Apple and Google are launching a new auto-generated software framework to help states deploy their own contact tracing apps. Developed as an extension of the earlier exposure notification framework, the new system allows public health authorities to avoid the broader development work of launching a standalone app, simply configuring the basic framework to their state’s needs. Existing applications won’t be affected by the new framework, and adopting the framework won’t prevent states from launching more involved apps in the future.
“As the next step in our work with public health authorities on Exposure Notifications, we are making it easier and faster for them to use the Exposure Notifications System without the need for them to build and maintain an app,” Apple and Google said in a statement. “Exposure Notifications Express provides another option for public health authorities to supplement their existing contact tracing operations with technology without compromising on the project’s core tenets of user privacy and security.”
First launched in April, the exposure notification system deployed by Apple and Google left most of the app development work to local public health departments, focusing instead on ensuring privacy and interoperability once notifications were shared. But while 25 states are exploring some kind of app system, only six of those projects have actually launched, in many cases because of the technical burden of building and deploying the app.
“Public health agencies are carrying an extraordinary load in managing the novel coronavirus response,” said Scott J. Becker, CEO of the Association of Public Health Laboratories (APHL), in a statement. “Offering a turn-key solution such as EN Express can greatly reduce their burden and eliminate many of the up-front requirements of building an app and setting up servers.”
The framework allows for interoperability between states, with the ability to notify Virginia app users about exposures from Maryland app users, for example. In July, the APHL launched a national key server to allow more streamlined interoperability between state agencies.
Under the new system, participating health departments will assemble a configuration file, allowing them to set their risk scores, redirect users to their specific health department website, and modify the recommendation for users who have been exposed. Once the configuration is complete, iOS and Android can automatically generate the necessary software, although the two operating systems handle the task differently. In Android, the configuration file will automatically generate a custom Android app, while iOS will incorporate the settings into its OS-level contact system.
The iOS version will be built into iOS 13.7, which is set to deploy on Tuesday. Android is planning to deploy the system later this month to all users with Android 6.0 or higher.
The exposure notification system was initially designed to avoid excess data collection, but the introduction of out-of-the-box apps means slightly more data will be collected by Apple and Google. iOS will still collect general device analytics and crash information (if the users have opted in). The auto-generated Android app will collect de-identified system info including API error calls, but the team says there’s still no collection of data that could identify which specific users have been exposed. Google has also committed to publishing the source code of the auto-generated Android app to enable third-party audits.
Maryland, Nevada, Virginia, and Washington, DC have already committed to deploying the new system, and Maryland Gov. Larry Hogan said in a statement that the new framework will help his state’s ongoing public health efforts. “Exposure Notifications Express will help to save lives, greatly enhance our contact tracing operation, and advance our statewide COVID-19 recovery,” said Hogan in a statement. “We appreciate our collaboration with Apple and Google, and look forward to launching this state-of-the-art technology in Maryland.”
Correction: A previous version of this article stated that the APHL’s national key server had yet to launch. In fact, it launched in July. The Verge regrets the error.