In the wake of the COVID-19 pandemic, Apple and Google released a Privacy-Preserving Contact Tracing framework, including a Bluetooth specification, cryptography specification, and framework API. This framework aims to create a secure way of performing contact tracing at scale using mobile phones, while still adhering to privacy concerns.

For an in-depth technical evaluation of the framework, I defer to the above link. After reviewing the spec, I highlight and answer common questions non-tech people may ask, provide an overview of the proposed framework, and raise a few outstanding questions of my own.

Common Questions about Contact Tracing

What is Contact Tracing? Contact Tracing is the process of identifying people an individual has previously come in contact with. This can be used in public health to identify an infected individual's historical exposure to other people, who may now be infected due to previous contact with a known infected person.

• For COVID-19, How Will Contact Tracing Be Implemented? Google and Apple's proposed contact tracing framework would work on mobile phones, where a user would likely install and enable a contact tracing app.

• How does the App Know a User Has Encountered an Individual who has Tested Positive for COVID-19? When two users who are both using a contact tracing app come within 10 feet or less from each other, their phones exchange anonymous data. This data is stored for 14 days and repeatedly checked against a contact tracing database of known COVID-19 cases. If a user tests positive for COVID-19, they update their status in the app and users who have come in contact with them can be alerted.

• Is it Possible to Securely and Anonymously Perform Contact Tracing? Yes. Apple and Google's proposed solution does not link an individual's identity or mobile phone to contact tracing data.

• Why Should a User Contact Trace? Contact tracing will allow users to be notified if they have come in contact with a COVID-19 positive individual.

• What Data will be Shared? Anonymous data is shared directly with other mobile phones within 10 feet or less. If a user tests positive for COVID-19, they change their status in the app, which is uploaded to a central server. This data is all anonymous and cannot be linked to the individual or their mobile device.

• How Much Will it Cost? While no number has been proposed, a contact tracing app would likely be free.

• When Will a Contact Tracing App be Released? No release date has been proposed by Apple and Google.

Privacy-Preserving Contact Tracing Framework Overview

Apple and Google's proposed framework uses Bluetooth Low Energy (BLE) beacons to broadcast a unique identifier to other people (i.e. devices) in the area. These beacons contain a Rolling Proximity Identifier unique to an individual. An individual's identity is protected by requiring these identifiers to change every 10-20 minutes, and the identifier's value is created using inputs known only to the individual.

A user stores a record of every identifier they encounter, and periodically checks a server in the cloud for Diagnosis Keys, which are keys associated with an individual diagnosed with COVID-19. Using a Diagnosis Key, a user can recreate every Rolling Proximity Identifier the COVID-19 diagnosed user has broadcasted, and check if any keys of the infected individual have been seen by the device. If the diagnosed user's identifier has been seen, that indicates previous contact with a now-diagnosed COVID-19 individual.

This process requires users to inform the system if they have been diagnosed with COVID-19. Privacy is maintained through this process by the COVID-19 diagnosis only being associated with diagnosis Diagnosis Keys, which have no link to a user's device or a user's identity.

Outstanding Questions that Need to be Answered

• Will a Contact-Tracing App be Mandatory to Install? If only a subset of the population performs contact tracing, the system falls apart.

• How will the System Handle False Diagnosis Claims? What prevents a user from falsely claiming they were diagnosed with COVID-19, potentially forcing those they have come in contact with to unnecessarily quarantine? On a similar note, how does the system handle false positives from COVID-19 tests? Is there a process for reverting a diagnosis within the contact tracing framework?

• What Should a User do With a Positive Test Notification? Will guidance be provided on how to self-quarantine based on a person's exposure?

• Will BLE Signal Strength Be Taken into Account? Apple and Google's framework allows for metadata collection such as BLE signal strength when two nearby phones exchange data. Will this signal strength be used as an indication for how close a person came in contact with an infected individual?

It's a relief to see the two best-positioned mobile OS makers undertake a privacy-focused framework that has never been more relevant. The privacy considerations in this proposed solution are significantly different from the contact tracing that has been performed in China and South Korea, where a user's privacy has been disregarded for the moment. In Apple and Google's proposed framework, contact tracing can be done. The biggest challenge will be convincing users to use it.

Additional Resources

• Privacy-Preserving Contact Tracing

• Safe Paths: A privacy-first approach to contact tracing

• Covid Watch

• Security Now #762: Contact Tracing

• A ‘travel log’ of the times in South Korea: Mapping the movements of coronavirus carriers