You’ve probably heard a lot about COVID tracking apps and how our phones will be able to alert us if we have been near someone who’d had a diagnosis of COVID-19. What you may be wondering is whether your privacy will be forfeited in order for these apps to work and whether there will soon be an app on your phone that you will be expected to use. Here’s some clarity.
What is Apple doing to help COVID tracing
Apple has partnered with Google to develop contact tracing technology for a programming interface that can be used by COVID-19 contact tracing apps. The application programming interface (API) will be available to public health authorities and governments to develop their COVID-19 tracing apps.
Apple and Google’s solution uses Bluetooth technology. Phones emit low energy Bluetooth signals and when another phone comes in to contact the phones will perform a digital handshake. (It’s similar to the way that Apple is able to trace lost devices for the Find My app).
Google announced further details about its API on 4 May making a version of its Exposure Notifications API available via Github.
Apple’s APIs (the ExposureNotificationFramework) are already available for developers and public beta testers and are likely to arrive on your iPhone with iOS 13.5 very soon.
This doesn’t mean that a contact tracing app will suddenly appear on your device, nor will local authorities and health care systems necessarily use it.
Both Apple and Google have restrictions in place that mean the apps that use the APIs and the data those apps are able to gather will be limited. Apple emphasises that its solution will be implemented while "maintaining strong protections around user privacy".
How is our data kept private?
Strict rules apply, which should mean that only official apps made by or for health authorities are able to use the data. These apps will have to meet certain privacy, security and data protection requirements - even Apple and Google will have no access to the data.
Google’s Terms of Service for developers indicates that the features may only be used for the purpose of combating COVID-19. The specifications from Apple are not yet known, but will probably be very similar.
There are a number of restrictions on data protection that developers have to accept:
- The user must be asked for consent and must not be asked for personal data.
- It must also be possible for the user to uninstall the app and switch off notifications.
- The collection of data on religion, age, sexual orientation and other social groups is not allowed.
- There are restrictions when dealing with the data recorded via Bluetooth, most of which should remain on the device - only the diagnostic key can be accessed by the app.
- No additional data such as device IDs may be requested, only data for the purposes of the app may be collected.
- Third-party services, such as analytics, may not be integrated.
Apple says it will shut down the system when it is no longer needed and that this can be done on a regional basis.
However, it is required that the app provide the user with information about the next steps after contacting an infected person. As a result apps will be able to provide users with information about the next steps if they have been in contact with an infected person.
When is someone considered a match?
It seems that the decisive factor is the proximity and duration of contact with an infected person.
The health authorities will be able to set the minimum duration themselves, but to be saved as a contact, the user must be in the other person's Bluetooth range for at least five minutes. Longer times up to 30 minutes are recorded every five minutes.
The distance is also recorded; the signal strength of the Bluetooth connection is measured - the stronger the signal, the smaller the distance. It is noted that this is not a very exact distance measurement.
When it comes to protecting data, Google and Apple set high requirements which will be popular with users. However, the health authorities must also agree to the restrictions and in the UK it seems that the authorities aren’t prepared to abide by Apple and Google’s rules.
Is there a COVID tracing app in the UK?
In the UK an app has been built by the NHS. The app is currently being tested on the Isle of Wight and will be launched to the rest of the UK after the testing period has been completed.
The UK app (more information here) doesn’t use Apple and Google’s APIs. It seems that the UK wants to be able to have access to the data gathered (which Apple and Google’s APIs wouldn’t allow). The government says that this will give it a useful insight into how COVID-19 is spreading, but privacy advocates aren’t happy.
For the NHS COVID-19 tracing app to work, you’ll be asked to allow Bluetooth and Notifications.
The app uses low energy Bluetooth to perform a digital handshake when your iPhone comes into contact with another device running the app. Then if someone you came in to contact with in the past 28 days gets a COVID diagnosis - or reports to the app that they are experiencing symptoms - you will receive a notification.
According to the UK’s National Cyber Security Centre the app is completely anonymous so you won’t know who got the positive diagnosis.
You can then take a test and if you are negative then you won’t have to self-isolate. Similarly if the person who caused the alert tests negative then any restrictions will also be lifted on the other people who had come into contact with them.
The app does not collect any location data - however, you will be asked for the first part of your postcode so the NHS can plan your local NHS response.
This article includes some information from this Macwelt report.