Earlier today, Apple and Google announced a Bluetooth-based COVID-19 contact tracing platform that could alert people if they’ve been exposed to the novel coronavirus. Contact tracing is a huge component in ending mass pandemic “stay-at-home” orders, and while phone tracking can’t replace traditional methods like interviews, it can supplement them.
Google and Apple are using Bluetooth LE signals for contact tracing. When two people are near each other, their phones can exchange an anonymous identification key, recording that they’ve had close contact. If one person is later diagnosed with COVID-19, they can share that information through an app. The system will notify other users they’ve been close to, so those people can self-quarantine if necessary. Ideally, this means you won’t have to reveal your name, location, or other personal data.
Beyond those basics, though, there are a lot of questions about how people will actually use the system. Here’s what we know so far.
The first phase is app-based, and it starts next month
Apple and Google are launching the program in two phases, starting with an application programming interface (API) in mid-May. This API will make sure iOS and Android apps can trace users regardless of which operating system they’re using. But it will be restricted to official apps released by public health authorities on the iOS App Store and Google Play Store.
During this first phase, you’ll need one of these apps to participate in the program. We don’t know who’s working with Apple and Google right now, or what the apps will look like. It seems likely they’ll be interoperable in some way — in other words, a phone with App A could swap a key with App B, as long as they’re both using the API. We could hypothetically see a national government or lots of small local agencies launch their own apps, or governments could approve something built by an outside party like a university. Google and Apple haven’t publicly nailed down many specifics, so we’ll be watching for those in the coming weeks.
No matter what the apps look like, you’ll have to proactively add them to your phone, which will almost certainly reduce how many people use them. But in the months after they launch, Google and Apple will be working on a more permanent solution.
The second phase adds opt-in tracking to iOS and Android
Following the API, Google and Apple want to add contact tracing as a core iOS and Android feature. The method is a little vague for now, but the goal is that you’d opt in through something like your phone settings. This would turn on the digital key-swapping without requiring a third-party app. Then, if you’re exposed, your phone would signal this somehow and urge you to download an app for more information.
This raises a few questions. We don’t know much about that handoff process, for instance: do you get a vague pop-up notification, or something with more detail? We’re also not sure how Android’s fragmented ecosystem might complicate the release. Google could plausibly push a fast update through the Play Store instead of waiting for carriers to roll it out, but it would still be dealing with huge variations in hardware capability. We also don’t know if individual government apps might ask for more invasive permissions like location tracking — even if Google and Apple’s core system doesn’t use it.
If you’ve got a phone without Bluetooth LE, of course, none of these apps will work. But iOS has included support since the 2011 iPhone 4S, and the Android platform added support in 2012. So unless you’ve got a very old phone, you’re probably all right.
What happens if you’re infected?
If you test positive for COVID-19, the system is supposed to upload your last 14 days of anonymous “keys” to a server. Other people’s phones will automatically download the key lists, and if they have a matching key in their history, they’ll get an exposure notification.
The app will need to make sure people are really infected, though — otherwise, a troll could cause chaos by falsely claiming to have COVID-19. We don’t know exactly how this will work. COVID-19 tests are currently administered by professionals and logged with health authorities, so perhaps Apple and Google could piggyback on that process to validate the tests. But it’s a huge issue, and they’ll need a satisfactory answer.
Either way, sharing your keys is supposed to be voluntary. That seems to mean actually approving an upload, not just granting blanket consent when you install the app — but the exact process is another thing we’re waiting to see.
What happens if you’re exposed?
If people share their data as described above, your phone will check the list once a day and look for key matches, then notify you if it finds one. Google’s sample alert is pretty simple: it just reads, “You have recently been exposed to someone who has tested positive for COVID-19,” and offers a link with more information. That information will be provided by whichever health authority is offering the app, and we don’t know what it might include — although at the very least, it will probably explain COVID-19 symptoms and self-quarantine guidelines.
Exposure isn’t a simple binary process: the more time you’ve spent with an infected person, the greater the risk. The documentation includes references to duration measured in 5-minute intervals. It could theoretically send that information to users directly, or it might offer a general risk assessment without an exact number, which would provide a greater level of anonymity.
As we’ve said before, none of this replaces traditional contact tracing interviews. Done right, though, it could add a platform-level system that’s easy to use and doesn’t overly compromise privacy. We’re just still waiting on a lot of details about how that will work.