app installed periodically downloads this list of known infected persons' keys, compares it against its list of keys it has stored, and informs the user that they could have been close to someone who was contagious. The public health authority making the app will choose how it messages the notification, contacts the person, and advises them on what to do with the information.
What data is collected, and who gets to see it?
It's mostly explained in the section above. With an app installed, your phone will both broadcast and collect Bluetooth LE keys of people who also have the same app installed. The app keeps a store of those keys (which once again rotate every 15 minutes), and if you choose to identify yourself as infected, the app will upload the previous 14 days of keys to the app's cloud service.
The API doesn't provide anyone with your location, and other app users receive no personal information.
Identifying yourself as infected does not tell other app users who you are or that they may have been exposed to you specifically — it only reveals to them that someone who has tested positive was near them in the prior 14 days.
The API does not use GPS, cell tower triangulation or any other location services to identify your phone's location — it only uses Bluetooth LE beaconing to indicate the phone's proximity to another phone with the app. You have the choice of whether to install the app that uses the Exposure Notification API. You also have the choice of whether to tell the app that you have tested positive. The API, simply by being on your phone, does not make the phone store Bluetooth LE keys or make any of your data available to other apps or services. Neither Google nor Apple receive the data from your phone.
Does it drain my phone's battery?
Bluetooth LE is, by design, a very low-energy technology. You probably keep Bluetooth turned on on your phone 100% of the time already, and may already use Bluetooth LE for a smartwatch. Your phone is also already regularly scanning for devices using Bluetooth LE throughout the day. Bluetooth beaconing is used for many other functions, and we all know that even using Bluetooth for high-powered transmission — such as streaming music to a speaker or headphones — isn't a big battery drain.
If you choose to install an app that uses the Exposure Notification API, there's very little chance that you will notice any amount of battery drain from it. And of course, if you don't install an app that uses the API, it won't do anything.
Are there potential privacy concerns?
There will always be privacy concerns with anything that is theoretically collecting data about your phone, even if it is rudimentary. But as I noted above, apps using the Exposure Notification API do not receive any GPS or other location information — only rolling Bluetooth LE keys, which do not actually identify you. That would be a big privacy concern, but it is not the case here.
There are no privacy concerns here — you have full control over whether you provide data.
Google and Apple have of course put even more thought into this. The Bluetooth LE keys are cryptographically randomized, making sure that any two keys can't be associated with one another, so it is near-impossible to actually link together these 15-minute rolling keys to provide a timeline of where a phone was. And it's exponentially more difficult because once again the only way to "locate" a key is its close proximity to another person's key, which is also changing every 15 minutes.
How well will this system work?
The primary answer to this question is "it depends" — which is frustrating, I know.
It first and foremost depends on how quickly an app (or apps) is made that uses the Exposure Notification API. If it's an app designed by a country, the possibility of it being widely used is higher; if apps are handled on a state-by-state or region-by-region basis, adoption may be much slower. And in either case, since this is an opt-in decision, adoption rates will likely be low.
This system can work, but it requires an app to be deployed, and people to download it.
Many U.S. states have said they either have no plans to make an app, or explicitly will not make an app. A few states have indicated they will use the Exposure Notification API — one of which being North Dakota, which already made an app.
Secondarily, even if there is high adoption of the public health authority app(s), there are inherent issues with relying on Bluetooth LE signals as the sole way you determine your proximity to someone. Experts explain and research shows that coronavirus spreads through prolonged close proximity to people who are contagious — but this system doesn't have the precision necessary to make that determination.
If you simply pass someone walking on the sidewalk, stand behind someone in line at the store, or meet a delivery driver at your door, you have technically been in "contact" with that person. But in each of those situations, your chances of actually becoming infected with coronavirus are very low. The system also has no context for whether you or the other person were wearing a mask at the time of contact, which dramatically reduces your chance of infection.
Just like in-person contact tracing, the information is imperfect and will have false positives.
The system also can't account for situations in which you're "close" to someone but not actually with them, such as when they're on the other side of a window, wall or barrier. If you're driving a car and sitting at a stoplight, you're technically within 6 feet of the person walking on the sidewalk or in the car next to you, but you're not actually in danger of spreading or contracting the virus. The same situation applies if you're talking to a store clerk behind a plastic barrier. People who live in apartments are also likely within 6 feet of others at times, even when each person is in their own home.
And of course, this app does absolutely nothing to account for the fact that you could pick up the coronavirus by touching a surface, such as a shopping cart, doorknob or handrail. But that situation isn't really handled by contact tracing of any sort.
Knowing all of that, how well do I think the Exposure Notification API will work? It can help, but it's nowhere near a silver bullet. In areas with dense populations, apartments and widespread public transit use, there will be considerable "noise" in the data that will produce an abundance of false positives as being close to one another is just a part of daily life. And in any case, the data itself can't stop the spread of coronavirus — those public health agencies, and the general public, have to act appropriately given the knowledge provided.
Can I opt-out?
Yes! In fact, using the system is opt-in to begin with. You can simply choose not to install an app that uses the API, and none of the Bluetooth data will be generated by your phone or identify other phones.
As for the opt-out process with the public health authority app(s), that is currently unknown. Each app will have its own data retention policy and opt-out process.
We're here to answer your questions
If you have a specific question about something not addressed above, be sure to leave a comment and we'll be there to answer. We'll also be regularly updating this article with additional information as the updates are pushed out to phones and apps become available that use the Exposure Notifications API.