Apple and Google, more privacy for tracking apps: what changes for the user


On April 14, Apple and Google announced their intention to work together on a contact tracking project to try to tackle the pandemic.

The ultimate goal is to create a complete solution that includes both application programming interfaces (APIs) and operating system-level technology. All while maintaining strong protections on user privacy. The API will be used to develop institutional applications, such as “Arogya Setu” which will be created by Bending Spoons, a company chosen by the Indian government.

Compared to what was initially announced, and precisely in order to significantly increase the level of protection of user privacy, Apple and Google have made a series of important changes to the API. These are the result of feedback from, and the involvement of, governments, health authorities and companies that deal with app development.

CHANGES

One of the main changes concerns the so-called “tracking keys”, which will now be generated randomly instead of being derived from a temporary tracking key. This will limit the possibility of reconstructing the origin of the identifiers. Second, the metadata associated with Bluetooth will be encrypted to make it more difficult to use it to identify a person (for example, by associating the transmission power of the Bluetooth signal with a particular phone model).

Another important change concerns the way in which “proximity events” will be recorded: the recordings will take place at five-minute intervals and the maximum exposure time will not exceed 30 minutes, a period of time sufficient to detect and determine the quality of a risky encounter.

Developers will also be able to specify signal strength and duration thresholds for exposure events. In this way, public health authorities will be assisted in defining individually what constitutes an “exposure event” for them based on the intensity of the radio signal and the length of time two telephones have been in the vicinity. The apps, therefore, will better determine how close we have been to an infected person and for how long.

Furthermore, updating the APIs will also allow the determination of the number of days that have elapsed since the last exposure event. This feature will allow apps to determine what actions the user will need to take next.


To better describe the functionality of the API, Apple and Google have decided to change the terminology used: instead of “Contact Tracing”, which was often misunderstood, the term is now “Exposure Notification”. This technology, in fact, aims to inform a person about potential exposure to an individual who tested positive for COVID-19.

CRYPTOGRAPHY

As for the encryption of the data collected, as mentioned, the Temporary Tracing Keys – the temporary tracking keys (previously known as “Daily Tracing Keys”) – will be generated randomly and will no longer be derived. This change reflects the fact that their temporary nature is no longer specifically related to a 24-hour period.

To achieve better performance, with less impact on energy consumption, it was also decided to change the algorithm used to encrypt the random identifiers that are frequently exchanged between smartphones: instead of HMAC (keyed-hash message authentication code), AES (Advanced Encryption Standard) will be used, a more popular method for data encryption. In fact, many devices have hardware capable of accelerating AES encryption. The result is greater efficiency, which avoids significantly reducing the device's battery life.

Also, the metadata sent via Bluetooth, that is, the information shared between the phones together with their random identifiers, will be encrypted. This metadata includes, among other elements, the transmission power level of the devices (to estimate more accurately the distance between two smartphones at the time of contact) and the version number of the protocol running. Encrypting this metadata will make it more difficult to use it to identify a person by associating, for example, the transmission power with a particular model.

MORE SECURITY

System security has also been improved to ensure that a temporary tracking key can only be used to generate a rotating proximity identifier on the same day. The framework also tracks only contacts in the past 14 days without continuing after a person has registered as positive for COVID-19.


It will also be possible to know how much time has passed since the last exposure event, which can help an app determine after how long the symptoms may appear. Finally, the possibility has been added, both for the app and for the user, to delete the complete history of the information stored on the smartphone relating to the exposure notification, rotating proximity identifiers and temporary tracking keys.

OPERATION

Changes aside, the way the system operates will remain unchanged. There will never be any type of location tracking via GPS. When activated (manual deactivation will always be possible), the smartphone will send via Bluetooth LE, at cyclical intervals, a random and encrypted identification signal, and will detect any identification signals sent by nearby smartphones.

In case of contact, the encrypted metadata will be stored in a local database and compared with the identifiers of COVID-19 positive people contained in a list downloaded daily, only in this case, from a remote server. If an identifier matches one belonging to the list, the application that uses the API will inform the user of the steps to take. This information, of course, may vary from app to app.
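The identifier derivation, metadata encryption and on-device matching described above, as an added Go example (not code from Apple, Google or this article). The label strings, the 10-minute interval and the 144-interval key lifetime follow the published Exposure Notification cryptography specification rather than this page; the key, day number and metadata bytes are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// subkey derives an AES-128 key with HKDF-SHA256 (RFC 5869, empty salt, one block).
func subkey(tek []byte, info string) cipher.Block {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size))
	ext.Write(tek)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append([]byte(info), 1))
	block, _ := aes.NewCipher(exp.Sum(nil)[:16]) // 16-byte key: cannot fail
	return block
}

// RPI is AES("EN-RPI" || 6 zero bytes || n little-endian); n = 10-minute interval number.
func RPI(tek []byte, n uint32) (id [16]byte) {
	padded := append([]byte("EN-RPI"), 0, 0, 0, 0, 0, 0, byte(n), byte(n>>8), byte(n>>16), byte(n>>24))
	subkey(tek, "EN-RPIK").Encrypt(id[:], padded)
	return id
}

// CryptMeta encrypts or decrypts broadcast metadata (AES-CTR, IV = identifier).
func CryptMeta(tek []byte, id [16]byte, meta []byte) []byte {
	out := make([]byte, len(meta))
	cipher.NewCTR(subkey(tek, "EN-AEMK"), id[:]).XORKeyStream(out, meta)
	return out
}

// Match re-derives a published key's identifiers for its validity window only.
func Match(tek []byte, start, period uint32, seen map[[16]byte][]byte) ([]byte, bool) {
	for i := start; i < start+period; i++ {
		if aem, ok := seen[RPI(tek, i)]; ok {
			return CryptMeta(tek, RPI(tek, i), aem), true
		}
	}
	return nil, false
}

func main() {
	tek, day := []byte("constructed-key!"), uint32(144*18400) // constructed sample values
	id := RPI(tek, day+77)
	seen := map[[16]byte][]byte{id: CryptMeta(tek, id, []byte{0x40, 0xF4, 0, 0})}
	fmt.Println(Match(tek, day, 144, seen))
}
```

Because the receiving phone stores only the identifier and the encrypted metadata, the transmission power becomes readable only after the sender's key has been published and matched.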

ANDROID AND IOS


As previously announced, APIs that allow interoperability between Android and iOS devices will be released in May. From today, however, they are available in beta for institutional app developers.

The Google Play Services infrastructure is used for Android (therefore excluding the recent Huawei smartphones and those marketed on Chinese territory), which will make it possible to update smartphones with Android version 6.0 or higher. Google has confirmed that its update system will apply to both phases of the tracking framework: the initial implementation of the API and the next phase of integration into the operating system. As for iOS, however, the APIs will arrive via an iOS 13 firmware update; the beta version supports iOS devices released in the last 4 years.