Earlier today, Apple and Google announced a Bluetooth-based COVID-19 contact tracking platform that could alert people if they have been exposed to the new coronavirus. Contact tracing is a huge component of ending massive pandemic “stay home” orders, and while telephone tracing cannot replace traditional methods like interviews, it can complement them.
Google and Apple are using Bluetooth LE signals for contact tracking. When two people are nearby, their phones can exchange an anonymous identification key, registering that they have had close contact. If a person is later diagnosed with COVID-19, they can share that information through an app. The system will notify other users with whom they have been close so that those people can be quarantined if necessary. Ideally, this means that you will not have to reveal your name, location or other personal information.
However, beyond those basics, there are many questions about how people will actually use the system. This is what we know so far.
The First phase is application based and begins next month:
Apple and Google are launching the program in two phases, starting with an application programming interface (API) in mid-May. This API will ensure that iOS and Android apps can track users regardless of the operating system they use. But it will be restricted to official applications launched by public health authorities on the iOS App Store and Google Play Store.
During this first phase, you will need one of these applications to participate in the program. We don’t know who is working with Apple and Google right now, or what the apps will look like. It seems likely that they are interoperable in some way; in other words, a phone with application A could exchange a key with application B, as long as they are both using the API. Hypothetically we could see a national government or many small local agencies launch their own applications, or governments could approve something built by an outside party like a university. Google and Apple have not publicly clarified many details, so we will see them in the coming weeks.
No matter what the apps look like, you will have to proactively add them to your phone, which is sure to reduce the number of people using them. But in the months after launch, Google and Apple will work on a more permanent solution.
The second-phase adds opt-in tracking to iOS and Android:
After the API, Google and Apple want to add contact tracking as the main feature of iOS and Android. The method is a bit vague for now, but the goal is for you to go for something like your phone settings. This would activate the exchange of digital keys without requiring a third-party application. Then, if exposed, your phone will indicate this in some way and prompt you to download an app for more information.
This raises some questions. We don’t know much about that transfer process, for example: are you getting a vague popup notification or something with more details? We’re also not sure how the fragmented Android ecosystem could complicate the launch. Google could push a quick update through the Play Store instead of waiting for operators to implement it, but it would still face wide variations in hardware capacity. We also don’t know if individual government apps could request more invasive permissions, like location tracking, even if Google and Apple’s central system don’t use it.
If you have a phone without Bluetooth LE of course none of these apps will work. But iOS has included support since the iPhone 4S 2011, and the Android platform added support in 2012. So, unless you have a very old phone, it’s probably fine.
What happens if you get infected?
If your result is positive for COVID-19, the system is supposed to upload its last 14 days of anonymous “keys” to a server. Other people’s phones will automatically download the key lists, and if they have a matching key in their history, they will receive an exposure notification.
However, the app will need to make sure that people are actually infected; otherwise, a troll could cause chaos by falsely claiming to have COVID-19. We don’t know exactly how this will work. COVID-19 tests are currently administered by professionals and registered with health authorities, so perhaps Apple and Google could take advantage of that process to validate the tests. But it is a big problem and they will need a satisfactory answer.
Either way, sharing your passwords is supposed to be voluntary. That seems to really mean approving a load, not only granting general consent when you install the app, but the exact process is something else we’re waiting to see.
What if you are Exposed?
If people share your data as described above, your phone will check the list once a day and search for key matches, then notify you if it finds one. Google’s sample alert is pretty simple: It simply says, “You’ve recently been exposed to someone who tested positive for COVID-19,” and offers a link with more information. That information will be provided by whatever health authority is offering the app, and we don’t know what it might include, although at least it will likely explain COVID-19 symptoms and self-quarantine guidelines.
Exposure is not a simple binary process: the more time you spend with an infected person, the greater the risk. Documentation includes references to duration measured in 5-minute intervals. Theoretically, you could send that information directly to users, or you could offer an overall risk assessment without an exact number, which would provide a higher level of anonymity.
As we’ve said before, none of this replaces traditional contact tracing interviews. However, well done, you could add a platform level system that is easy to use and doesn’t compromise privacy too much. We are still waiting for a lot of details on how that will work.