The Apple/Google contact tracing API

Apple and Google (yes generally understood to be “sworn enemies” 😀 ) jointly developed an API to be used by contact tracing apps and released said API late in May 2020.

Apple and Google’s API follows a decentralized approach, which means that every operation that might involve privacy is carried out on users’ phones, rather than through a central database. At the heart of the concept is the imperative to keep data from being stored, and therefore at risk of being hacked or de-anonymized. Irrespective of the tracing capabilities of the API (some have said the tech is not as reliable as other more intrusive/privacy invading options – seems obvious), the privacy aspect is clear – both Google and Apple have tried to make sure that the API will operate with the minimum amount of privacy concerns as possible.

Apple released the API through the iOS 13.5 update and Google released the API through a Play Store service update (there are certain services on Android phones which are updated through the Play Store rather than through OS updates).

Some Android and Apple users have noticed the new COVID19 options in their devices’ settings areas, and have been concerned about the implications. It’s important to note that the API itself does nothing – it will only ‘start working’ when an app interfaces with the API and uses it. And an app will only use the API if you install the app.

An API makes development of contact tracing apps much easier and cheaper, and this is a very good thing where contact tracing is optional (as it is in most countries). Trying to develop an app from scratch is a big endeavour, as well you now need to do that for 2 platforms. An example of this is the UK having designed their own app from scratch, and reportedly, the app is draining power from iPhones at a rapid rate. This besides the fact that the app is already a month overdue. Note also that the UK’s app is using a centralised approach which raises some serious data privacy questions.

Here’s how it works: a phone running an app that uses the API will periodically use Bluetooth to ping other phones with a random beacon – a string of characters that isn’t connected to the user’s identity information. That beacon changes frequently to increase security, but the phone keeps a list of the beacons that it sends out. It also stores a list of all the beacons that it receives from phones nearby.

If a person tests positive for the virus, they can enter the test result into the public health authority’s app to show it that they’re infected, and give it permission to upload the last 14 days of beacons that their phone has transmitted. Those beacons are stored in the cloud, but they’re the phone’s own. It doesn’t send the beacons that it has collected from other phones.

Each day, phones running an app that uses the API will download a list of beacons from phones whose users have tested positive for the virus. It checks the beacons that it has collected locally from interacting with other phones against that downloaded list. If there’s a match, that’s a good indicator that the user has been in contact with an infected person. No one will know who that is, but the app will notify the user that they’re at risk and tell them what to do next.

All in all, I think this is a pragmatic approach and the best balance between privacy, security and features. As well, Apple and Google having developed the API together means that i* and Android devices can exchange beacons without issue. So compatibility is agreed no matter whether you are an Apple of Google/Android user.

It has however been suggested that you need a usage rate of around 80% for contact tracing to be truly effective. And it’s quite unlikely that we’ll ever get there. So this may all be a theoretical exercise … until the next outbreak.