Google, Apple Reveal More Contact-Tracing DetailsDescribe Limits on How APIs Can Be Put to Use for Apps
Google and Apple on Monday released privacy and security guidelines for their jointly developed contact-tracing infrastructure. The tech companies note that apps developed using their APIs can only be developed by or for public health authorities – and solely to collect limited information to help trace COVID-19 infections.
The APIs developed by Google and Apple will not use location tracking data, according to the developer guidelines released Monday. Users of the apps buit with the APIs will be able to turn off the contact-tracing technology at any time. Plus, the apps must limit how much data they can collect from the physical contacts of other app users who report that they are infected.
The two tech giants have been jointly developing their contact-tracing infrastructure, now called Exposure Notification, since March. On Monday, they released the first samples of the APIs to developers, who will use them to create apps.
The Exposure Notification system will enable Android smartphones and iPhones to use Bluetooth signal strength as a way to estimate the distance between two devices. Google and Apple hope contact-tracing apps will augment the manual process of tracking individuals who have tested positive for COVID-19 by attempting to notify everyone with whom an infected individual may have come into contact. Through these apps, users could also self-report symptoms and seek medical advice.
Some healthcare and technology experts, however, have argued that contact-tracing technology would still need manual processes to be effective (see: Digital Contact-Tracing Apps: Hype or Helpful?).
The developer guidelines released Monday seek to address some concerns raised by privacy advocacy groups, such as the Electronic Frontier Foundation, which recently raised concerns about how personal data from these apps might be abused (see: Contact-Tracing Apps: Privacy Group Raises Concerns).
"Google and Apple put user privacy at the forefront of this exposure notification technology’s design and have established strict guidelines to ensure that privacy is safeguarded," the companies said.
The developer document also addresses other concerns about how the technology will work. For example, the random Bluetooth identifiers that help measure the distance between devices will rotate every 10 to 20 minutes to help prevent tracking by a third party, according to the document.
Only one contact-tracing app per region will be supported, but Apple and Google say in a statement that they'll also support countries that have "opted for a regional or state approach."
The companies will disable the Exposure Notification system on a regional basis when it's no longer needed, according to the document.
The companies are also sticking with their earlier announced "decentralized approach," which avoids collecting data in a central location, such as a government database. This means that all data will be stored locally on the device and only shared with public healthcare authorities if the user chooses to share.
"If a user decides to participate, exposure notification data will be stored and processed on the device. Other than the random Bluetooth identifiers that are broadcast, no data will be shared by the system with public health authority apps," according to the developer document.
Some nations, including Australia, France, Singapore and the U.K. - as well as several U.S. states - back a centralized approach. This would enable governments to track individuals, including their location, as well as who they came into contact with and for how long.
How Data Is Shared
Apple and Google described two scenarios for sharing data with a third party.
The first is if a user receives a positive diagnosis of COVID-19 and wants to share that information with public healthcare authorities. The second is if the user comes in contact with someone who has received a positive diagnosis.
"In keeping with our privacy guidelines, Apple and Google will not receive identifying information about the user, location data, or information about any other devices the user has been in proximity of," according to the document.
Google and Apple also stressed that neither company has plans to monetize any data collected through the Exposure Notification system.
"Consistent with well-established privacy principles, both companies are minimizing data used by the system and relying on users’ devices to process information," according to the developer document.