Application Security , Geo Focus: The United Kingdom , Geo-Specific

Apple, Google Release Contact-Tracing APIs for COVID-19

Privacy-Centered Approach May Bolster Public Confidence in Contact-Tracing Apps
Apple, Google Release Contact-Tracing APIs for COVID-19
How a public health authority's contact-tracing app that uses Apple and Google's APIs might look. (Mockup: Apple and Google)

Apple and Google have released new APIs designed to support contact-tracing apps being developed by governments to help combat the COVID-19 pandemic.

See Also: ESG Research Report: Securing the API Attack Surface

Application programming interfaces handle interactions between software components. Experts say having the ability to use APIs built by Apple and Google will likely enable developers to build the most seamless, high-performance and usable contact-tracing apps possible for iOS and Android mobile operating systems.

Already, three U.S. states have committed to adopting the APIs, and 22 countries have requested access for testing them, CNBC reports, citing Apple and Google.

The two technology giants announced in early April that they would work together to develop backend technology to support contact-tracing apps. Their involvement could have a strong influence over the privacy and security impact of contact-tracing apps, which vary widely in their implementations.

Eventually, both companies plan to bake the capabilities into their platforms at an operating system level, with plans to remove the functionality once the pandemic subsides.

As of Wednesday, a research team at Johns Hopkins University reported that based on official government statistics, there have been more than 5 million confirmed COVID-19 cases globally and more than 328,000 deaths. The greatest number of COVID-19 deaths have been reported in the U.S., followed by the U.K., Italy, France, Spain and Brazil.

‘Exposure Notification’

Whether smartphone contact-tracing apps will help reduce new COVID-19 infections remains to be seen. But public health experts say such apps could help support and reduce the work of manual contact-tracing teams to better identify individuals who may have been exposed to the disease and alert them to self-quarantine for a specified period of time (see: Digital Contact-Tracing Apps: Hype or Helpful?).

Apple and Google have labeled their project as being Exposure Notification, rather than contact tracing. Any app-based system differs significantly from manual contact tracing, which involves an infected person being interviewed by investigators about their movements and contacts.

Many governments have either rolled out or are trialing contact-tracing apps. Some rely on Bluetooth to record contact logs of nearby contacts, while others also use GPS location data. Some countries, such as South Korea, have gone even further, for example, by tapping into credit card purchase data to track people's locations.

But privacy and security experts have warned that without sufficient protections - including, potentially, new laws to protect people's privacy - contact-tracing apps could pose a range of risks, ranging from facilitating overreaching government surveillance, to discrimination against anyone infected with COVID-19, to mapping a person’s social graph, meaning everyone with whom they come into contact.

Privacy Terms and Conditions

Apple and Google have said their approach prioritizes privacy and security. The APIs will only be available to governments that use Bluetooth for location tracking, rather than GPS or other data. The technology giants' terms and conditions also require that such apps be voluntary to use and collect no personal data (see: Contact-Tracing App Privacy: Apple, Google Refuse to Budge).

The companies have also embraced a decentralized approach to contact-tracing apps, along the lines of the DP-3T project, which is short for Decentralized Privacy-Preserving Proximity Tracing. The approach aims to minimize the chance that a contact-tracing app user can be identified by others by not storing any personal information on a centralized server.

Centralized Versus Decentralized Approaches

Numerous researchers and scientists have urged governments to only employ this type of decentralized approach, warning that doing otherwise will likely lead to reduced adoption, and that governments may only have one chance to get it right. Oxford University researchers have estimated that for maximum usefulness, 60% of a population will need to use these contact-tracing apps, although not everyone will have a smartphone capable of running them (see: COVID-19 Contact-Tracing App Must-Haves: Security, Privacy).

Here's how location tracking works under Apple and Google’s model: Smartphones within a specified proximity to one another, for a certain amount of time, will exchange Bluetooth beacon keys. These keys change several times a day. If someone later tests positive for COVID-19, health authorities can give that person the ability to upload the log of Bluetooth keys that their device recorded.

Other devices running a contact-tracing app can check a list periodically to see if they’ve recorded Bluetooth keys that have been linked to someone with COVID-19. A privacy advantage of this approach is that matching is done on individual devices rather than a central server. No one ever learns anyone else’s identity.

While the Apple-Google model is strong on privacy, it does deprive government health authorities of more granular data, which many have been arguing they need.

Use of the apps based the Apple-Google model is voluntary. Apple and Google will also allow anyone to disable Exposure Notification in their device's settings menu at any time.

Most countries are not mandating that their residents download or use any contact-tracing app, but instead are trying to incentivize users, saying that the apps will help enable the eventual easing of lockdown and social-distancing rules. But according to MIT’s Technology Review, which is tracking different contact-tracing apps as they get deployed, several countries - including India, Bahrain, China, Qatar and Turkey - have made using contact-tracing apps mandatory, at least for certain parts of their population. Such countries would not be eligible to use the Apple and Google APIs.

Australia Tests New APIs

One of the most compelling reasons for governments to adopt the Apple and Google APIs is performance. When Australia tested its contact-tracing app COVIDSafe in late April, for example, poor performance was a significant problem. In part, that's because iOS and Android restrict an app’s access to Bluetooth if the app is running in the background. To compensate, the Australian government suggested that when people are outside, they should leave the app running in the foreground. From a usability and battery-management perspective, however, that didn't appear to be a viable, long-term solution.

On Thursday, Australia's Digital Transformation Agency, which developed the app, said it "has been working with Apple and Google to understand and test the Exposure Notification Framework since it was released to see how it can be applied in Australia," adding that "testing is ongoing."

But Australia's COVIDSafe is based on a centralized model, in which health authorities will know who has tested positive as well as who the person has come into contact with, over the previous three weeks. Users are also required to enter their name, age range and post code. All of those things are forbidden for any apps that use Apple and Google's APIs.

It’s unclear if Australia will switch to a decentralized approach, now that the Google-Apple APIs are ready, because the country has already passed updated privacy laws to accommodate the current version of the app (see: Australia Passes Privacy Law for Contact-Tracing App).

Other countries, however, have made such a shift. Germany, for example, started out pursuing a centralized contact-tracing app project before shifting to a decentralized model on the advice of security and privacy experts.

U.S. Adoption Plans

In the U.S., North Dakota said on Wednesday that it would use Google and Apple’s exposure notification technology in its second attempt to build a contact-tracing app. The first attempt dates from April, when the state launched an app called Care19 that used GPS data. But according to Mashable, users of the app reported problems, including inaccurate tracking, and adoption was lukewarm.

North Dakota’s new app will be called Care19 Exposure. That app will reach “the greatest number of people in a way that protects their privacy,” says Gov. Doug Burgum.

Alabama and South Carolina also plan to launch apps that use Apple and Google's APIs, CNBC reports.

UK Outlook Unclear

The U.K. government has continued to pursue a centralized model. It's testing the first version of its app on the Isle of Wight, as well as responding to third-party analysis of the source code, which has identified several flaws.

The U.K.'s National Cyber Security Center says it's addressing the flaws, as the BBC has reported, and NHSX, the National Health Service’s technology arm, has also acknowledged the concerns and says it's committed to improving the app.

Executive Editor Mathew Schwartz contributed to this story.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.