On Friday, Google and Apple joined forces on an ambitious emergency project, creating a new protocol to help track the ongoing coronavirus outbreak. It's an urgent, complex undertaking with huge implications for privacy and public health. Similar projects have been successful in Singapore and other countries, but it remains to be seen whether U.S. health authorities can manage such a project – even with the world's largest technology companies doing their part.
We've covered the basics of the project here, but there's a lot more to explore – starting with the technical documents published by the two companies. They reveal a lot about what Apple and Google are actually trying to do with this sensitive data, and where the project still falls short. So we dug into those documents and tried to answer the twelve most pressing questions, starting at the very beginning:
What does it do?
When someone falls ill with a new disease like this year's coronavirus, public health workers try to curb the spread by tracking down and quarantining everyone the infected person has come into contact with. This is known as contact tracing, and it's a crucial tool for containing outbreaks.
The system records contact events without collecting location data
Essentially, Apple and Google have developed an automated contact tracing system. It differs from traditional contact tracing and is probably most useful when combined with traditional methods. Most importantly, it can operate on a far larger scale than conventional contact tracing, which will be necessary given how widely the outbreak has spread in most countries. Because it comes from Apple and Google, some of these features will eventually be built into Android phones and iPhones at the operating system level. That could make this technical solution available to more than three billion phones worldwide – something that would otherwise be impossible.
It's important to note that Apple and Google are collaborating on a framework, not an app. They're handling the plumbing and guaranteeing the privacy and security of the system, but leaving the creation of the actual apps that use it to others.
How does it work?
Basically, this system lets your phone log the other phones that have been near it. As long as the system is running, your phone periodically broadcasts a small, unique, anonymous code derived from the phone's unique ID. Other phones in range receive that code and remember it, building up a log of the codes they've received and when they received them.
When a person using the system receives a positive diagnosis, they can upload their ID codes to a central database. Whenever your phone checks that database, it runs a local scan to see whether any of the codes in its log match the IDs in the database. If there's a match, you get a notification on your phone telling you that you've been exposed.
That's the simple version, but you can already see why this kind of system could be so useful. In essence, it records contact events (which is exactly what contact tracers need) without collecting any precise location data, while keeping only minimal information in the central database.
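To make that flow concrete, here's a minimal sketch of the log-and-match logic in Python. Every name here is hypothetical, and real implementations derive the rotating codes cryptographically (more on that below); this only illustrates the shape of the exchange.

```python
from datetime import datetime, timezone

class ContactLog:
    """Hypothetical on-device log of the codes heard over Bluetooth."""

    def __init__(self):
        self.entries = []  # list of (code, timestamp) pairs

    def record(self, code: bytes):
        # Called whenever a nearby phone's broadcast is received.
        self.entries.append((code, datetime.now(timezone.utc)))

    def check_exposure(self, published_codes: set) -> bool:
        # The "local scan": compare every code we've heard against the
        # codes downloaded from the central database of confirmed cases.
        return any(code in published_codes for code, _ in self.entries)

# Example: a code we heard in passing later shows up in the published
# list, so the phone would raise an exposure notification.
log = ContactLog()
log.record(bytes.fromhex("a1b2c3d4"))
if log.check_exposure({bytes.fromhex("a1b2c3d4")}):
    print("Possible exposure detected")
```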
How do you report that you've been infected?
The released documents are less detailed on this point. The specification assumes that only legitimate healthcare providers will be able to submit a diagnosis, to ensure that only confirmed diagnoses generate warnings. (We don't want trolls and hypochondriacs flooding the system.) It's not entirely clear how that will work, but it seems like a solvable problem, whether it's managed through the app itself or through some additional authentication before an infection is registered with the central database.
How does the phone send out these signals?
The short answer is: Bluetooth. The system works over the same antennas as your wireless earbuds, although it uses the Bluetooth Low Energy (BLE) version of the specification, which means it won't drain your battery as noticeably. This particular system uses a version of the BLE beacon system that has been around for years, modified to work as a two-way code swap between phones.
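To give a sense of what "receiving" a beacon looks like, here's a rough Python sketch that listens for BLE advertisements using the third-party bleak library. The service UUID shown is the 16-bit identifier the draft Bluetooth spec reserves for this system, but treat that value and the payload handling as assumptions; in practice the exchange is meant to happen at the operating system level, not in a script like this.

```python
import asyncio
from bleak import BleakScanner  # third-party library: pip install bleak

# Assumption: the 16-bit service UUID from the draft Bluetooth spec,
# expanded to its 128-bit form.
TRACING_SERVICE_UUID = "0000fd6f-0000-1000-8000-00805f9b34fb"

def on_advertisement(device, advertisement_data):
    # The beacon payload would carry the rotating anonymous code.
    payload = advertisement_data.service_data.get(TRACING_SERVICE_UUID)
    if payload is not None:
        print(f"{device.address}: {payload.hex()}")

async def main():
    scanner = BleakScanner(detection_callback=on_advertisement)
    await scanner.start()
    await asyncio.sleep(30)  # listen for 30 seconds
    await scanner.stop()

asyncio.run(main())
```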
How far does the signal go?
We don't really know yet. In theory, BLE can register connections at distances up to 100 meters, but that depends heavily on specific hardware settings, and it's easily blocked by walls. Many of the most common uses of BLE – like pairing an AirPods case with your iPhone – have an effective range closer to six inches. The project's engineers are optimistic that they can tune the range in software through "thresholding" – essentially, discarding the lower-strength signals – but since there's no actual software yet, most of the relevant decisions remain to be made.
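Here's a minimal sketch of what that kind of thresholding could look like; the cutoff value is purely illustrative, since none of the real tuning decisions have been made.

```python
# Purely illustrative: drop the weakest signals, on the theory that a
# weaker received signal roughly implies a more distant contact.
RSSI_THRESHOLD_DBM = -70  # hypothetical cutoff; the real tuning is open

def is_relevant_contact(rssi_dbm: int) -> bool:
    return rssi_dbm >= RSSI_THRESHOLD_DBM

sightings = [("code_a", -55), ("code_b", -90), ("code_c", -68)]
kept = [code for code, rssi in sightings if is_relevant_contact(rssi)]
print(kept)  # ['code_a', 'code_c'] – the stronger, closer signals
```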
At the same time, we're not quite sure what range is best suited for this kind of alert. Social distancing rules typically recommend staying six feet (about two meters) away from others in public, but that could easily change as we learn more about how the novel coronavirus spreads. Officials will also be wary of sending so many warnings that the app becomes useless, which could push the ideal range even smaller.
So it's an app?
Sort of. In the first phase of the project (which should be ready by mid-May), the system will be built into official public health apps, which will send the BLE signals in the background. Those apps will be created by government health agencies, not the technology companies. That means the agencies will be responsible for many important decisions, including how to notify users and what to recommend once a person has been exposed.
Eventually, the team hopes to build this functionality directly into the iOS and Android operating systems, something like a native dashboard or a toggle in the Settings menu. But that will take months, and even then the system will still point users toward downloading an official public health app whenever they need to submit information or receive a notification.
Is it really secure?
For the most part, the answer seems to be yes. Based on the documents released on Friday, it would be quite difficult to work back to any sensitive information from the Bluetooth codes alone, which means you can run the app in the background without worrying that it's compiling anything incriminating. The system itself doesn't identify you personally and doesn't log your location. Of course, the health apps built on top of it will have to know who you are at some point if you want to upload your diagnosis to health authorities.
Could hackers use this system to make a large list of everyone who has the disease?
It would be very difficult, but not impossible. The central database stores all the codes broadcast by infected people while they were contagious (that's what your phone checks against), and it's quite plausible that a bad actor could obtain those codes. The engineers have done a good job of making sure you can't work backward from the codes to someone's identity, but it's possible to imagine scenarios in which those protections break down.
A diagram from the white paper on cryptography that explains the three key levels
To explain why, we have to get a little more technical. The cryptography specification lays out three levels of keys for this system: a private master key that never leaves your device, a daily tracing key generated from the master key, and then the string of "proximity IDs" generated from each daily key. Each of these derivation steps is performed with a cryptographically robust one-way function – so you can generate a proximity ID from a daily key, but never the other way around. More importantly, you can tell which proximity IDs came from a particular daily key, but only if you start with that daily key in hand.
The log on your phone is a list of proximity IDs (the lowest level of key), so it's not much use on its own. When you test positive, you share even more: you publish the daily keys for every day you were contagious. Because those daily keys are now public, your phone can do the math to tell you whether any of the proximity IDs in its log came from them; if one did, it generates a warning.
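Here's a short Python sketch of that three-level structure. The published spec calls for HKDF and HMAC-SHA-256 with specific parameters and truncation; the derivation details below are simplified stand-ins, meant only to show the one-way structure and the matching check.

```python
import hashlib
import hmac
import secrets
import struct

# The master key is generated once and never leaves the device.
master_key = secrets.token_bytes(32)

def daily_key(master: bytes, day_number: int) -> bytes:
    # One-way derivation: a daily key can't be reversed into the master key.
    return hmac.new(master, b"daily" + struct.pack("<I", day_number),
                    hashlib.sha256).digest()[:16]

def proximity_id(day_key: bytes, interval: int) -> bytes:
    # One-way again: a proximity ID doesn't reveal its daily key...
    return hmac.new(day_key, b"proximity" + struct.pack("<B", interval),
                    hashlib.sha256).digest()[:16]

# ...but WITH a daily key in hand, anyone can regenerate every proximity
# ID it produced. That's exactly the check a phone runs against its log
# once an infected person's daily keys are published.
published_day_key = daily_key(master_key, day_number=18362)
regenerated = {proximity_id(published_day_key, i) for i in range(144)}

heard_earlier = proximity_id(published_day_key, 37)  # a code in our log
print(heard_earlier in regenerated)  # True -> exposure warning
```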
As cryptographer Matt Tait points out, this creates a meaningful limit on the privacy of anyone who reports a positive test through the system. Once those daily keys are public, it's possible to work out which proximity IDs are associated with a given daily key. (Remember, that's exactly the computation the app performs to confirm an exposure.) Specific apps can limit how much of that information they surface, and I'm sure they'll all do their best, but at that point you're outside the hard protections of the cryptography. One could imagine a malicious app or a network of Bluetooth sniffers collecting proximity IDs in advance, tying them to specific identities, and later correlating them with daily keys scraped from the central list. It would be difficult to pull off, and harder still to do for every person on the list – and even then, the attacker would only get codes from the server for the past 14 days. (That's all that's relevant for contact tracing, so it's all the central database stores.) But it wouldn't be flatly impossible, which is usually the standard cryptography aims for.
Summing up: it's hard to absolutely guarantee someone's anonymity when this system reports that they've tested positive. In the system's defense, though, that's a hard guarantee for anyone to make. We're all limiting our in-person contacts through social distancing, so if you learn you were exposed on a particular day, the list of potential vectors is already fairly short. Add in the quarantine and, in some cases, hospitalization that come with a COVID-19 diagnosis, and it becomes very difficult to fully preserve medical privacy while still warning the people who may have been exposed. To some extent, that tradeoff is inherent to contact tracing. Technical systems can only mitigate it.
After all, the best contact tracing method we currently have is a person interviewing you and asking who you've been in contact with. A completely anonymous contact tracing system is fundamentally impossible.
Could Google, Apple, or a hacker use it to find out where I've been?
Only under very specific circumstances. If someone collected your proximity IDs, and you tested positive and decided to share your diagnosis, and they pulled off all the rigamarole described above, then they might be able to tie you to a specific place where your proximity IDs were spotted in the wild.
But it's important to note that neither Apple nor Google is sharing information that could put you directly on a map. Google holds a lot of that kind of information, and the company has shared it at an aggregate level, but it's not part of this system. Google and Apple may already know where you are, but they aren't connecting that information to this dataset. An attacker who compromised the system would still learn less about you than most of the apps on your phone already know.
Could someone use this to find out who I was in contact with?
That would be much harder. As mentioned above, your phone keeps a log of all the proximity IDs it receives, but the specification is clear that this log should never leave your phone. As long as your specific log stays on your specific device, it's protected by the same device encryption that guards your texts and emails.
Even if a bad actor stole your phone and managed to break through that security, they would only have the codes you received, and it would be very difficult to figure out who those codes came from. With no daily key to work from, they would have no clear way to correlate one proximity ID with another, so it would be hard to pick out a single actor in the jumble of Bluetooth trackers, let alone figure out who was meeting with whom. And crucially, the robust cryptography makes it impossible to work directly back to the associated daily key or personal ID.
What if I don't want my phone to do this?
Don't install the app. When the operating system updates arrive in the summer, just leave the contact tracing setting switched off. Apple and Google insist that participation is voluntary, and unless you take proactive steps to take part in contact tracing, you should be able to use your phone without getting involved at all.
Is that just a veiled surveillance system?
This is a hard question. In a sense, contact tracing is surveillance: public health work is full of medical surveillance, simply because it's the only way to find infected people who aren't sick enough to see a doctor. The hope is that, given the catastrophic damage the pandemic has already done, people will be willing to accept this level of surveillance as a temporary measure to stem the virus's spread.
A better question is whether this system carries out that surveillance fairly and helpfully. It matters a great deal that the system is voluntary, and it matters a great deal that it shares no more data than it needs to. All we have right now is the protocol, and it remains to be seen whether governments will try to implement this idea in a more invasive or heavy-handed way.
As the protocol gets implemented in specific apps, many important decisions about how it's used and how much data is collected outside the protocol will still have to be made. Governments will make those decisions, and they may make them badly – or worse, fail to make them at all. Even if you're encouraged by what Apple and Google have laid out here, all the companies can do is throw the ball – and a great deal depends on what governments do after they catch it.