Apple-Google contract tracing API promises privacy protection, yet many govts want their own apps

Apple and Google have said that they will not allow use of GPS data along with the contact tracing systems.

In the last part of this series, we looked in detail at the Aarogya Setu app. This is the contact tracing app that has been made by, and is heavily endorsed by, the government of India. Racing towards the 100 million download mark, this is the only digital contact tracing app that has achieved such traction in such a short while. There are even talks of making it mandatory, which is being debated.

The Aarogya Setu app uses a centralised approach to digital contact tracing. When installed and in use, certain parameters or data (Bluetooth IDs and GPS location in this case) are collected and stored periodically on the user’s device. The app also scans the area using Bluetooth and GPS for other users, and stores their IDs as well. If a user declares themselves positive, all this data (virtual Bluetooth IDs of the user and those stored on the user device + GPS locations) are sent to a central server. The stored Bluetooth and GPS data is analysed, and other users of the app — scanned from the positive user’s phone — are sent a notification that they should get tested, or consider quarantining themselves, since they’ve been in proximity of an infected person.

Representational image: Tech2

Centralised approach in a nutshell

After taking the consent of the app user, their Bluetooth and GPS data are uploaded to a server, where the matching takes place and eventually notifications are sent from the server to user devices. Decisions are taken at the server side.

Many government-driven efforts have gone with this method, as it lets them collect location data to combat the spread of COVID-19. Apart from India, other countries using this approach include Singapore, China, Taiwan, South Korea and, more recently, the UK and France. The argument for this method is that it lets authorities identify COVID-19 hotspots and take corrective action.

But the centralised approach is being questioned by privacy activists as a ploy by governments to hoard patient data which could be used beyond the stated purposes of the contact tracing app. The counter to this method is the decentralised approach. 

Decentralised approach in a nutshell

After taking the consent of the app user, only their Bluetooth ID is sent to the server, NOT their GPS data. And this is done only if the user has declared themselves COVID-19 positive. The Bluetooth IDs of other phones which the infected user has been in contact with aren’t uploaded either. Every phone in this decentralised system also regularly downloads a list of the Bluetooth IDs of COVID-19 positive patients. The matching of Bluetooth IDs stored on the phone against the COVID-19 positive list that’s downloaded daily takes place on the phone. In other words, decisions are taken on-device.

A decentralised approach also does not rely on GPS data, which is one of the major data points with the centralised approach, and with Aarogya Setu. Communication happens only via Bluetooth handshakes between user devices.

Centralised vs Decentralised: Which approach is the right way to go?

The jury is still out on that, as both methods are yet to see mass adoption or deliver concrete results.

Asian countries including China, Singapore and Taiwan have tried a mix of contact tracing apps and on-ground response. All three have used the centralised approach, and two of these (China and Taiwan) were able to contain the spread - but the on-ground response in both countries was also intensive. The Singapore government was the first to develop a centralised contact-tracing app, but given that just 20 percent of the population downloaded it and a second wave of COVID-19 cases followed there, it’s not really the best model for studying the centralised approach. South Korea and Taiwan also used CCTV footage and techniques such as electronic fencing - practices which won’t fly in a lot of Western democracies.

Let’s take a look at who is doing what.

What is the Apple-Google approach and how does it work?

One of the unprecedented things that has happened as a result of the pandemic is the collaboration between technology rivals Apple and Google. Both the Valley giants had announced in mid-April that they were working on an application programming interface (API) to assist public health authorities with digital contact tracing. More recently, both companies even shied away from the term contact tracing and began calling their system an ‘exposure notification tool.’

Some of the guiding principles behind the Apple-Google decentralised approach are:

  • Explicit user consent required
  • Doesn’t collect or use location data from your phone
  • Bluetooth beacons and keys don’t reveal user identity or location
  • User controls all data they want to share, and the decision to share it
  • People who test positive are not identified to other users, Google, or Apple
  • Will only be used for exposure notification by public health authorities for COVID-19 pandemic management
  • Doesn’t matter if you have an Android phone or an iPhone - works across both

The basic operating principles are the same as those of other contact tracing apps. If you have downloaded an app made by your regional public health authorities which uses the Apple-Google API, your phone will send out a beacon via Bluetooth LE carrying a random Bluetooth identifier called a ‘Temporary Exposure Key’. This is, basically, a string of random numbers that isn’t tied to a user's identity and changes every 10-20 minutes for added privacy protection. Other phones in your vicinity will be listening to your beacon as well as broadcasting their own. Every user receiving this beacon will record and securely store it on their device. At no point is any Bluetooth key stored on your phone able to identify a specific user.

Once every day, each phone will download a list of keys for the beacons which have been identified as belonging to people who are COVID-19 positive. These keys, called ‘Diagnostic Keys’, are a subset of the Temporary Exposure Keys. They are uploaded to the cloud only after gaining consent from an infected user. The Temporary Exposure Keys of other phones stored on the device are not uploaded to the cloud. The app, which is built atop this API, will have a means to record a COVID-19 positive status.

The downloaded Diagnostic Keys are constantly checked against the list of keys that are already stored on the device. If there is a match between the keys stored on the device with the keys that have been identified as COVID-19 positive, then the user is notified and health authorities advise on the next steps. This PDF illustrates the process quite well.

How long should you have been in the vicinity to be given the notification for getting tested? Google and Apple have left that decision up to the health authorities who are building their apps atop the API.

“Public health authorities will set a minimum threshold for time spent together, such that a user needs to be within Bluetooth range for at least 5 minutes to register a match. If the contact is longer than 5 minutes, the system will report time in increments of 5 minutes up to a maximum of 30 minutes to ensure privacy. To approximate distance, the system compares the Bluetooth signal strength between the two devices in contact. The closer the devices are, the higher the signal strength recorded,” says the white paper by Google and Apple.
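To make the decentralised flow and the 5-minute reporting rule concrete, here is an added example that is not code from Apple, Google or this article. It assumes a keyed hash in place of the real Apple-Google identifier derivation, and the phones Alice, Bob and Carol are constructed for the scenario.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

# Simplified model of the decentralised flow above. The real Apple-Google scheme derives
# Rolling Proximity Identifiers with AES; a keyed hash stands in here (assumption, not the spec).
ROTATION_MINUTES = 15      # beacon identifier changes every 10-20 minutes
MIN_EXPOSURE_MINUTES = 5   # minimum contact time, set by the health authority
MAX_REPORTED_MINUTES = 30  # reported duration is capped to limit what a match reveals

def beacon_id(tek: bytes, interval: int) -> bytes:
    """Identifier broadcast during one rotation interval; unlinkable without the TEK."""
    return hmac.new(tek, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

@dataclass
class Phone:
    tek: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    observed: dict = field(default_factory=dict)  # beacon id -> minutes heard

    def hear(self, other_beacon: bytes, minutes: int) -> None:
        """Store a neighbour's beacon locally; nothing here identifies that neighbour."""
        self.observed[other_beacon] = self.observed.get(other_beacon, 0) + minutes

    def diagnosis_key(self) -> bytes:
        """Only the infected user's own key is uploaded; observed beacons stay on-device."""
        return self.tek

def reported_duration(minutes: int) -> int:
    """Below the threshold nothing is reported; above it, 5-minute steps capped at 30."""
    if minutes < MIN_EXPOSURE_MINUTES:
        return 0
    return min(minutes - minutes % 5, MAX_REPORTED_MINUTES)

def check_exposure(phone: Phone, diagnosis_keys: list, intervals: range) -> list:
    """On-device matching: regenerate each downloaded key's beacons, compare with stored ones."""
    matches = []
    for dk in diagnosis_keys:
        heard = sum(phone.observed.get(beacon_id(dk, i), 0) for i in intervals)
        if reported_duration(heard) > 0:
            matches.append((dk, reported_duration(heard)))
    return matches

def simulate() -> tuple:
    """Constructed scenario: Bob is near Alice for 45 minutes, Carol for only 3."""
    alice, bob, carol = Phone(), Phone(), Phone()
    intervals = range(4)  # one hour of 15-minute rotations
    for i in intervals[:3]:
        bob.hear(beacon_id(alice.tek, i), ROTATION_MINUTES)
    carol.hear(beacon_id(alice.tek, 0), 3)
    downloaded = [alice.diagnosis_key()]  # Alice tests positive and consents to upload
    return check_exposure(bob, downloaded, intervals), check_exposure(carol, downloaded, intervals)
```

Bob's 45 minutes of contact is reported as the 30-minute cap, while Carol's 3 minutes falls below the threshold and produces no notification; the server never sees who either of them met.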

A common API by Apple-Google means that irrespective of which mobile OS you use, the apps will be able to communicate with each other while protecting user privacy. In the first phase, users will need to download an app which is built atop this API.

In the second phase, the API will be baked into Android and iOS at the OS level to enable broader adoption. After you have consented to the use of these APIs in the second phase, the phone will send out Bluetooth beacons as it did in the first phase. It’s just that in the second phase, you may not need to download an app built on the API.

“If a match is detected the user will be notified, and if the user has not already downloaded an official public health authority app, they will be prompted to download it and advised on next steps. Only public health authorities will have access to this technology and their apps must meet specific criteria around privacy, security, and data control,” says the whitepaper.

Both Apple and Google have said that privacy and preventing governments from using the system to compile data on citizens was a primary goal. The system uses Bluetooth LE signals from phones to detect encounters. Apple and Google have said that they will not allow use of GPS data along with the contact tracing systems.

The countries that have expressed interest in the Apple-Google API approach include Switzerland, Germany, Austria, Latvia, Estonia, Finland, Ireland, Canada as well as Italy. Germany, after backing a centralised approach along with France, changed its stance at the last moment to go with a decentralised, privacy-first approach.

While this method has been appreciated by a lot of countries in Europe, some such as the UK and France remain skeptics, as they want more location-centric data to guide their response.

UK’s NHS and France’s StopCovid have decided to go ahead with the centralised approach

The UK has already rolled out a beta version of its app, NHS Covid 19. Health workers, council members and volunteers in the Isle of Wight — an island located south of the mainland with a population of 141,000 — have been asked to download and start using this app. This app will send details of the logged Bluetooth IDs to a UK-based computer server managed by the National Health Service (NHS) which will do the contact matching, according to a report in the BBC. This is a centralised approach, where data is being shared with a central authority. In principle, this is somewhat similar to what the Aarogya Setu app is also doing.

Why is the UK using a centralised approach? Prof Christopher Fraser, an epidemiologist advising the NHS, told the BBC that this approach will help in auditing the algorithms and adapting the system more quickly as scientific evidence accumulates. He claims it’s easier to inform only those who are at the most risk using a centralised system. The UK also hopes to spot geographical hotspots where the disease is spreading fast with this approach.

Things aren’t as rosy according to others. “The creation of the “COVID-19 datastore” — a centralised government database — means that the UK government, the National Health System (NHS), and a group of tech companies are collecting, aggregating, and mining confidential and sensitive data of UK citizens on an unprecedented scale,” said Forrester senior analyst Enza Iannopollo. According to her, the leaked documents of the COVID-19 datastore point to the fact that the amount of data collected “are disproportionate compared to the stated purpose of the project.”

The company which is behind the software for this app is Palantir, a government-friendly big data operator, which is going to work with Faculty, a British AI startup, to consolidate government databases to help ministers deal with the pandemic. While the NHS claims that no data will be shared with outside entities, Palantir and Faculty will be dealing with anonymised datasets for data analysis. Given Palantir’s track record with regards to surveillance, the partnership between it and NHS has struck privacy activists as odd.

France is another European nation which is going with a similar approach and has discarded the Apple-Google decentralised method. France is planning to launch the StopCovid app on 2 June. It had asked Apple to let the app access the iPhone’s Bluetooth radio in the background, but Apple hasn’t been forthcoming on that front. As a result, France has accused Apple of not being co-operative and its digital minister has even gone so far as to say that France will remember this when the time comes.

Translation: Apple will face the consequences of not cooperating with the French government.

If governments are already sending out these passive-aggressive signs even before the apps are launched, what’s to prevent them from going back on their privacy-related stand in the future?

“While AI and technology can contribute to design and implement better responses, governments must develop approaches that encompass people, processes, and measures that allow them to control the virus. The lessons we learned so far from Germany, Hong Kong, and few others show us just that,” said Iannopollo.

Even in the US, certain states such as New York, California, and Massachusetts, have decided to go with their own apps with a larger focus on manual contact tracers rather than relying on Apple-Google’s decentralised APIs.

Feature phone users have been left out of the loop completely

The centralised and decentralised approaches both assume that the end user will have a smartphone which has the Bluetooth Low Energy feature. But large swathes of the populace do not own a smartphone to begin with. In India, for instance, around 500 million people use feature phones which have no GPS or Bluetooth functionality. According to the BBC, the UK figures stand at 12 percent of mobile users.

Globally, around 2 billion phone users won’t be able to participate in either centralised or decentralised contact tracing: their phones either lack GPS or Bluetooth, or, if they are smartphones, run older versions of the OS and lack the latest Bluetooth LE chip. According to Neil Shah from Counterpoint Research, “Most of these users with the incompatible devices hail from the lower-income segment or from the senior segment, which actually are more vulnerable to the virus.”

In India, JioPhone users (around 90-100 million in number), who use smart feature phones based on the KaiOS platform, could soon be getting a contact tracing app which is under development, according to MyGov CEO Abhishek Singh. For other feature phone users, there’s a roundabout way of calling an IVRS number and answering questions for the process of self-assessment.

Bottomline: Contact tracing apps are an experiment in progress

Which method wins out will only be determined as time goes by and these apps see mass adoption. Also, this is a rapidly evolving situation and just like Germany did, any country may decide to switch its approach from centralised to decentralised, or vice versa.

The question that remains is: Will we have to let go of certain privacy privileges as digital contact tracing becomes more mainstream?
