You’ve probably heard a lot about COVID tracking apps and how our phones will be able to alert us if we have been near someone who’d had a diagnosis of COVID-19. What you may be wondering is whether your privacy will be forfeited in order for these apps to work and whether there will soon be an app on your phone that you will be expected to use. Here’s some clarity.

What is Apple doing to help COVID tracing?

Apple has partnered with Google to develop contact tracing technology in the form of a programming interface that COVID-19 contact tracing apps can use. The application programming interface (API) will be available to public health authorities and governments to develop their COVID-19 tracing apps.

Apple and Google’s solution uses Bluetooth technology. Phones emit low energy Bluetooth signals, and when another phone comes into contact the two phones perform a digital handshake. (It’s similar to the way that Apple is able to trace lost devices for the Find My app.)

Google announced further details about its API on 4 May, making a version of its Exposure Notifications API available via GitHub.

Apple’s APIs (the ExposureNotification framework) arrived on iPhones with iOS 13.5.

This doesn’t mean that a contact tracing app will suddenly appear on your device, nor will local authorities and health care systems necessarily use it.

Both Apple and Google have restrictions in place that mean the apps that use the APIs and the data those apps are able to gather will be limited. Apple emphasises that its solution will be implemented while "maintaining strong protections around user privacy".

How is our data kept private?

Strict rules apply, which should mean that only official apps made by or for health authorities are able to use the data. These apps will have to meet certain privacy, security and data protection requirements - even Apple and Google will have no access to the data.

Google’s Terms of Service for developers indicate that the features may only be used for the purpose of combating COVID-19. The specifications from Apple are not yet known, but will probably be very similar.

There are a number of restrictions on data protection that developers have to accept:

  • The user must be asked for consent and must not be asked for personal data.
  • It must also be possible for the user to uninstall the app and switch off notifications.
  • The collection of data on religion, age, sexual orientation and other social groups is not allowed.
  • There are restrictions when dealing with the data recorded via Bluetooth, most of which should remain on the device - only the diagnostic key can be accessed by the app.
  • No additional data such as device IDs may be requested, only data for the purposes of the app may be collected.
  • Third-party services, such as analytics, may not be integrated.

Apple says it will shut down the system when it is no longer needed and that this can be done on a regional basis.

However, the app is required to provide the user with information about the next steps after contact with an infected person.

When is someone considered a match?

It seems that the decisive factor is the proximity and duration of contact with an infected person.

The health authorities will be able to set the minimum duration themselves, but to be saved as a contact, the user must be in the other person's Bluetooth range for at least five minutes. Longer contacts, up to 30 minutes, are recorded in five-minute increments.

The distance is also recorded; the signal strength of the Bluetooth connection is measured - the stronger the signal, the smaller the distance. It is noted that this is not a very exact distance measurement.

When it comes to protecting data, Google and Apple set high requirements which will be popular with users. However, the health authorities must also agree to the restrictions and in the UK - at least initially - the authorities weren't prepared to abide by Apple and Google’s rules. However, that stance has now changed (more on that below).

Why do we need a COVID-tracing app?

When someone receives a positive test result that indicates they are infected with COVID-19, they are expected to alert contact tracers with details of people they have come into contact with - family, friends and co-workers. Then contact tracers will contact those people to let them know they should self-isolate.

The issue is that if an infected person has visited a grocery store or travelled on a bus, it is a lot harder to locate the people they have come into contact with. In that case the data provided by the phone will help contact tracers locate people who might be infected.

There is a significant difference at this stage between how the Apple/Google version works and how the UK government had hoped their app would work. The Apple/Google version would perform the contact tracing on the iPhone rather than upload the information to a central server, which could be a security risk. Apple and Google's method will protect privacy and lower the risk of data falling into the wrong hands.

Is there a COVID-tracing app in the UK?

In the UK a centralised app was being built by the NHS. This app didn't use Apple and Google’s APIs. It seemed that the UK wanted to be able to have access to the data gathered (which Apple and Google’s APIs wouldn’t allow). The government had said that this would give it a useful insight into how COVID-19 is spreading, but privacy advocates weren't happy.

That app was being tested on the Isle of Wight with a view to being launched at some point in May. However the launch never happened.

Now (as of 18 June) the UK government has decided to ditch its own Coronavirus-tracing app in favour of using the Apple/Google option.

The UK government still intends to launch its own app but this won't happen until later in the autumn and that app may only be used to report symptoms and request a test.

Apparently the original app was able to judge the distance between two users, but wasn’t good at identifying iPhones - it was only capturing details from 4% of iPhones compared to 75% of Android handsets.

The Apple/Google option, on the other hand, logged 99% of Androids and iPhones. However, there are still issues - apparently its distance calculations are weaker.

The UK isn’t the only government to have made an about-turn and decided to switch to the Apple/Google option - Germany, Italy, Denmark, Latvia and Switzerland have done so too.

And a former Apple executive (Simon Thompson) is said to have taken over the project, as reported by the BBC.

The government had wanted a centralised tracing app that would provide data about the infected person's phone and those they came into contact with. The Apple/Google version will only provide data about the infected person's phone, and that will be limited to protect their privacy. In the Apple/Google version the contact matching takes place on the phone itself, while the government had wanted that information to be uploaded to a national database.
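
The on-device matching described above, together with the five-minute duration rule from the section on matches, can be sketched as follows. This is an added example, not Apple's, Google's or the NHS's code: the HMAC-based identifier derivation is a stand-in for the real specification's, and the ten-minute identifier lifetime, the function names and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # assumption: the broadcast identifier changes every 10 minutes

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    # Stand-in derivation (HMAC-SHA256), not the real specification's.
    msg = b"rolling-id" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

def recorded_minutes(total_minutes: int) -> int:
    # Article's rule: under 5 minutes is not saved as a contact; longer
    # contacts are recorded in 5-minute steps, up to 30 minutes.
    if total_minutes < 5:
        return 0
    return min(30, total_minutes // 5 * 5)

def match_on_device(local_log: dict, diagnosis_keys: list) -> list:
    """local_log maps each overheard identifier to (minutes, rssi_dbm) and
    never leaves the phone; diagnosis_keys is the published key list."""
    matches = []
    for key in diagnosis_keys:
        minutes, strongest = 0, None
        # Re-derive every identifier this key could have broadcast that day.
        for interval in range(INTERVALS_PER_DAY):
            seen = local_log.get(rolling_id(key, interval))
            if seen is not None:
                minutes += seen[0]
                strongest = seen[1] if strongest is None else max(strongest, seen[1])
        if recorded_minutes(minutes):
            matches.append((recorded_minutes(minutes), strongest))
    return matches

# Constructed sample data: keys and sightings are made up for the example.
BOB_KEY, CAROL_KEY, DAVE_KEY = bytes(range(16)), b"C" * 16, b"D" * 16
LOCAL_LOG = {
    rolling_id(BOB_KEY, 60): (10, -72),    # Bob nearby for two intervals
    rolling_id(BOB_KEY, 61): (8, -60),
    rolling_id(CAROL_KEY, 90): (3, -55),   # Carol passed by briefly
    rolling_id(DAVE_KEY, 30): (25, -50),   # Dave never reports a diagnosis
}

if __name__ == "__main__":
    # Bob and Carol report a diagnosis; only Bob counts as a contact.
    print(match_on_device(LOCAL_LOG, [BOB_KEY, CAROL_KEY]))
```

The server only ever sees the keys of people who report a diagnosis; the log of who was near whom stays in `LOCAL_LOG` on the phone, which is the difference from the centralised design.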

One advantage of using the Apple/Google solution is that the UK app could work with apps in other countries.

How the COVID-tracing app will work

For the tracing app to work, you’ll be asked to allow Bluetooth and Notifications.

The app uses low energy Bluetooth to perform a digital handshake when your iPhone comes into contact with another device running the app. Then if someone you came into contact with in the past 28 days gets a COVID diagnosis - or reports to the app that they are experiencing symptoms - you will receive a notification.

According to the UK’s National Cyber Security Centre the original app was completely anonymous so you won’t know who got the positive diagnosis. This will also be the case with an app that uses the Apple/Google API.

Should you receive a notification you can then take a test - if you are negative then you won’t have to self-isolate. Similarly if the person who caused the alert eventually tests negative then any restrictions will also be lifted on the other people who had come into contact with them.

The app does not collect any location data - however, in the case of the original NHS app, users would be asked for the first part of their postcode so the NHS could plan its local response. It's not clear if this will be the case with the new app.

This article includes some information from this Macwelt report.