Apple and Google release marks ‘watershed moment’ for contact-tracing apps

Apple and Google release marks ‘watershed moment’ for contact-tracing apps

Apple and Google have released a software tool

that will make it possible for nations to release coronavirus contact-tracing apps that adopt the firms’ privacy-centric model.

It offers developers access to added Bluetooth functionality to solve a problem existing apps have of iPhones sometimes failing to detect each other.

Android and iOS device owners will have to carry out system upgrades.

But some countries – including the UK – are pursuing a different approach.

“The release of these APIs [application programming interfaces] along with the operating-system updates will be a watershed moment for the development and adoption of proximity-tracing apps,” said Marcel Salath√©, an epidemiologist at the Swiss research institute EPFL.

He added that apps that adopted the protocol should be able to be made “interoperable” – meaning that citizens can continue to be contact-traced as they cross from one region and/or country to another. That could potentially help reduce travel restrictions imposed because of the virus – at least for those using the apps involved.

Contact tracing graphic

Apple and Google said public health agencies from 22 countries and some US states had already asked to test the system.

The app was not “a silver bullet” – but “user adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use”.

On-device matching

Contact-tracing apps are designed to automatically log when two people come into proximity to each other for a significant amount of time.

If one is later diagnosed with the coronavirus, the other can be given an alert, which might suggest they self-isolate and/or request a medical test of their own.

But the authorities believe adoption has been hampered by two factors:

  • concerns the technology poses a privacy risk
  • restrictions Apple places on third-party apps’ use of Bluetooth in the background

In theory, the new system should address both of these issues.

Its “decentralized” approach locates contact-matching on devices themselves rather than a centrally controlled computer server.

And this aims to cut the risk of either hackers or the authorities using the database of who met whom and for how long for other purposes.

But the UK’s NHS and its counterparts in France, Norway, and India say the centralized approach gives them greater insight, making it easier to tweak the risk model that decides who receives which type of alert.

Graphic explaining difference between centralised and decentralised apps

Apps that adopt Apple and Google’s API can customise it within certain limits.

But they will not be able to log, for example, a phone’s global positioning system (GPS) coordinates.

“Not collecting some kinds of data, such as location, is a policy decision, not an engineering one,” technology consultant Benedict Evans said.

“But Apple-Google have to build something for every phone on Earth, [potentially] including China and Iran, and think about how it could be abused.

“How much you need the extra data and whether it’s worth the privacy risks is a matter of opinion.”