New policies have been revealed for Apple and Google’s Exposure Notification API, which uses Bluetooth for active, anonymous contact tracing. BRYAN TURNER explores the cross-platform technology.
Almost two months after COVID-19 was declared a pandemic, Apple and Google are still scrambling to release a unified platform for Android and iPhone devices to be used in active contact tracing. While they have announced what the Exposure Notification API will look like and how it can work, it’s not yet available for developers to deploy in applications. This long wait has led to government in Australia and the UK developing and deploying proprietary apps for contact tracing, minus the Exposure Notification API.
Health experts agree that each day counts in fighting the pandemic, and Google and Apple appear to have missed the boat with the Exposure Notification API. While this isn’t great for the current crisis, this toolkit will be a great asset in fighting pandemics to come.
Apple is the privacy company, which means it won’t be developing tools that compromise privacy by turning iPhones into GPS tracking devices for governments to use. On the other hand, Google’s ad model would be strengthened by collecting user data like GPS location. We suspect this conflict between providing a service for free and providing a service that makes money has been an issue within this partnership.
Fortunately for the rest of us, they have agreed to use one of the best methods for contact tracing that respects user privacy. An application that uses the contact tracing API may not request GPS data, so users will have to choose between using this API or using GPS data. This ensures that no location data is taken by developers while they conduct contact tracing.
Instead of using GPS, the API will use Bluetooth identifiers for contact tracing, because it’s virtually impossible to personally identify someone by their Bluetooth address, despite it being unique to every device. It works by constantly scanning the area around a device for other Bluetooth devices and recording how strong their signals are – the stronger the signal, the closer the other device. This constant scanning is something a Bluetooth-enabled phone does anyway because it needs to know when it can connect to an available Bluetooth device.
If someone reports they are COVID-19 positive in the app, their Bluetooth address will be matched to Bluetooth addressed on other user’s smartphones. If users have been close to the infected person, they will be notified via a notification that does not (and technically cannot) disclose the identity of the person who may have shared the virus with them.
In addition to not using GPS services, applications that use the Exposure Notification API must follow these guidelines:
Google and Apple say the target for this release is mid-May but, for now, healthcare developers can get a taste of sample resources from the API, which they can use to prepare their applications for deployment when the API goes live.
This API will likely become a standard on the next major releases of iOS and Android, which will be released later this year. Future features of the API will include having to disclose a test identifier, like the serial number of the test, to be able to notify a user that they had been tested with a faulty testing kit, among other issues that may arise.
World news – THAT – Apple, Google, scrap GPS for contact tracing