Apple and Google have sought to improve their COVID-19 contact-tracing plans following criticisms from governments.
Contact-tracing apps are being hailed as key to returning to some degree of normality. The apps use Bluetooth to keep track of everyone an individual passes in order to notify that circle if a COVID-19 diagnosis is made so they can isolate and get tested before spreading the virus further.
Naturally, however, many governments are wary about putting the data of their citizens potentially in the hands of two American tech giants. Some countries reportedly want that data themselves, while others have sought further privacy assurances.
On Friday, Apple and Google released an updated FAQ which explains their plan to use a “privacy-preserving identifier” consisting of a string of numbers which change every 20-30 minutes and isn’t linked to a person’s identity. It’s a welcome step up in privacy over the previous plan to assign a key to each device.
Apple and Google have long made it clear that their solution is specifically designed to be decentralised in order to prevent governments abusing the system for draconian population-tracking.
The decentralised approach is said to have caused a conflict with the UK’s NHS as the service is said to have wanted the data to pass through a centralised government database.
Apple and Google have reiterated that no data will reach either the companies themselves, or any public health authority, until a person is diagnosed with COVID-19 and consents for an anonymous alert to go out.
Apps using the API will check government databases of self-confessed carriers on a daily basis so, presumably, if there’s a match then an alert will go out to contacts automatically. How this will work when identifiers are supposedly anonymous isn’t entirely clear.
The companies involved are taking a two-phase approach to their contact-tracing rollout. The first phase will see an API, interoperable between iOS and Android devices, made available in May to national health authorities to build their own apps.
In their FAQ, the companies explain:
“Access to the technology will be granted only to public health authorities. Their apps must meet specific criteria around privacy, security, and data control. The public health authority app will be able to access a list of beacons provided by users confirmed as positive for COVID-19 who have opted in to sharing them. The system was also designed so that Apple and Google do not have access to information related to any specific individual.”
“The public health authority will define the way in which the app determines if someone has been exposed. To support this the system provides and the app can use both an estimate of time the user has been in contact with someone who has tested positive for COVID-19 and the approximate distance between the users. Public health authorities will set a minimum threshold for time spent together, such that a user needs to be within Bluetooth range for at least 5 minutes to register a match. If the contact is longer than 5 minutes, the system will report time in increments of 5 minutes up to a maximum of 30 minutes to ensure privacy.”
A second phase of the rollout, due in a few months, will see a contact-tracing app built into the operating systems themselves for greater reach.
