Apple and Google announced their intention to work together on a contact tracking project on April 14 to try to tackle the pandemic.
The ultimate goal is to create a complete solution that includes both application programming interfaces (APIs) and operating system-level technology. All while maintaining strong protections on user privacy. The API will be used to develop institutional applications, such as "Immuni" which will be created by Bending Spoons, a company chosen by the Italian government.
Compared to what was initially announced, precisely in order to significantly increase the level of protection of user privacy, Apple and Google have made a number of important changes to the API, the result of feedback and involvement from governments, health authorities and companies that deal with app development.
One of the main changes concerns the so-called "tracking keys" which will now be generated randomly instead of deriving from a temporary trace key. This will limit the possibility of a reconstruction of the origin of the identifiers. Secondly, the metadata associated with Bluetooth will be encrypted in order to make it more difficult to use it to try to identify a person (for example, by associating the transmission power of the Bluetooth signal with a particular phone model).
Another important change concerns how the "proximity events" will be recorded: recordings will take place at five-minute intervals and the maximum exposure time will not exceed 30 minutes, a period of time sufficient to detect and determine the quality of an encounter at risk.
Developers will also be able to specify signal strength and duration thresholds for exposure events. In this way, public health authorities will be assisted in defining individually what constitutes an "exposure event" for them based on the intensity of the radio signal and the length of time two telephones have been in the vicinity. The apps, therefore, will better determine how close we have been to an infected person and for how long.
Furthermore, updating the API will also allow the determination of the number of days that have passed since the last exhibition event. This feature will allow apps to determine what actions the user will need to take next.
To better describe the functionality of the API, Apple and Google have decided to change the terminology used: from "Contact Tracing", often misunderstood, we now speak of "Exposure Notification", exposure notification. This technology, in fact, has the purpose of inform a person about the potential exposure to an individual tested positive for COVID-19.
As for the encryption of the data collected, as mentioned, the Temporary Tracing Keys – the temporary tracking keys (previously known as "Daily Tracing Keys") – will be generated randomly and will no longer be derived. This change reflects the fact that their temporary nature is no longer specifically related to a 24-hour period.
To obtain better performance, with less impact on energy consumption, it was also decided to change the algorithm used to encrypt random identifiers which are frequently exchanged between smartphones: instead of HMAC (keyed-hash message authentication code), AES (Advanced Encryption Standard) will be used, a more common method for data encryption. In fact, many devices have hardware capable of accelerating AES encryption. In this way you will obtain greater efficiency that will avoid significantly reducing its autonomy.
Also metadata invited via Bluetooth, the information shared between the phones together with their random identifiers will be encrypted. These metadata include various elements including the level of transmission power of the devices (to estimate more accurately the distance between two smartphones at the time of contact) and the version number of the protocol running. Encrypting these metadata will make it more difficult to use to identify a person by associating, for example, the power with a particular model.
System security has also been improved to ensure that a temporary tracking key can only be used to generate a rotating proximity identifier on the same day. The framework also only tracks contacts in the past 14 days without continuing after a person has registered as positive for COVID-19.
It will also be possible to know how much time has passed since the last exposure event, which can help an app determine after how long the symptoms may appear. Finally, the possibility has been added, both for the app and for the user, of clear the complete history of the information stored on the smartphone relating to exposure notification, rotating proximity identifiers and temporary tracking keys.
Changes aside, the operating system will remain unchanged. There will never be any type of location via GPS. When activated (manual deactivation will always be possible), the smartphone will send via Bluetooth LE, at cyclical intervals, a random and encrypted identification signal, and will detect any identification signals sent by nearby smartphones.
In case of contact, the encrypted metadata will be stored in a local database and compared with the identifiers of COVID-19 positive people contained in a list downloaded daily, only in this case, from a remote server. If an identifier should match one belonging to the list, the application that uses the API will inform the user on the paths to be taken. Information that, of course, may vary from app to app.
ANDROID AND IOS
As previously announced, APIs that allow interoperability between Android and iOS devices will be released in May. From today, however, they are available in beta for institutional app developers.
For Android Google Play Services infrastructure is used (therefore excluding the recent Huawei smartphones and those marketed on Chinese territory) which will allow you to update smartphones with Android version 6.0 or higher. Google has confirmed that its update system will apply to both phases of the tracking framework: the initial implementation of the API and the next phase of integration into the operating system. As for iOS, however, the APIs will come via a firmware update of iOS 13, the beta version supports iOS devices released in the last 4 years.