
iOS 13.7 Integrates Apple’s COVID-19 Exposure Notifications

Apple has released iOS 13.7 with a new COVID-19 exposure notification system and unspecified bug fixes. The company also released iPadOS 13.7 with equally unspecified bug fixes. Neither iOS 13.7 nor iPadOS 13.7 has CVE security entries. One oddity: the release notes we’re currently seeing in Software Update aren’t for this version and don’t match what Apple has on the Web; pay them no attention. You can install the updates, 159.1 MB on an iPhone 11 and 353.3 MB on an iPad Air, from Settings > General > Software Update, in iTunes, or in the Finder on Macs running macOS 10.15 Catalina or later.

In iOS 13.5, Apple introduced the Exposure Notification API, which it developed in partnership with Google (see “Apple and Google Partner for Privacy-Preserving COVID-19 Contact Tracing and Notification,” 10 April 2020, and “Apple Tailors iOS 13.5 and iPadOS 13.5 to a COVID-19 World,” 20 May 2020). That API could be used by state and national public health agencies to alert you to potential COVID-19 exposures, but they first had to develop and ship an app that took advantage of the API. Governments have been slow to do that, but the second stage of the plan has always been for the companies to build the Exposure Notification API into iOS and Android. Apple and Google have now built a COVID-19 exposure notification system into iOS 13.7 and a future update to Android.

To access the feature, go to Settings > Exposure Notifications and tap Turn On Exposure Notifications. iOS then walks you through selecting your country and region to enable the notifications. If your region doesn’t yet support those exposure notifications, it automatically turns on the Availability Alerts setting, which promises to send a notification once the feature becomes available in your area. The currently supported areas in the United States include Maryland, Nevada, Virginia, and Washington, DC—if you’re in one of those places, please share what the experience is like. We don’t know what the story is in other countries; if you find out more about your country, let us know in the comments.

[Screenshots: The Exposure Notification setting; Selecting an Exposure Notification region]

When the Exposure Notifications feature becomes available in our areas, we’ll be turning it on, and we encourage you to do so as well. Much like wearing a mask in public doesn’t ensure protection for you or from you, participating in the Exposure Notifications system won’t guarantee that you’ll learn about potential exposures or protect others should you fall ill, but it’s one more thing we can all do to help ourselves and others.


Comments About iOS 13.7 Integrates Apple’s COVID-19 Exposure Notifications

Notable Replies

  1. Josh, is there a list somewhere else that can be checked to see if a particular state will be releasing notifications? I’d like to check “off phone” before I decide to allow myself to be tracked by my state.

  2. There is no danger associated with checking. You must download the state app in order to activate the logging and AFAIK, Apple still won’t allow states to track individuals.

  3. This is the screen message for Australia.
    Exposure Notifications Are Not Currently Available.
    Exposure notifications have not been turned on for your region by your public health authority.
    The DONE button takes one back to the Settings –>Exposure Notifications.

  4. FWIW, Virginia is using an app called COVIDWISE for both iOS and Android.

    According to the home page, here’s how it works:

    • The system generates an anonymous token for your device, which changes every 10-20 minutes
    • The app uses BLE to exchange these tokens with any other devices running the app that are within range. Discovered tokens are retained for 14 days.
    • Once per day, the app downloads a list of anonymous tokens associated with known positive cases (as reported to Virginia), comparing the list against all the anonymous tokens discovered during the last 14 days
    • If there is a match, the app tells you who to contact to know what to do next

    Important points from its FAQ:

    • If you are diagnosed positive, you will get a PIN code (from Virginia) that you can use to inform the app of the diagnosis. This will let the system know that your anonymous tokens (for the day the PIN is submitted and 14 days prior) correspond to a positive diagnosis. This PIN prevents people from submitting bogus reports.
    • If you are not a Virginia resident, the app can track if you were exposed to someone where a positive diagnosis was reported to Virginia, but your own diagnoses can’t be submitted to the app without somehow sending that diagnosis to Virginia for processing. So it’s really not useful for residents of other states.
    • Tokens generated after the PIN is entered are not considered a positive diagnosis, so there is no need to “clear” the system after a sick person recovers
    • “Exposure” is based on the CDC’s definition (currently within 6’ for at least 15 minutes). Distance is approximated, based on Bluetooth signal strength.
    • The app does not track location and does not use personally identifiable information. If it detects exposure, you receive an alert that the exposure occurred, but no information about where or who exposed you.
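
The flow described in the comment above (rotating tokens, 14-day retention, PIN-gated reporting, on-device matching), modelled as an added example that is not part of the comment or of any app's code. It assumes a 10-minute rotation, an 8-digit one-time PIN and an HMAC-SHA256 stand-in for the token derivation; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

INTERVAL_SECONDS = 600                # assumed rotation period; the page says 10-20 minutes
PER_DAY = 86400 // INTERVAL_SECONDS   # token intervals covered by one daily key
RETENTION = 14 * PER_DAY              # page: discovered tokens are retained for 14 days


def interval_of(unix_time):
    return unix_time // INTERVAL_SECONDS


def rolling_token(daily_key, interval):
    # Stand-in derivation (HMAC-SHA256 truncated to 16 bytes), not the real key schedule.
    msg = b"demo-token" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    def __init__(self):
        self.daily_keys = {}          # day-start interval -> secret key; stays on the device
        self.heard = {}               # token received over BLE -> interval it was heard in

    def broadcast(self, now):
        i = interval_of(now)
        key = self.daily_keys.setdefault(i - i % PER_DAY, os.urandom(16))
        return rolling_token(key, i)

    def receive(self, token, now):
        self.heard[token] = interval_of(now)

    def keys_to_report(self, now):
        # Only daily keys that overlap the 14-day window are released after a diagnosis.
        cutoff = interval_of(now) - RETENTION
        return [(d, k) for d, k in sorted(self.daily_keys.items()) if d + PER_DAY > cutoff]

    def check_exposure(self, published, now):
        # Matching is local: expire old tokens, re-derive tokens from published keys, compare.
        cutoff = interval_of(now) - RETENTION
        self.heard = {t: i for t, i in self.heard.items() if i >= cutoff}
        hits = set()
        for day, key in published:
            for i in range(day, day + PER_DAY):
                token = rolling_token(key, i)
                if token in self.heard:
                    hits.add(self.heard[token])
        return sorted(hits)


class KeyServer:
    def __init__(self):
        self.valid_pins = set()
        self.published = []           # daily keys only: no names, locations or contact lists

    def issue_pin(self):              # handed out by the health authority with a diagnosis
        pin = f"{secrets.randbelow(10**8):08d}"
        self.valid_pins.add(pin)
        return pin

    def upload(self, pin, keys):
        if pin not in self.valid_pins:
            return False              # bogus reports are rejected
        self.valid_pins.discard(pin)  # assumption: a PIN can be used once
        self.published.extend(keys)
        return True

    def download(self):
        return list(self.published)
```

In this model the server only ever holds daily keys from people who reported; which devices heard which tokens never leaves the device that heard them.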
  5. Unfortunately, I don’t know of a central resource. You’d have to check with your state’s health department.

  6. OK, thanks. A central resource would be better as those traveling could check and see which states or parts thereof would be tracking them.

  7. Apple’s settings treat Ontario as part of “region” Canada, although Canada is larger than the USA and not all of the Provincial governments have adopted the Covid app. It is used where I live, so the Covid app looked redundant, so I deleted it. After it was gone, the settings showed exposure-testing to be off. I selected “region” Canada. Apple’s app sent me to the app store, to download the Covid app. In short, the feature is utterly useless here.

  8. Exposure notification is enabled in New Zealand, through the Ministry of Health’s “NZ COVID Tracer” app.

    All businesses and public places in NZ are encouraged to show a prominent QR code, which you can simply scan using the app as you arrive—it literally takes half a second.

  9. Again, there is no tracking involved when using the iOS provided API with a state or local app. Information exchange is totally controlled by you and exposures are only placed in a log on your phone.

    Read through David’s review of the Virginia app as an example. All the apps that use the API are going to perform identically to what Virginia has outlined.

  10. It seems that Apple building the feature into iOS doesn’t obviate the need to get a government-provided app—it’s complementary, not a replacement.

    That makes sense, I think, since you would need some UI to be able to register yourself as infected, if you tested positive, and that process is going to vary by locality.

  11. As I understood the press releases, Apple (and Google, for Android) have not developed any applications. They developed frameworks that various government agencies may use to implement tracking as required by their respective laws and medical systems.

  12. That’s pretty close. Apple and Google developed APIs to interface with macOS that agencies may use in an application to log (not track) encounters with self-reporting infected users.

  13. It seems to me that the CDC should have an app using the Apple/Google protocol and it should be coordinating things in the USA.

  14. That would have made sense from a centralization and speed of execution approach, for sure, but for reasons we won’t get into here, many such policies have been left to the individual states.

    Is anyone aware of a state implementing an exposure notification or contact tracing app that doesn’t use the Apple/Google technology?

  15. And it would have covered the entire USA. Isn’t it true that with State-specific apps you could report a positive test in one state and residents of other states whom you have been in contact with won’t know, even if they are registered in an app in their State?

  16. My understanding of the Apple/Google system is that it will notify anyone who has the system enabled of a positive exposure regardless of what state you’re in or which state’s app you have installed. For the system to discriminate by state, it would have to know which state you’re in when your iPhone reports your contacts, and it’s a big deal that it not collect any such identifying information.

  17. So government entities report all positive contacts to Apple/Google and Apple/Google has a global database? It seems like it would need to be global. Imagine an asymptomatic flight attendant who is in contact with people from all over the world and then tests positive and reports it in their country.

    Unfortunately, those of us who don’t live in a State with an app are left out and I’m not sure why that is.

  18. It’s far more complicated than a central database, which is necessary for privacy reasons. Glenn explained it well in an article a while back.

    But yes, it’s too bad that more states aren’t issuing the necessary apps or that the CDC didn’t at least come up with a reference app that the states could customize.

  19. While we aren’t going to discuss it here, I think it’s a strange notion that one person’s privacy should be allowed to trump another person’s life. COVID-19 isn’t going to wipe out the species, as it turns out, but it’s certainly within the realm of possibility that another virus could pose such a threat. Will privacy be allowed to take precedence over the survival of humankind?

  20. It’s a strange notion to me as well, but the reason we’re not going to discuss it further here is that such theoretical conversations—is privacy more important than human life?—never stay theoretical and quickly devolve into political debates that make me crazy. There are other places for such things.

  21. Apple and Google will apparently generate apps for states now.

    It’s interesting that the first sentence of the article refers to exposure notification apps while the headline calls them contact tracing apps. To me, this is another example of how the media repeatedly mischaracterize the system developed by Apple and Google. Either the system is useless because it does too little, or it’s too intrusive so no one will want to use it. It’s not surprising to me that adoption has been slow.

  22. Woo—that’s big news, and I hadn’t heard about it before this. @glennf, any word from your contacts at Apple about this?

    It is frustrating how many in the media have failed to distinguish clearly between contact tracing and exposure notification. It’s a really big difference, and the Apple-Google system is tremendously well-designed to protect privacy. See what @das wrote about that in

  23. After the update the “Exposure notification” showed me “Exposure Logging status” ACTIVE and “Active Region” SWISSCOVID, which is correct. Here in Switzerland the government introduced the SwissCovid app a couple of months ago based on the Apple-Google API.

    So exposure notification had correctly identified that I had a CoVid exposure app installed. I assume it will be the same in many other European countries as most use the Apple-Google API.

  24. No. Neither Apple nor Google has a global database.

    It’s very simple:

    • Your phone generates a random ID. I think it is 64 bits long. It’s long enough that it’s almost impossible for two people to generate the same ID. The ID cannot be used to track the phone or person and it’s generated every fifteen minutes.
    • When you are near another phone for a certain period of time that has contact tracing turned on, they exchange these random IDs.
    • If someone is tested and is positive, they are given a PIN. Using that PIN, they can let their phone know they’ve tested positive.
    • Apple and Google use their notification system to send all the random IDs that phone generated in the last two weeks.
    • Your phone receives the notification and checks it against a list of all IDs it exchanged over the last two weeks.
    • If there’s a match, your phone alerts you that you have been in contact with someone who tested positive.

    Note that no one knows which phone is associated with which IDs. Note that the states aren’t collecting any data associated with this API. Note that not even Apple nor Google can determine which phones are associated with which IDs.

    It is possible that Apple and Google could be collecting these random IDs when someone tests positive. But…

    1. You must give permission to allow Apple or Google to collect these IDs via the PIN. Simply having these apps on your phone does nothing.
    2. There’s no associated data with the IDs. Google and Apple can collect them, but they’re meaningless.
    3. Apple and Google already have ways they can track your every move. Google especially collects data about your phone and location and apps you use and download and almost every webpage you visit. They don’t need this API to do it.
    4. The states get nothing. They don’t even get the IDs.
  25. Is that right? I was under the impression that the database of “IDs that correspond to positive tests” was managed by each state via their respective apps. I thought it’s Apple and Google that don’t get any information.

    But maybe my assumption is wrong. Most of what I know is based on the documentation from Virginia’s app. I haven’t actually reviewed the APIs used by the app.

  26. The IDs wouldn’t help the states. It could be that the states’ apps report on the user, but the states get that information when someone tests positive whether or not that person uses the app. Apple and Google prohibit contact tracing apps from giving governments any information on whereabouts of people using the app.

    Which phones are using which generated IDs is unknown to even Google or Apple. Your phone generates one every fifteen minutes.

    When you test positive, and you allow your app to do so, your phone sends Apple and Google the streams of IDs it used. No personal information is transmitted. Apple and Google send out via their notification system that stream of data to their phones. Your phone looks at this and if one of those IDs matches, your phone will notify you. Neither Apple nor Google knows which phones report back a positive contact and neither do the states.

    It is my understanding this works across state and national boundaries. If two people from two different states or countries using two different contact tracing apps come in contact with each other, the notification system will still work.

    All of this was done out of a concern for privacy and the hopes that if everyone understood the privacy built into the API, they would be less concerned about being “tracked” by their government.

  27. David:

    Given the algorithm you describe (in wonderful detail), why doesn’t Apple/Google allow all of their users to opt in, regardless of whether they have access to a government app? The algorithm you describe doesn’t need an app to report to users that they have been in contact with someone who tested positive.

    What you describe is a global distributed database, which Apple/Google do (potentially) have access to (via their respective OSes), though they may have decided not to take advantage of their privileged access.

    If you report a positive test from your phone, doesn’t the server that receives the report get your IP address, and doesn’t that (potentially) ID you?

  28. There’s a puzzling sentence in that Fast Company article: “To make sure the system catches exposures across state lines, Apple and Google are working with the Association of Public Health Laboratories on setting up a national server.”

    The system requires a server. It doesn’t just work on your phone, which explains why Apple can’t just turn it on for everyone.

    https://developer.apple.com/documentation/exposurenotification/supporting_exposure_notifications_express

  29. In his TidBITS article, David Shayer makes a point that the servers are controlled by Apple and Google, but based on Apple’s documentation of the exposure notification system, I don’t think that’s actually the case. The documentation says that a public health authority (PHA) needs to set up two servers: a test verification server and a key server for exchanging IDs. The verification server obviously needs to be run by the PHA, but it appears the key server is as well.

    https://developer.apple.com/documentation/exposurenotification/setting_up_a_key_server

    This would explain the sentence Duane noticed about the national server. The PHA’s server would likely only work within a state, so a national server would be necessary for the system to be useful across state borders.

  30. Exposure Notification Express does exactly this. If users enable Exposure Logging, they can be notified of exposure even without having an app as long as their PHA is set up for it.

    https://developer.apple.com/documentation/exposurenotification/supporting_exposure_notifications_express

  31. If my state (Texas) doesn’t support Exposure Notification Express (just as it doesn’t support an app), then I’m still out of luck.

    There’s another strange thing about the way the Apple/Google system works. When you try to turn on Exposure Notifications, you get this message: “Your public health authority’s guidelines determine if an exposure is significant enough to notify you and provide next steps.”

    Since the system is currently run by the States, rather than the National government, the guidelines could vary from one state to another. In the USA, we could potentially have 50 different guidelines! What do you do if you are exposed while standing on the borderline between two states with conflicting guidelines? :wink:

  32. I just tried Turn On Exposure Notifications, selecting United Kingdom. “Exposure notifications have not been turned on for your region by your public health authority”.

  33. I updated to iOS 13.7 on Friday morning and I just turned on Exposure Notifications for Belgium. I received a message (translated from Dutch): “You have already added this region. This public health authority had already been authorized to send you exposure notifications”. So I’m guessing that this was done by default for the whole country: the release of the Belgian app has been announced for this month.

  34. I’ll be skipping this IOS update, and turning off auto update.
    Apple and Google assisting overreaching state governments to track us, what could go wrong?
    It’s ‘opt-in’ they say? Sure it is, until the next ‘update.’
    NO.

  35. I don’t know where you got these conspiracy theory ideas, but they are completely, and have been proven to be, untrue. I suspect I won’t be able to change your outlook on this, but it’s important that nobody else think this way.

    First of all, it’s in no way a “tracking” capability, rather it’s a “contact logging” feature. In order for it to do anything at all you would need to do all these things:

    • Install iOS 14
    • Install an application provided by a state or local public health organization
    • Opt-in or at least not opt-out

    Then you would have to be within a certain distance for a minimum amount of time to a self-reported infected person within a prescribed number of days. Or, if you are found to be infected, enter that information into the application so that others who have been logged as in your proximity recently can be notified of that fact (anonymously).

    I’m in touch daily with security experts and hackers who have so far assured me that no information whatsoever is communicated anywhere without an activated application. Even between individuals.

    So far, all of the very few apps that have been released appear to behave as advertised, but each one will need to be checked in order to verify they aren’t leaking any identification information and to whom.
