Apple and Google exposure notification system: all you need to know

Here are all the info on the exposure notification system of the two companies.

Apple, in the beta version of iOS 13.5 has introduced the first version of the exposure notification API, which will allow apps from public health authorities and governments around the world to help people understand if they have been exposed to COVID- 19 and, if so, what measures to take to minimize the spread of the virus.

Explanation of the exposure notification

The exposure notification started as a contact track, an Apple-Google initiative that was announced in early April to limit the spread of COVID-19.

Apple and Google have created an API designed to allow iPhones and Android smartphones to interface with each other for contact tracking purposes, so if and when we are in the vicinity of someone who is subsequently diagnosed with COVID-19, we can receive a notification and take appropriate measures to self-isolate and obtain medical attention if necessary.

To determine if we have come into contact with someone will be our iPhone, which, using the exposure notification API, interacts with other iPhones and Android smartphones via Bluetooth whenever we are close to someone else who also has a smartphone, exchanging anonymous identifiers.

Apple and Google are developing the underlying APIs and Bluetooth functionality, but are not developing the apps that will use those APIs . Instead, the technology will be incorporated into apps designed by public health authorities around the world, who will be able to use the tracking information to send exposure notifications and follow up on the recommended next steps.

The APIs were created with privacy, security and use of the apps in mind and is opt in instead of mandatory.

How exposure notification works

Almost everyone has a smartphone, making them ideal for determining who we came in contact with. The exposure notification has a self-explanatory name and, in a nutshell, the function is designed to notify us if we have been in close proximity to a person who has been diagnosed with COVID-19.

Here is a detailed procedure on how it works:

  1. Two people, Fabiano and Francesco, are both in the same grocery store shopping on a Tuesday afternoon. Fabiano has an iPhone and Francesco has an Android phone, both with a health app that uses the exposure detection API.
  2. Fabiano and Francesco stand in line together for about 10 minutes. During this time, each of their phones is transmitting completely anonymous identification signals and detecting identification signals transmitted by the other person. Their phones know they have been in contact and store that information on the device itself.
  3. A week later, Francesco presents COVID-19 symptoms, visits a doctor and is diagnosed with the disease. He opens his health app, checks his diagnosis using the documentation of a healthcare professional and touches a button that uploads the identification beacon to a centralized cloud server.
  4. On the same day, Fabiano’s health app downloads a list of all recent beacons of people who have contracted COVID-19. Fabiano then receives a notification because he has been in contact with someone who has COVID-19 because of his interaction with Francesco at the supermarket.
  5. Fabiano does not know that Francesco contracted COVID-19 because no personally identifiable information was collected, but the system knows that on Tuesday he was exposed to COVID-19 for 10 minutes and that he was close.
  6. Fabiano follows the steps of the health app on what to do after exposure to COVID-19.

Apple and Google also created a graphic practice explaining the process, which we described above:

What do I need to do to use exposure notification?

Apps that use Apple’s exposure notification API will be available when the company releases iOS 13.5 .

Exposure notification is a feature enabled by default in the iOS 13.5 beta version and can be enabled automatically when the update is released, but in reality using the API requires downloading an app from an authority health checked. Many countries are developing country-specific apps that we can download.

At the moment, there are no apps that use the Apple API, but once released, we will have to download one and consent to use it before the exposure notification becomes functional on your smartphone.

Without downloading an app and agreeing to use the tracking system, the exposure notification API on iPhone does not work.

Cross-platform app communication

Apple and Google have both worked to create APIs for exposure notifications that work together so that iPhones and Android smartphones can interface with each other.

Opt-in exposure notification

In the beta version of iOS 13.5, the function is active by default, but the use of the function is still opt-in rather than opt-out because it is necessary to download an app and agree to register for the exposure notification system .

If, at some point, we contract COVID-19, there is a separate consent process to anonymously notify the people we have been in contact with. The app needs explicit consent to inform others of the diagnosis and does not send any data automatically.

Exposure notifications can be turned off in the Privacy section of the Settings app. As you can see in the demo screenshot below, users will have to click on “ Allow ” after installing an app to allow the app to collect and share random IDs with nearby devices.

Verification of exposure notification

When a person is diagnosed with COVID-19, before an alert is sent to the people they have been in contact with, apps that use the Apple and Google exposure notification APIs require verification that a person has tested positive to disease.

This will prevent people from using the system in a dangerous way to trick others into believing that the exposure occurred when it really isn’t.

For example, a person who tests positive for COVID-19 might receive a QR code with the test results, which could be scanned into an exposure notification app for verification purposes. The verification process will vary by region, according to Apple.

How exposure notifications will work

As explained above, with a health app that uses the installed exposure notification API, the smartphone exchanges anonymous identifiers with each person you come in contact with who also has an app that uses the API.

