Here Is How Apple and Google’s COVID-19 Contact Tracing Framework Will Work
Ever since Apple and Google announced their collaboration for a COVID-19 contact tracing framework which will work between both iOS and Android devices, people have been raising questions regarding privacy and security concerns. Does this new framework open a can of worms towards an Orwellian future where Big Brother tracks everyone you come across? No, it doesn’t. Read on to find out more details.
What is contact tracing?
Contact tracing is the process in which people who an infected person in touch with are tracked down and diagnosed to find out if they have also been infected by the virus. This process was initially made popular in Singapore through a government-backed app called TraceTogether, which was later open-sourced, to help with community-driven contact tracing. The app relies on Bluetooth to keep a log of other TraceTogether users that it comes in close contact with. If the user is tested positive for COVID-19, the app log is provided to relevant government authorities, which includes interaction data with other TraceTogether users. One limitation of the app on iOS is that it has to be kept in the foreground at all times to function properly, due to the operating system’s restrictive nature.
This same idea was also implemented in various other places around the world, and is now being implemented at a system level by Apple and Google.
How is Apple and Google’s framework different?
The simple basis for Apple and Google’s COVID-19 framework is to ensure that system-level APIs, that work between iOS and Android devices, allow app developers to create solutions that can be used to perform contact tracing. If a user of an app that relies on the COVID-19 contact tracing framework is tested positive for the virus, select healthcare providers will mark it in a system which will send notifications to all other users who had come in contact with the infected person. The framework will only maintain data from the last 14 days. Anyone a user had come in contact with, before the last 14 days, would not be in the database.
The aim is to make this possible without sacrificing privacy and security of the users. Nobody wants such a tool to be used by governments or people with malicious intent, to find out who anyone has been in touch with.
What are the security precautions in place?
The framework proposal makes it clear that there are three different keys being used:
- Tracing Key, which stays on the device
- Daily Tracing Key, which is a unique key generated every day from the tracing key
- Rolling Proximity Identifier, generated by the daily tracing key
Instead of any personally identifiable data, the framework will keep the proximity identifiers in the list to maintain the contact tracing log. None of this data will be linked to the user’s Apple or Google accounts, or Apple Maps or Google Maps location data.
However, if a person is tested positive for the virus, the security measures will reduce slightly. The daily tracking keys of the infected person are posted to the server, allowing the framework to notify users if the proximity identifiers on their devices were generated from those daily tracking keys.
Unless someone has a log of a user’s proximity identifiers through some complex Bluetooth LE sniffing tool, and the daily tracking key, the system cannot easily be hacked.
Will Apple, Google or the Government have access to the data?
No, the data is not being saved to Apple’s or Google’s servers, therefore, it will not be packaged and provided to any government organization either. The proximity identifiers log will always remain on the user’s device.
“But I’m paranoid and still want to secure my data”
You will not be forced to use the framework. It will be completely optional through the apps, and through the operating level settings that iOS and Android will gain in future updates. However, despite not participating in the contact tracing program, which is aimed to stop the spread of COVID—19 to countless other people, you will still be asked by authorities, in person, if you are tested positive for the virus. The only thing the framework will do is make the contract tracing accurate and easier.
Stay in the loop
GET A DAILY DIGEST OF LATEST TECHNOLOGY NEWS
Straight to your inbox
Subscribe to our newsletter