Almost two months after COVID-19 was declared a pandemic, Apple and Google are still scrambling to release a unified platform for Android and iPhone devices to be used in active contact tracing. While they have announced what the Exposure Notification API will look like and how it can work, it’s not yet available for developers to deploy in applications. This long wait has led to government in Australia and the UK developing and deploying proprietary apps for contact tracing, minus the Exposure Notification API.
Health experts agree that each day counts in fighting the pandemic, and Google and Apple appear to have missed the boat with the Exposure Notification API. While this isn’t great for the current crisis, this toolkit will be a great asset in fighting pandemics to come.
What’s the hold–up?
Apple is the privacy company, which means it won’t be developing tools that compromise privacy by turning iPhones into GPS tracking devices for governments to use. On the other hand, Google’s ad model would be strengthened by collecting user data like GPS location. We suspect this conflict between providing a service for free and providing a service that makes money has been an issue within this partnership.
Fortunately for the rest of us, they have agreed to use one of the best methods for contact tracing that respects user privacy. An application that uses the contact tracing API may not request GPS data, so users will have to choose between using this API or using GPS data. This ensures that no location data is taken by developers while they conduct contact tracing.
Instead of using GPS, the API will use Bluetooth identifiers for contact tracing, because it’s virtually impossible to personally identify someone by their Bluetooth address, despite it being unique to every device. It works by constantly scanning the area around a device for other Bluetooth devices and recording how strong their signals are – the stronger the signal, the closer the other device. This constant scanning is something a Bluetooth-enabled phone does anyway because it needs to know when it can connect to an available Bluetooth device.
If someone reports they are COVID-19 positive in the app, their Bluetooth address will be matched to Bluetooth addressed on other user’s smartphones. If users have been close to the infected person, they will be notified via a notification that does not (and technically cannot) disclose the identity of the person who may have shared the virus with them.
In addition to not using GPS services, applications that use the Exposure Notification API must follow these guidelines:
- Only government public health authorities may use this API
- The API can only be used to respond to COVID-19.
- Users must consent to the use of the API before it can be used.
- Users are required to consent to having their positive test result used in contact tracing. This is a crucial point of the API.
- Developers should only gather the minimum amount of info necessary for the purposes of exposure notification.
- Apps are explicitly forbidden from using information collected by the application for advertising or purposes outside of COVID-19 contact tracing.
- Apps are forbidden from accessing or attempting to access a device’s location services or GPS.
- There can only be one app per country to avoid the case of a user having to download several apps for contact tracing.
Google and Apple say the target for this release is mid-May but, for now, healthcare developers can get a taste of sample resources from the API, which they can use to prepare their applications for deployment when the API goes live.
This API will likely become a standard on the next major releases of iOS and Android, which will be released later this year. Future features of the API will include having to disclose a test identifier, like the serial number of the test, to be able to notify a user that they had been tested with a faulty testing kit, among other issues that may arise.