Apple and Google announced they are developing secure, privacy-focused changes to their mobile operating systems that would allow individuals to receive a notification if they had come in contact with people who later tested positive for SARS-CoV-2, the virus that can result in COVID-19. The two companies released preliminary technical information today, along with a roadmap for how they plan to proceed.
Tracing and notifying everyone who has come in contact with a person who has tested positive is a critical part of reducing the virus's spread. In some countries, authorities have required cellular carriers and other companies to provide direct access to smartphone locations to identify points of contact and enforce lockdowns and shelter-at-home orders.
Americans are notably averse to government tracking, no matter the purpose. Apple and Google’s approach might provide enough assurance of privacy to assuage the concerns of dubious citizens in the United States and around the globe while also serving a critical public-health purpose.
The two companies said in a joint press release that the service will be opt-in and will require the use of apps to be developed and released by public-health authorities. In a briefing on 13 April 2020, company representatives said they had consulted researchers and examined existing frameworks around the world in developing their approach.
This rare collaboration came together quickly. TechCrunch reports that it started just two weeks ago with a group of engineers from both firms. The preliminary documents are sketchy in parts and contain typos, a rare situation with Apple, emphasizing the speed with which they were assembled.
In the first stage, Apple and Google will make private APIs (application programming interfaces) available in mid-May 2020, with access strictly limited to public-health agencies. These APIs will work identically across both iOS and Android and let public-health authorities modify existing apps or build new ones that leverage the tracing features. The companies will also build simple model apps that governments could either put their own logos on or substantially modify.
A second stage will appear “in the coming months,” and will build the tracing approach into Android and iOS at the operating system level. Enabling tracing and receiving a basic notification can happen without even installing an app, company representatives said in the briefing. An app will be required for someone to register a diagnosis of COVID-19.
Security expert Ashkan Soltani, former chief technologist at the FTC, said in a tweet that an authoritative source told him Apple and Google would provide access to the stream of data only to a restricted set of organizations, not generally. Apple and Google representatives confirmed in the briefing that only government-recognized public-health organizations could use the tracing APIs and access the stream of diagnosis data required to alert people.
First, let’s look at where some of the underlying techniques come from.
Find My Provides a Model
The new system bears a close resemblance to crowdsourced device-tracking systems already in wide use, like Apple’s Find My service, updated last year, and the Community Find feature from Tile, which makes Bluetooth tracking tags. These device-tracking systems require opt-in as well. (Apple’s option is called Enable Offline Finding. In iOS, it’s in Settings > Your Name > Find My > Find My iPhone. In macOS 10.15 Catalina, it’s found in the Apple ID preference pane in iCloud settings; click Options next to Find My Mac.)
Find My’s crowdsourcing feature requires two or more devices associated with the same iCloud account to be linked together, much like iCloud Keychain syncing. In the field, it works when an Apple device detects it has no Internet connection. It then begins broadcasting a Bluetooth beacon at regular intervals. The beacon carries a value derived from key material shared among that set of devices, and the value rotates regularly so that nobody can track the device by following its beacon.
Any other Apple user in the vicinity with a new-enough operating system detects the Bluetooth beacon automatically, combines it with the finder’s own location, and uploads that data to Apple. Apple lacks the cryptographic pieces necessary to decode the location.
From another device registered with the same iCloud account, a user marks a device lost, and their device contacts Apple and provides enough information for Apple to return any matching uploaded bundles. The user’s device then decodes the packages from Apple and charts where and when a device was seen. The identity of users who participated in crowdsourcing isn’t revealed, nor do they know the contents of what their device is uploading.
Now let’s look at the new system proposed by Apple and Google.
Tracing Contacts without Breaking Privacy
The COVID-19 Contact Tracing Bluetooth system relies on the broad outlines of what Apple did with Find My. But instead of broadcasting over Bluetooth only in limited circumstances, apps that use the new APIs will transmit a Bluetooth beacon continuously at regular intervals, at least every five minutes according to the preliminary specifications.
The API will generate a unique tracing key for each device that’s stored only on the device and never revealed. To protect privacy and prevent tracking, the system will create a separate tracing key every day that’s derived cryptographically from the device key. That, in turn, is the basis of creating a fresh proximity ID about every 15 minutes that’s broadcast over Bluetooth to be picked up by other people’s equipment. Listening devices store that proximity ID along with a timestamp. To preserve battery life, it relies on the Bluetooth Low Energy standard, so this recurring activity consumes a minuscule amount of power.
However, unlike Find My, the spec doesn’t require location information. It’s a possibility, but it’s optional, and the companies say any location sharing must have explicit consent:
The Contact Tracing Bluetooth Specification does not require the user’s location; any use of location is completely optional to the schema. In any case, the user must provide their explicit consent in order for their location to be optionally used.
People may be much more likely to participate in contact tracing if their location isn’t shared, despite assurances about how private the data is and how it will be used.
All these details become important only when someone tests positive for the SARS-CoV-2 coronavirus. At that point, the infected person will need to choose to report their infected status by tapping a button or scanning a QR code in an app developed by a government health agency. Company representatives said that authorities may develop unique methods in their apps of validating a positive diagnosis to avoid people claiming they have the disease without a test or other criteria. (As testing remains constrained in many countries, some public-health officials include in their counts and use contact tracing for anyone who exhibits the typical combination of symptoms.)
However the test results are verified, once a user indicates they have a positive diagnosis, their app will upload the last 14 days of daily tracing keys to a “diagnosis server.”
The app will then launch daily for the next 14 days and send the previous day’s tracing key. That 28-day window provides both backward and forward tracing: it covers the currently understood incubation period, during which symptoms may not yet be fully present, and the period after diagnosis until someone is ostensibly no longer contagious—or has been admitted to a hospital for COVID-19 care.
To preserve privacy for people who may have been in the proximity of the diagnosed person, their devices don’t push the information they possess to a server. Instead, the diagnosis server regularly pushes all reported daily tracing keys to every person with tracing enabled. (Access to the feed of keys will be tightly controlled.)
That might seem like a huge load, but even if hundreds of thousands of people reported themselves infected per day, the keys are relatively small and the data load will be distributed across time. Security researcher and Signal app creator Moxie Marlinspike speculated on Twitter that the tracing keys might be loosely location tagged to reduce the amount of data potentially several billion smartphones would need to download. That seems like a detail that will be hashed out as development progresses.
Checking daily tracing keys happens only on people’s individual devices. Because the derivation is deterministic, each device can regenerate, from every downloaded daily tracing key, the full set of proximity IDs that key would have produced that day, and compare them against the rotating proximity IDs it captured over Bluetooth. If any match, the two devices were within Bluetooth range of each other at some point, and the matching party’s device knows the timestamp of each recorded match.
This clever technique preserves both anonymity and privacy. Only the person diagnosed possesses their daily tracing keys up to the point at which they are uploaded. Only devices in the proximity of that person would have received rolling proximity IDs derived from those daily keys. No other party should therefore be able to make a match. (Marlinspike did note that some advertising tech companies have Bluetooth-sniffing gear in retail establishments, making it possible that they could de-anonymize people who marked themselves infected. However, that would require direct access to the feed of daily tracing keys.)
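To make the key hierarchy and the on-device matching concrete, here is an added Python example. It is mine, not code from Apple, Google or the draft specification. It models the flow the article describes: a per-device tracing key that never leaves the device, a daily key derived from it, proximity IDs derived from the daily key for each time interval, and a receiver that regenerates IDs from downloaded daily keys to find matches. The derivation primitives (HKDF and HMAC with SHA-256), the label strings, the 10-minute interval, the 16-byte truncation and the one-interval tolerance are my assumptions, modeled on my reading of the preliminary documents; the day number, timestamps and key material are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constants are assumptions for this illustration (modeled on the draft
# cryptography document), not values stated in the article.
DTK_INFO = b"CT-DTK"             # label for daily-key derivation
RPI_INFO = b"CT-RPI"             # label for proximity-ID derivation
DAY_SECONDS = 24 * 60 * 60
INTERVAL_SECONDS = 10 * 60       # assumed length of one proximity-ID interval
INTERVALS_PER_DAY = DAY_SECONDS // INTERVAL_SECONDS


def hkdf_sha256(ikm, salt, info, length):
    """Minimal HKDF (RFC 5869) with SHA-256; empty salt means HashLen zero bytes."""
    prk = hmac.new(salt if salt else b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_tracing_key():
    """The per-device secret: generated once, stored only on the device."""
    return os.urandom(32)


def day_number(ts):
    return int(ts) // DAY_SECONDS


def interval_number(ts):
    return (int(ts) % DAY_SECONDS) // INTERVAL_SECONDS


def daily_tracing_key(tracing_key, day):
    """Daily key derived from the device key; this is what gets uploaded on diagnosis."""
    return hkdf_sha256(tracing_key, b"", DTK_INFO + day.to_bytes(4, "little"), 16)


def rolling_proximity_id(dtk, interval):
    """The 16-byte value broadcast over Bluetooth during one interval of the day."""
    mac = hmac.new(dtk, RPI_INFO + interval.to_bytes(4, "little"), hashlib.sha256).digest()
    return mac[:16]


def match_observations(observations, diagnosis_keys):
    """Run on the receiving device only.
    observations: list of (timestamp, rpi) captured over Bluetooth.
    diagnosis_keys: list of (day, daily_tracing_key) from the diagnosis server.
    Returns the timestamps of observations that match a diagnosed key."""
    # Regenerate every proximity ID each diagnosed daily key could have produced.
    candidates = {}
    for day, dtk in diagnosis_keys:
        for interval in range(INTERVALS_PER_DAY):
            candidates[(day, rolling_proximity_id(dtk, interval))] = interval
    matches = []
    for ts, rpi in observations:
        interval = candidates.get((day_number(ts), rpi))
        if interval is None:
            continue
        # Discard an ID heard outside the interval it was derived for, allowing
        # one interval of slack for clock drift and rotation boundaries (assumed).
        if abs(interval_number(ts) - interval) > 1:
            continue
        matches.append(ts)
    return matches


def demo():
    """Constructed scenario: Bob and Carol broadcast near Alice; Bob is later diagnosed."""
    bob_key, carol_key = generate_tracing_key(), generate_tracing_key()
    day = 18364                              # constructed day number (12 April 2020 UTC)
    base = day * DAY_SECONDS + 10 * 3600     # 10:00 that day
    observations = []
    for minutes in (0, 3, 6):                # Alice's phone records what it hears
        ts = base + minutes * 60
        for key in (bob_key, carol_key):
            observations.append((ts, rolling_proximity_id(daily_tracing_key(key, day), interval_number(ts))))
    # Two days later Bob uploads his last 14 daily keys; Alice downloads them.
    uploaded = [(d, daily_tracing_key(bob_key, d)) for d in range(day - 11, day + 3)]
    return match_observations(observations, uploaded)


if __name__ == "__main__":
    print(demo())
```

Note what the receiver never learns: it sees only Bob's daily keys and its own timestamps, and Carol's IDs stay unlinked because her daily keys were never uploaded. The interval check is what lets a device reject an ID that someone recorded in one place and rebroadcast hours later.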
This process also helps catch errors and attempts to subvert the system: because each device records when it captured each proximity ID, it can discard a purported match whose timestamp doesn’t fall in the day and time interval for which that ID was derived.
In the first phase expected to be released in mid-May, people will need an app installed to broadcast proximity IDs, receive and process matches, be alerted of a contact who has been infected, and report a diagnosis. In the second phase, users will be able to opt-in at the operating system level for everything other than reporting a positive test result.
(While this is the description in the joint cryptography API draft specification, company representatives in the briefing described a version that omitted the daily tracing key. I have been unable to get clarification as to the difference at publication time.)
Since the announcement appeared, many people have raised the concern that Bluetooth signals could reach far enough to cause significant false positives. Those who live in multi-unit buildings or in houses in close proximity often see Bluetooth speakers and headphones appear when they try to pair their own gear.
However, Apple and Google representatives said in a briefing that multiple markers would be used to ensure proximity. By measuring signal strength and capturing multiple proximity IDs, the contact-tracing framework would try to identify only people within a few feet for around 10 minutes. They said the system would follow metrics developed by epidemiologists on how the virus spreads over distance and time.
Alice and Bob Explain Contact Tracing
Here’s how we would explain the Apple/Google proposal in typical cryptographic analogies using Alice and Bob as examples.
Alice and Bob are in a grocery store at the same time. Alice’s iPhone receives several proximity IDs from Bob’s Android phone and dutifully records them. Two days later, Bob is diagnosed and uses the app to update his status. His daily tracing keys are uploaded.
Alice’s iPhone, in one of the regular updates it receives of diagnosis tracing keys, matches Bob’s key against proximity IDs it stored and enumerates all the matches with their timestamps.
The final version of the spec might perform additional checks: was Alice within an estimated 1 meter of Bob for two successive proximity ID captures? Were Alice and Bob close together for more than 5 minutes measured by timestamps? Did Alice receive 1000 proximity ID captures with weak signals, indicating they were merely neighbors and not immediately adjacent? Or is the signal so strong and appears so often that Alice and Bob likely live or work together?
Depending on the app and country and analytical details, Alice might be able to see various information about the match—potentially as simple as “you were in contact with a diagnosed party on 3 April 2020”—or have the option to disclose those details to a public-health agency.
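The additional checks above are speculative, so the following Python example, which I added and which is not from Apple, Google or the specification, only shows the shape such a filter could take. It takes the timestamps and signal strengths of the readings that matched one diagnosed person's keys, counts minutes with a strong signal, and flags an exposure only when a strong-signal session lasts long enough, so that a neighbor heard faintly for hours is not reported while a dozen minutes in the same aisle is. The RSSI threshold (-65 dBm), the 10-minute exposure threshold, the 5-minute session gap and all readings are constructed assumptions, not values from the page or from epidemiologists.

```python
NEAR_RSSI_DBM = -65      # assumed: readings at or above this count as "within a few feet"
EXPOSURE_MINUTES = 10    # assumed: shortest strong-signal session that counts as exposure
MAX_GAP_MINUTES = 5      # assumed: a longer silence ends a contact session


def summarize_matches(readings):
    """readings: iterable of (timestamp_seconds, rssi_dbm) for the observations
    that matched one diagnosed person's keys. Returns a summary dict."""
    all_minutes = {ts // 60 for ts, _ in readings}
    near_minutes = sorted({ts // 60 for ts, rssi in readings if rssi >= NEAR_RSSI_DBM})

    # Find the longest run of strong-signal minutes, tolerating short gaps
    # (a missed advertisement or two) inside one session.
    longest = 0
    session_start = prev = None
    for minute in near_minutes:
        if prev is None or minute - prev > MAX_GAP_MINUTES:
            session_start = minute
        longest = max(longest, minute - session_start + 1)
        prev = minute

    return {
        "total_minutes": len(all_minutes),
        "near_minutes": len(near_minutes),
        "longest_near_session_minutes": longest,
        "is_exposure": longest >= EXPOSURE_MINUTES,
    }


# Constructed scenarios: timestamps in seconds, RSSI in dBm, all made up.
BASE = 1586685600  # 12 April 2020, 10:00 UTC


def grocery_store_readings():
    """Alice and Bob in the same aisle: strong signal every 20 seconds for 12 minutes."""
    return [(BASE + 20 * i, -58) for i in range(36)]


def neighbor_readings():
    """Through a wall: weak signal once a minute for eight hours."""
    return [(BASE + 60 * i, -88) for i in range(480)]


def passing_readings():
    """Passing on the street: two strong readings, then gone."""
    return [(BASE, -50), (BASE + 30, -52), (BASE + 120, -80)]


if __name__ == "__main__":
    for name, readings in (("grocery", grocery_store_readings()),
                           ("neighbor", neighbor_readings()),
                           ("passing", passing_readings())):
        print(name, summarize_matches(readings))
```

Whatever thresholds a real app adopts, this stage runs entirely on Alice's phone after matching, so the raw readings never leave the device; only the summary, or nothing at all, would be shown to her or offered to a health agency.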
The Right Path Forward
Together, Apple and Google can reach billions of smartphone owners worldwide and simplify the process for public-health officials to trace infection vectors. That could play a huge role in helping society move towards a greater sense of normality after the number of infections drops precipitously.
Adoption could be hampered by the large variety of devices in use, however. Apple and Google representatives said in a briefing that they intend to distribute the APIs and system updates across as many operating system releases as possible but don’t yet know how far back that will go.
Government authorities and political pundits have been calling for compulsory tracing of individuals by device, and some countries have rolled that out already. That’s bad, even during a crisis, because powers asserted by government to reduce our freedom from surveillance are rarely freely relinquished. However, many countries already have the legal power in a public-health emergency to obtain tracing information through in-person interviews, phone-call records, credit-card and transit purchases, and the like, and they have used it solely for that purpose in past outbreaks.
There could of course be flaws in the specification or the eventual implementations, although the fact that it comes from two of the most technically capable companies on the planet is a plus. Apple and Google are accustomed to their platforms being under constant attack. They also have special abilities when it comes to pushing updates. Couple all that with the fact that this proposed system is entirely opt-in, allowing those who aren’t comfortable with it to bypass it entirely, and it feels as though this may finally be an example of the tech giants bringing their unique skills and resources to bear on the pandemic, as Adam Engst suggested in “How Can Tech Step Up for Humanity?” (6 April 2020).
We’ll be living with the SARS-CoV-2 coronavirus for some time. This privacy-oriented proposal from Apple and Google appears to offer the right balance for social good and personal privacy.