CDC contact tracing criteria give nod to Apple-Google approach

In its publication, titled "Preliminary Criteria for the Evaluation of Digital Contact Tracing Tools for COVID-19" (PDF link), the CDC details guidance on "minimum" and "preferred" criteria to be implemented in contact tracing apps and platforms. The information was pulled from "preliminary research" and discussions with contact tracing and informatics experts.

As noted by CNBC, the CDC recommends organizations rely on the "PACT" protocol to facilitate bidirectionally anonymized Bluetooth-enabled proximity tracking. Apple and Google took inspiration from PACT, an open-source protocol developed with help from the Massachusetts Institute of Technology, when developing their joint exposure notification APIs.

In addition to anonymous reporting and notifications, preferred tools can be configured for real-time synchronization of data with public health authorities, support data export when opt-in consent is received, provide automated reminders to exposed contacts, support OAuth-secured programmatic data transfer, and allow users the ability to delete or revoke consent at any time. Further, the CDC recommends an open source architecture with offline data entry and cross-platform compatibility, much like Apple and Google's project.

Similar to other methods currently under evaluation around the world, the Apple-Google initiative seeks to track the spread of a disease, in this case COVID-19, by maintaining a history of who an infected person has come into contact with over set a period of time.

Importantly, the system allows for anonymous automated notification based on history of proximity to an index patient, or someone who has tested positive for the virus. Opt-in participation, secure local databases and anonymized device identifiers work together to create a secure, private platform for proximity-based notifications.

A key aspect of the Apple-Google solution is decentralization, with users able to store gathered contact information — anonymized Bluetooth identifiers — on their phones and compare that data against up-to-date exposure broadcast keys pulled from a PHA server. Those keys come from infected users who elect to upload a list of their recent contacts, which are held for a 14-day period.

Some countries, like the U.K., France and Norway, are pushing for a centralized network that stores user information on a server maintained by government authorities. Others, like Germany and Italy, are on board with the Apple-Google format.

The CDC falls short of recommending one method over another and instead suggests what appears to be a hybridized system. For example, the minimum criteria for contact follow-up notes PHAs should be able to "initiate direct, manual follow-up with known contacts," suggesting a centralized solution. However, as CNBC notes, the aforementioned contact notification criteria stresses implementation of an "anonymous automated notification" feature that would see integration in a decentralized method.

Along with the CDC outline, Apple and Google's system might soon face regulatory hurdles under the Consumer Data Protection Act, a proposed bill that aims to "provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data."

Apple and Google this week released initial APIs for their exposure notification system ahead of a public launch in mid-May.