Earlier today, Apple and Google announced a Bluetooth-based COVID-19 contact tracking platform that could alert people if they have been exposed to the new corona virus. Contact tracking is a huge part of ending massive pandemic ‘stay-at-home’ orders, and while phone tracking can’t replace traditional methods like interviews, it can complement them.
Google and Apple use Bluetooth LE signals for contact tracking. When two people are around each other, their phones can exchange an anonymous identification key, which records that they have been in close contact. If one person is later diagnosed with COVID-19, they can share that information through an app. The system notifies other users so that they can quarantine themselves if necessary. Ideally, this means that you don’t have to reveal your name, location or other personal information.
However, beyond that foundation, there are many questions about how people will actually use the system. This is what we know so far.
The first phase is app-based and will start next month
Apple and Google are launching the program in two phases, starting with an application programming interface (API) in mid-May. This API allows iOS and Android apps to track users regardless of which operating system they use. But it will be limited to official apps released by public health authorities in the iOS App Store and Google Play Store.
During this first phase, you will need one of these apps to join the program. We don’t know who is currently working with Apple and Google and what the apps will look like. It seems likely that they are somehow interoperable – in other words, a phone with app A can exchange a key with app B, as long as they both use the API. We could hypothetically see a national government or many small local authorities launch their own apps, or governments approve something built by a third party like a university. Google and Apple haven’t released much details yet, so we’ll be looking forward to that in the coming weeks.
No matter what the apps look like, you have to proactively add them to your phone, which will almost certainly reduce the number of people using them. But in the months after the launch, Google and Apple are working on a more permanent solution.
The second phase adds opt-in tracking to iOS and Android
After the API, Google and Apple want to add contact tracking as a core feature for iOS and Android. The method is a bit sketchy now, but the goal is for you to sign in through something like your phone settings. This would enable the digital key exchange without needing a third party app. Then if you are exposed your phone will somehow indicate this and urge you to download an app for more information.
This raises a number of questions. For example, we don’t know much about that transfer process: do you get a vague pop-up notification or something with more details? We’re also not sure how Android’s fragmented ecosystem can complicate its release. Google could plausibly push a quick update through the Play Store instead of waiting for the providers to roll it out, but it would still have to deal with huge variations in hardware options. We also don’t know if individual government apps may ask for more invasive permissions like location tracking, even if the core Google and Apple system doesn’t use it.
Of course, if you have a phone without Bluetooth LE, none of these apps will work. But iOS has been providing support since the iPhone 4S from 2011, and the Android platform added support in 2012. So unless you have one very old phone, you’re probably fine.
What happens if you are infected?
If you test positive for COVID-19, the system should upload your last 14 days of anonymous “keys” to a server. Other people’s phones automatically download the key lists and if they have a matching key in their history they will receive an exposure notification.
However, the app must ensure that people are really infected – otherwise a troll could cause chaos by falsely claiming to have COVID-19. We don’t know exactly how this will work. COVID-19 tests are currently managed by professionals and registered with health authorities, so perhaps Apple and Google can follow that process to validate the tests. But it is a huge problem and they need a satisfying answer.
Either way, sharing your keys is voluntary. That seems to mean approving an upload, not only giving general permission when you install the app, but the exact process is something else we’re waiting for.
What happens if you are exposed?
If people share their data as described above, your phone will check the list once a day and look for important matches, then be notified if it is found. Google’s sample warning is pretty simple – it just says, “You’ve recently been exposed to someone who tested positive for COVID-19,” and provides a link with more information. That information is provided by the health authority that offers the app, and we don’t know what it means – although it will at least explain COVID-19 symptoms and self-quarantine guidelines.
Exposure is not a simple binary process: the more time you have spent with an infected person, the greater the risk. The documentation contains references to the duration measured in 5 minute intervals. It could, in theory, send that information directly to users, or it could provide an overall risk assessment without an exact number, which would provide a greater degree of anonymity.
As we mentioned earlier, none of this replaces the traditional interviews for contact detection. If done properly, it can add a platform-level system that is easy to use and does not overly compromise privacy. We are still waiting for many details on how that will work.