The federal government is now testing Apple and Google’s framework for contact tracing, but its COVIDSafe app would likely need to be fundamentally altered in order to be compatible with it, a number of software developers have warned.
Apple and Google released an “exposure notification” framework and API for COVID-19 on Wednesday, with the tech giants saying 23 countries have already requested access to it, including Australia.
The model put forward by Apple and Google would overcome the issues that many contact tracing apps, including Australia’s COVIDSafe, have encountered on iOS devices with Bluetooth strength when the app is in the background, improve interoperability between Android and iOS devices, and provide the opportunity for cross-border contact tracing.
The two companies announced plans last month to team up to produce a model for contact tracing on Android and iOS devices that could be incorporated into the apps produced by governments around the world.
The companies have now changed the wording to “exposure notification technology” and made it clear that the tool is on offer to complement the contact tracing work of public health authorities, and not as a silver bullet.
The Australian government previously indicated that it has been in discussions with Apple and Google on using the API, and Digital Transformation Agency officials told a Senate committee this month that it would be “one of the first adopters” of the API in the world.
The DTA is now testing the Google and Apple API, a spokesperson said.
“The DTA and Department of Health have been working with Apple and Google to understand and test the Exposure Notification Framework since it was released to see how it can be applied in Australia. That testing is ongoing,” the spokesperson told InnovationAus.
But it’s unclear whether COVIDSafe complies with Apple and Google’s strict privacy requirements for public health authorities to use the technology, with the tech giants pushing for a decentralised model that requires the collection of no personal data, such as a phone number, from users.
Several local software developers who have analysed the COVIDSafe app and its source code since it was released say that the app would have to be fundamentally changed for it to be compatible with the Apple and Google model.
COVIDSafe’s centralised model makes it incompatible with Apple and Google’s API, cryptography expert and Thinking Cybersecurity chief executive Vanessa Teague said.
“The Apple-Google system does the computation of whether you’ve been exposed on your own phone, and then gives you the option of telling the authorities,” Dr Teague told InnovationAus.
“COVIDSafe, as a centralised system, does that computation centrally. The central service learns that you might have been exposed, then they tell you. They can’t use it without switching to a fundamentally decentralised architecture.”
Spokespeople for the DTA and Government Services Minister Stuart Robert declined to comment on whether COVIDSafe would need to be altered to incorporate the Apple and Google API.
Privacy experts have commonly advocated for a decentralised model, which sees no contact or other information passed on to governments, with all contact tracing done within a user’s device.
But many governments, including Australia, preferred a centralised model as it allows public health contact tracers to be involved in the process and potentially infected people to be personally notified.
The Australian government opted for a centralised model for contact tracing: a user who tests positive for COVID-19 consents to upload all of their own unique identifiers, and those of the people they have been in contact with, to a national database hosted by Amazon Web Services, with this information then sent to the relevant state or territory health authority to conduct contact tracing.
Under the Apple and Google decentralised model, users would be notified through the app if they have been in contact with another user who has later been diagnosed with the virus, with their device regularly checking against a list of confirmed cases’ unique, randomised identifiers.
If a user tests positive for COVID-19, only their own unique identifiers would be uploaded to the server, if they choose to allow this.
Users will also be allowed to choose to send certain information to public health authorities under the Google and Apple model, and these authorities will be able to customise at what levels a contact is considered risky for contracting the virus.
COVIDSafe requires users to provide their name, phone number and postcode to use the service. This would likely have to be changed to be voluntary if the Australian version is to comply with the rules set out by Google and Apple, which allow for the collection of extra data to assist with contact tracing, but only on a voluntary basis.
The tech giants’ model involves a device’s unique identifier rotating every 10 to 20 minutes, whereas with COVIDSafe it is changed every two hours. The model also requires the stored keys of other users a device has been in contact with to be deleted after 14 days, while COVIDSafe stores them for 21 days.
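The decentralised flow described above, as an added Python sketch that is not code from Apple, Google or COVIDSafe: identifiers rotate, heard identifiers are dropped after 14 days, a confirmed case uploads only their own identifiers, and matching runs on the phone. The HMAC derivation, the 15-minute rotation value, and the `Device` and `demo` names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROTATION_SECONDS = 15 * 60          # assumed value inside the article's 10-20 minute range
RETENTION_SECONDS = 14 * 24 * 3600  # heard identifiers are deleted after 14 days


class Device:
    """One phone in a decentralised scheme (hypothetical class for illustration)."""
    def __init__(self):
        self._secret = os.urandom(32)   # never leaves the device
        self._observed = {}             # identifier -> time it was heard

    def _for_interval(self, n):
        # Stand-in derivation (assumption), not the real framework's key schedule.
        mac = hmac.new(self._secret, n.to_bytes(8, "big"), hashlib.sha256)
        return mac.digest()[:16]

    def identifier_at(self, t):
        return self._for_interval(int(t) // ROTATION_SECONDS)

    def observe(self, identifier, t):
        self._observed[identifier] = t

    def purge(self, now):
        cutoff = now - RETENTION_SECONDS
        self._observed = {i: t for i, t in self._observed.items() if t >= cutoff}

    def own_identifiers(self, now):
        # What a consenting confirmed case uploads: only their own identifiers.
        first, last = (now - RETENTION_SECONDS) // ROTATION_SECONDS, now // ROTATION_SECONDS
        return {self._for_interval(n) for n in range(first, last + 1)}

    def check_exposure(self, published, now):
        # Matching happens on the device; the server never sees self._observed.
        self.purge(now)
        return sorted(t for i, t in self._observed.items() if i in published)


def demo():
    day = 24 * 3600
    now = 30 * day                                     # constructed clock, in seconds
    alice, bob, carol = Device(), Device(), Device()
    recent, stale = now - 3 * day, now - 15 * day
    alice.observe(bob.identifier_at(recent), recent)   # Alice heard Bob 3 days ago
    carol.observe(bob.identifier_at(stale), stale)     # Carol heard Bob 15 days ago
    published = bob.own_identifiers(now)               # Bob tests positive and consents
    return alice.check_exposure(published, now), carol.check_exposure(published, now)
```

In this sketch the server only ever holds the confirmed case's own identifiers; the contact list stays in each phone's `_observed` store, which is the property the centralised upload gives up.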
COVIDSafe should be altered so it can incorporate the Google and Apple framework, Dr Teague said.
“I think Australia should pivot to it. There are pros and cons, but the huge advantage of removing a central authority with knowledge of infected people’s detailed face-to-face contacts is important enough to make it worthwhile for Australia,” she said.
The biggest benefit in incorporating the Apple and Google API would be improved functionality of the Bluetooth signals on iPhones.
COVIDSafe received an update last week that went a long way to fixing its performance issues on Apple devices though. This was done by using new code from the UK’s National Health Service app that “improves the COVIDSafe app’s Bluetooth performance on iOS devices, including when the device is locked”.
“We continue to work with Apple and Google on further enhancements that will improve COVIDSafe’s performance,” the DTA said last week.
Apple and Google have been working with several governments around the world and will be individually approving each app against their privacy guidelines.
“Access to the technology will be granted only to public health authorities. Their apps must meet specific criteria around privacy, security and data control. The public health authority app will be able to access a list of beacons provided by users confirmed as positive for COVID-19 who have consented to sharing them,” the companies said.
“The system was also designed so that Apple and Google do not have access to information related to any specific individual. Apps will receive approval based on a specific set of criteria designed to ensure they are only administered in conjunction with public health authorities, meet our privacy requirements and protect user data.”
In a joint statement, Apple and Google said updates would soon be rolled out for Android phones and iPhones, and that the exposure notification technology would “enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones”.
“What we’ve built is not an app – rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better,” they said.
“Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app.
“User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps. Today, this technology is in the hands of public health agencies across the world who will take the lead and we will continue to support their efforts.”