Google and Apple have released their API to help public health authorities design what is now being called a COVID-19 exposure notification app to help manual contact tracing.
The Google/Apple effort is one of several actions to leverage Bluetooth-enabled smartphone apps to help notify people that they have been in contact with someone who has tested positive for the disease. It has received a lot of attention because of its decentralized approach to storing data on mobile devices rather than other methods — like Alberta’s — which upload data to a central server so public health authorities can personally call and advise potential coronavirus victims. The Google/Apple concept is that app users who test positive would allow their apps to send a warning to other app owners that had recently been nearby that they should seek medical advice, but no health authority or government would know who those nearby people were.
A number of privacy experts are urging governments to either put the brakes or abandon these apps. However, work goes on in some jurisdictions. The U. S. state of Rhode Island, for example, launched its app on Tuesday.
However, there have been several developments this week that may slow the work:
- This morning on CBC Radio’s The Current, B.C. public health officer Dr. Bonnie Henry said an exposure notification/contact tracing app isn’t important at the moment. “From our perspective right now it doesn’t serve a need that we have, particularly the ones on anybody’s phone. Where we see the importance is one-on-one health investigations. So if there is some application that helps us do that more efficiently, then that’s what we are looking for — how do we collect that information and get into a database that helps us understand what’s going on with our cases. Some of these apps are probably not that helpful. They still require the same amount of public health expertise to interpret what they might actually mean from an individual’s risk.”
- In the U.K., where a trial of a centralized-based app has been going on in the Isle of Wight, health minister Lord Bethell was quoted as saying, “The Isle of Wight programme has been enormously successful and take-up rates have been huge. But it did teach us one important lesson: that people wanted to engage with human contact tracing first, and quite reasonably regarded the app as a supplementary and additional automated means of contact tracing. We have, therefore, changed the emphasis of our communications and plans to put human contact tracing at the beginning of our plans and to regard the app as something that will come later in support.”
Shortly after the centralized app was released, the U.K. began funding work on a decentralized app using the Google/Apple API.
- Privacy experts say Alberta app is flawed
- Canadian privacy commissioner issued guidelines for COVID measures
Meanwhile, in an apparent effort to ease concern in the U.K. that personally-identifiable data collected by its app will end up in the hand of the government, the Ministry of Defence issued a statement saying one of its specialized units will “receive and review the data, removing any information which may inadvertently identify users, ensuring that only symptom and demographic data is included. The data will then be checked for any security issues, with any incorrect or duplicate data also being erased.” Only then will the remaining data will used by the National Health Service for research.
All this is going on as Ottawa, the provinces and the territories review a dozen proposed apps as part of a larger contact tracing strategy.
When Google and Apple first announced their partnership to create an interoperable API for their platforms, it was called technology to enable contact tracing. Now they use the phrase “exposure notification.”
Until now, beta versions of the API have been quietly available to select countries. What was released Wednesday was the first version that developers can work on.
“What we’ve built is not an app,” the two tech giants said in a joint release, but an API public health can incorporate into their own apps for download. “Our technology is designed to make these apps work better. Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps.”
The technology “will enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones.”
Briefly, the apps are aimed at taking advantage of the fact that most people carry smartphones, which can use short-range Bluetooth for issuing and capturing signals. Apps — whether centralized or decentralized — create random encrypted IDs that can be captured when people are close to each other over a specified period of time (in Alberta’s app its 15 minutes over a total of 24 hours, meaning one person beside another for 15 minutes, or, say, several five-minute encounters totalling 15 minutes). In a sense, this mimics the potential of a COVID-19 carrier to spread the virus to someone close by. The devices keep a list of those nearby encrypted IDs. Depending on the app, if a person tests positive for the virus and if they want that list can be uploaded to a health authority, which would have the ability to decrypt the IDs and contact those people for further advice or a warning would go directly to the apps of those on the list.
Last week the Electronic Frontier Foundation added its voice to those insisting that governments only approve decentralized apps after analyzing the pros and cons of both approaches.
The creation and use of COVID-19 apps have raised a wide range of issues. Generally, in Canada and the U.S., voices are loud that government-endorsed apps to help public health bodies must be voluntary and collect a minimum amount of data. Some demand that data be erased when the pandemic ends, although others want health authorities to have access to data for research purposes.
However, some privacy experts fear employers may demand staff to use an app, or they can’t return to the workplace. In some cases, that might cost people their jobs. There are two COVID apps before the U.S. Senate now. This blog notes one of them has an exclusion for employers.