The phone maintains a list of these identifiers on it and this list remains on the device – it is not loaded anywhere. The exception is if we are diagnosed with COVID-19 and therefore we follow the steps to send notifications to smartphones that have been in contact with ours.

In this situation, the list of random identifiers to which ‌iPhone‌ has been assigned over the previous 14 days will be sent to a centralized server. Other people’s iPhones control this server and download that list, comparing it with the identifiers stored on their devices. If there is a correspondence, they are notified of the exposure with further information on the next steps.

Matches are made on the device rather than on a server in a central location, which preserves privacy while ensuring that people are aware of possible exposures.

For a simpler explanation, here is a detailed procedure on how it works:

  1. Fabiano and Francesco interact at the supermarket. During this interaction, Francesco’s Android phone has a random identification number, 12486, which is unique to Francesco’s phone (and which changes every 15 minutes).
  2. Fabiano’s iPhone records Francesco’s random identification number, 12486, and sends the latter his random identifier, 34875. Both Fabiano and Francesco are in contact with a dozen people in the supermarket, so their smartphones download random identifiers. from all these phones.
  3. Francesco contracts COVID-19, confirms his diagnosis in the app and agrees to upload all the identifiers used by the phone in the last two weeks (including 12486) on a central server accessible from Fabiano’s COVID-19 app. At this point, Francesco’s identifier is shared with a central database, but these random identifier numbers are not associated with any personal information and do not include location data.
  4. Fabiano’s phone downloads the list of identifiers of people who have been diagnosed with COVID-19, which includes Francesco’s identifier, 12486, and compares it with the list of identifiers that have been stored based on the interactions of Fabiano.
  5. A correspondence is made, then Fabiano receives a notification that he has been in contact with someone who has the COVID-19 and receives information on what steps to take.

Health apps will have access to information that includes the amount of time Fabiano and Francesco’s phone was in contact and the distance between them, as determined by the strength of the Bluetooth signal, which can be used to estimate distance.

Based on this information, the app can send personalized notifications to Fabiano, perhaps letting him know his level of exposure and the potential danger based on these factors. The system will know the day it was exposed, how long the exposure lasted and the Bluetooth signal strength of that contact. No other personal data is shared.

When data is shared

For the most part, the exposure notification system works on our device. The identifiers are collected and matched entirely on our smartphone and are not shared with a central system. There are two exceptions to this:

When a user is diagnosed with COVID-19 and chooses to report this positive diagnosis to the contact tracking app, the most recent identification beacons (from the last 14 days) will be added to the list of positive diagnoses shared by a public health authority. to allow others who came in contact with that identifier to be notified.
When a user is notified through his app that he has come into contact with a person who has tested positive for COVID-19, the day the contact occurred, how long it lasted and the intensity of the Bluetooth signal of that contact will be shared.

Privacy details of exposure notifications

First, full privacy details on exposure notification are available on the Apple website , but some important privacy FAQs are described below.

  • No identifying information : our name, Apple ID and other information is never shared or associated with apps that use the exposure tracking API.
  • No location data : the app does not collect, use or share location data. Exposure notification is not to track where people are, but to determine if a person has been around another person.
  • Random identifiers : the iPhone is assigned a random identifier (a string of numbers) which is transmitted via Bluetooth to other nearby devices. Identifiers change every 10-20 minutes.
  • Operation on the device : the identifiers with which the phone comes in contact or the phones that come into contact with the identifier are stored on the device and are not loaded anywhere without consent.
  • Sharing based on consent : If you get a positive result at COVID-19, the people you have been in contact with will not receive a notice without express authorization.
  • Identifier correspondence on the device : if you contract COVID-19 and agree to share this information, the list of identifiers of the last two weeks will be uploaded to a central server that other devices will be able to verify to identify a correspondence on their iPhone.
  • Opt-in : the exposure notification is entirely opt-in. You don’t need to use the feature and it doesn’t work unless you download an app that uses the API. It also doesn’t work if you turn off the Exposure Notifications option in the Settings app.
  • Sharing data with Apple / Google : Apple and Google will not receive identifying information about users, location data or other devices that the user has been close to.
  • Data monetization : Apple and Google will not monetize with the exposure notification project.
  • Verified Health Apps Only : Apple APIs can only be used by verified public health apps from health authorities around the world. Apps must meet specific privacy, security and data control criteria. The apps will be able to access a list of beacons provided by users confirmed to be positive for COVID-19 who have chosen to share them, but personal identification information is not included.
    Disabling exposure notification : Apple and Google can disable the exposure notification system on a regional basis when it is no longer needed.

More information

Both Apple and Google have dedicated websites with more information on exposure notification.

Add Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.