Apple and Google evolve Exposure Notification to boost privacy, enhance encryption
Apple and Google have refined technical details surrounding the joint COVID-19 exposure notification effort, with the pair releasing not just a FAQ for consumers, but also updating cryptography, Bluetooth communications, and the API framework for developers.
One method to help curb the spread of the coronavirus pandemic is contact tracing — now also called exposure notification — that informs users if they may have been exposed to an infected person. Apple and Google teamed up on April 10 to develop a joint standard to accelerate adoption and interoperability.
Despite both companies stressing that privacy would be protected, the plan raised concerns among US and EU authorities. On Friday morning, Google and Apple jointly announced the changes they have made and published further technical detail on the protocol.
Bluetooth use in COVID-19 contact tracing
The pair have made a number of changes to how devices communicate under the protocol. The latest revision includes the transmit power level of the Bluetooth signal broadcast by an infected user's phone. Combined with the received signal strength data already available to the receiving phone, this allows a more accurate estimate of the distance between two phones.
Developers can specify signal strength and duration thresholds to trigger an exposure event. For instance, two phones could connect while stationary at a stoplight. The likelihood of exposure is low in this case, assuming windows are closed, so this could be either communicated to the user, or dismissed by the code.
The maximum reported duration for Bluetooth signal strength is limited to 30 minutes to help protect the privacy of the infected person.
Encryption in Apple & Google's exposure notification
Previously, the contact tracing protocol used HMAC. Friday's technology update changes that to AES, which lets the protocol use the hardware AES acceleration already present on many devices.
Apple notes that testing has shown that AES performs better in this particular application of the technology. The companies both note that the change will also help mitigate the performance impact they were seeing from HMAC.
Furthermore, temporary tracing keys are now randomly generated rather than derived. This makes it more difficult for attackers to reverse engineer how the keys are produced.
Metadata, like the aforementioned Bluetooth transmit power, will also be encrypted. This will make building "fingerprints" of individual users much more difficult.
Other changes to the effort
Apple also notes that the framework keeps track of people you have been in contact with for the prior 14 days. It doesn't keep track after a person registers as COVID-19 positive.
The app version can also tell the user how long it has been since the last exposure. This can also assist in educating the user on when symptoms might occur.
And, the app can now clear the full history of the information stored on the phone related to exposure notification at the user's request. It isn't clear if this applies to a phone belonging to someone who is positive for COVID-19, however.
Consumer FAQ for exposure notification
The FAQ details specifically how the system works for users, and how often it is updated. What wasn't specifically clear before is how often the data updates.
The system updates data "at least once per day" by downloading a list of temporary tracing keys that have been confirmed to be associated with users positive for COVID-19. This data comes from what Apple calls the "relevant public health authority."
The comparison of the downloaded data to the contacts is done on-device. If there is a match between the beacons, the user will be notified, and advised on steps to take.
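The on-device matching described above, together with the signal-strength and duration thresholds from the Bluetooth section, can be sketched in code. The following Go program is an added example written for this page; it is not Apple's or Google's code. It assumes the identifier derivation of the published cryptography specification (an AES-128 block over "EN-RPI" plus the interval number, keyed by an HKDF-derived key); the exact padding layout, the threshold values, the diagnosis key and the heard beacons are all constructed here for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TEK is a Temporary Exposure Key: the per-day secret an infected user chooses
// to publish. The list a phone downloads from the health authority is TEKs.
type TEK struct {
	Key           [16]byte
	RollingStart  uint32 // first 10-minute interval number the key covers
	RollingPeriod uint32 // number of intervals covered (144 = one day)
}

// Beacon is one advertisement this phone heard and kept locally.
type Beacon struct {
	RPI      [16]byte
	Interval uint32 // 10-minute interval in which it was heard
	TxPower  int8   // dBm, carried in the advertisement's encrypted metadata
	RSSI     int8   // dBm, measured by the receiving phone
}

// ExposureConfig holds the thresholds an app developer supplies.
type ExposureConfig struct {
	MaxAttenuationDB int // a beacon attenuated less than this counts as close
	MinDurationMin   int // close-contact minutes needed to raise an exposure
}

const maxReportedMinutes = 30 // the protocol caps the duration it reports

// hkdfSHA256 derives outLen bytes from ikm (HKDF extract with an empty salt,
// then expand) using only the standard-library HMAC.
func hkdfSHA256(ikm, info []byte, outLen int) []byte {
	ext := hmac.New(sha256.New, nil)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < outLen; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:outLen]
}

// rollingProximityID derives the 16-byte beacon payload for one interval:
// RPIK = HKDF(TEK, "EN-RPIK"); RPI = AES-128(RPIK, "EN-RPI" || 6 zero bytes ||
// interval as little-endian uint32). The exact layout is an assumption here.
func rollingProximityID(key [16]byte, interval uint32) [16]byte {
	block, err := aes.NewCipher(hkdfSHA256(key[:], []byte("EN-RPIK"), 16))
	if err != nil {
		panic(err) // cannot happen for a 16-byte key
	}
	var padded, rpi [16]byte
	copy(padded[:], "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], interval)
	block.Encrypt(rpi[:], padded[:])
	return rpi
}

// MatchExposure expands each downloaded key into its RPIs, looks them up in the
// locally stored beacons, and counts the 10-minute intervals in which a close
// (low-attenuation) match was heard. It returns the reported minutes, capped at
// 30, and whether the configured threshold was crossed. Nothing leaves the device.
func MatchExposure(downloaded []TEK, heard []Beacon, cfg ExposureConfig) (int, bool) {
	byRPI := make(map[[16]byte][]Beacon) // lookup instead of a full scan
	for _, b := range heard {
		byRPI[b.RPI] = append(byRPI[b.RPI], b)
	}
	closeIntervals := make(map[uint32]bool) // dedupes repeated beacons in one interval
	for _, tek := range downloaded {
		for i := uint32(0); i < tek.RollingPeriod; i++ {
			interval := tek.RollingStart + i
			for _, b := range byRPI[rollingProximityID(tek.Key, interval)] {
				attenuation := int(b.TxPower) - int(b.RSSI) // dB lost over the air
				if b.Interval == interval && attenuation < cfg.MaxAttenuationDB {
					closeIntervals[interval] = true
				}
			}
		}
	}
	minutes := 10 * len(closeIntervals)
	if minutes > maxReportedMinutes {
		minutes = maxReportedMinutes
	}
	return minutes, minutes >= cfg.MinDurationMin
}

// ConstructedScenario builds sample data (not real keys or captures): one
// diagnosis key for a day, four close encounters, one distant drive-by at a
// stoplight, and one beacon from an unrelated phone.
func ConstructedScenario() ([]TEK, []Beacon) {
	tek := TEK{RollingStart: 2647152, RollingPeriod: 144} // interval around 1 May 2020
	for i := range tek.Key {
		tek.Key[i] = byte(i * 7) // constructed, deterministic
	}
	var heard []Beacon
	for n := uint32(8); n < 12; n++ { // four consecutive close intervals, 50 dB attenuation
		heard = append(heard, Beacon{rollingProximityID(tek.Key, tek.RollingStart+n), tek.RollingStart + n, -10, -60})
	}
	far := rollingProximityID(tek.Key, tek.RollingStart+20) // 80 dB attenuation: too far
	heard = append(heard, Beacon{far, tek.RollingStart + 20, -10, -90})
	heard = append(heard, Beacon{[16]byte{0xAA}, tek.RollingStart + 30, -10, -55}) // never matches
	return []TEK{tek}, heard
}

func main() {
	keys, heard := ConstructedScenario()
	mins, exposed := MatchExposure(keys, heard, ExposureConfig{MaxAttenuationDB: 60, MinDurationMin: 15})
	fmt.Printf("close contact: %d min (capped), exposure raised: %v\n", mins, exposed)
}
```

The four close encounters total 40 minutes but are reported as 30, the cap the article describes, while the stoplight beacon fails the attenuation threshold and the unrelated phone's identifier never matches any expansion of the downloaded key. Only the published keys are ever expanded; the identifiers this phone heard are never uploaded.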
Apple is also clearer on how the system will roll out. Apple and Google will make APIs available in May, allowing apps from public health authorities to be developed for release.
The second phase will integrate the capability into the Android and iOS operating systems. After the update is installed, the user must opt-in to the system. Following the opt-in, the device will listen for Bluetooth beacons and not require an app to be installed to do so.
If a match is detected, the user will be notified by the operating system. The user will then be prompted to download an official app, before they are advised on follow-up steps to take.
Also, perhaps in response to security researchers' concerns, coupled with governmental queries and demands for accountability, Apple has detailed the specific steps the system takes to protect user privacy and security, and where the data is stored.
Specific measures that the Apple and Google Exposure Notification system take to protect privacy and security
- Users need to opt-in to the system
- Users can turn the system off at any time
- The system does not collect location data
- Identities of users are not shared with others
- Beacon IDs rotate between 10 minutes and 20 minutes to help prevent tracking
- Exposure notification data is local to the device and not shared or uploaded
- Apple and Google can disable the system on a regional basis when no longer needed
- Access to the technology platform will only be granted to public health authorities
Apple and Google released draft specifications of the underlying technology on April 10. Documentation available includes the Bluetooth specification that will be used to track the spread, the cryptography specification, and a framework API. Apple notes that the trio of documents are subject to modification and extension.
"Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders," Apple and Google said during the initial release. "We will openly publish information about our work for others to analyze."
Apple has already partnered with the CDC to provide a public COVID-19 iOS app, which contains advice on checking for symptoms, plus self-care tips. The app is available across the US, and the majority of its advice is for users in all states. However, Apple has also added state-specific sections which provide access to their regional health departments' coronavirus pages.
The existing Apple COVID-19 app without contact tracing is available for iPhone and iPad. That app presents advice for users on such subjects as detecting symptoms, and the same information is also available separately on Apple's COVID-19 website, which is also being regularly updated.