Apple and Google on Friday made a series of technical announcements regarding their collaboration to enable contact tracing via smartphones, underlining how the two will promote user trust, privacy, and data security principles. Addressing the concerns and feedback from various quarters, the tech giants announced updates to the API framework released on April 10, along with documents that detail the cryptography and Bluetooth specifications.
To begin with, anonymous, encrypted identifier keys (a coded series of numbers and letters) will now be randomly generated rather than derived from a temporary tracing key. This makes it harder to guess how the keys are derived and to use that information to trace people.
Secondly, Apple and Google announced that the metadata associated with Bluetooth will be encrypted, making it more difficult for someone to use it to identify a person, “for example, by associating the transmit power with a particular model of phone” or the version number of the protocol the phone is running.
Many questions have been raised about metadata being accessible to authorities. Metadata essentially means texts, emails, date and time of calls, and internet sessions of a user. As per the change, this metadata will be encrypted, meaning it would be nearly impossible for authorities to identify a person.
Apart from the focus on privacy, Apple and Google are also making it easier for public health authorities to build great apps. The first version of Apple and Google's cross-platform contact tracing API should be available to developers next week. Apple said the seed release will support iOS devices released in the last four years.
Apple and Google are jointly developing an app that would use Bluetooth to track and trace smartphone users’ proximity to other users. The “Contact Tracing” method is very popular in India and other Asian countries to tackle epidemics.
The contact tracing app remains voluntary, and neither Apple nor Google is forcing Android and iPhone users to download the app. The data would be stored on each individual smartphone and does not include names or location information, only a “key” identifier exclusive to each nearby contact. These identifiers would be rotated on a randomised basis to prevent long-term tracking. If a smartphone user is detected with Covid-19, he or she will be diagnosed by their health authority. The system collects no location data from users, including users who are Covid-19 positive.
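The change to randomly generated keys and the rotating identifiers described above can be sketched as follows. This is an added example, not Apple's or Google's code: the HMAC-based derivations, the label strings, the 16-byte sizes and the 10-minute rotation window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16              # assumed size of keys and broadcast identifiers (bytes)
INTERVALS_PER_DAY = 144   # assumed rotation: one identifier per 10-minute window


def hkdf_sha256(key, info, length=KEY_LEN):
    """HKDF (RFC 5869), empty salt, one output block (length <= 32)."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()               # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]  # expand


def derived_daily_key(tracing_key, day):
    """Earlier design: every day's key is a function of one long-lived key,
    so whoever learns that key can recompute the key for any day."""
    return hkdf_sha256(tracing_key, b"daily-key" + day.to_bytes(4, "little"))


def random_daily_key():
    """Updated design: fresh randomness each day, unrelated to other days,
    so a disclosed key exposes that single day only."""
    return secrets.token_bytes(KEY_LEN)


def rolling_identifiers(daily_key):
    """Rotating identifiers broadcast over one day, derived from that day's key."""
    return [
        hmac.new(daily_key, b"rolling-id" + i.to_bytes(4, "little"),
                 hashlib.sha256).digest()[:KEY_LEN]
        for i in range(INTERVALS_PER_DAY)
    ]


def matches(published_daily_key, observed):
    """On-device check: count identifiers heard nearby that a published key explains."""
    return len(set(observed) & set(rolling_identifiers(published_daily_key)))


if __name__ == "__main__":
    key = random_daily_key()
    ids = rolling_identifiers(key)
    heard = {ids[3], ids[77]}                      # constructed sample observations
    print("matches for published key:", matches(key, heard))
    print("matches for unrelated key:", matches(random_daily_key(), heard))
```

Matching runs on the phone against identifiers it stored locally, which is why no names or locations need to leave the device.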