Recently, my colleague authored a resource (the 101 version of this “course,” for the academically inclined) to answer questions about European COVID-19 proximity tracing and exposure notification applications and to construct a best-practices framework for such apps. Now, we pivot our focus to the United States, where efforts to rally behind a unified digital contact tracing regime gained momentum in recent weeks. That’s largely due to Apple and Google’s announcement last month that the two companies joined forces to create a unified exposure notification application programming interface (API) that will be interoperable between Apple iOS and Google Android devices. The joint venture marked a turning point in the United States’ quest to coalesce around a single approach to digital contact tracing, which had previously been muddled by duplicative and often discordant efforts.

With the Apple and Google framework now enjoying the lion’s share of attention, congressional leaders on both sides of the aisle have stepped in with guidelines for how to manage the privacy risks inherent to digital contact tracing efforts.  With that in mind, we believe now is a good time to assess the Google and Apple approach from a privacy standpoint and answer some questions about the path ahead in the United States.

What exactly are Apple and Google proposing?

Apple and Google have built an interoperable API to allow third-party developers to create mobile applications that notify users when they have crossed paths with someone who has tested positive for COVID-19. The idea is that users can voluntarily download the app and then, if they receive a positive diagnosis confirmed by a partnering public health authority, can choose to share their diagnosis, anonymously alerting those who recently came near them. Conversely, app users will receive notifications if they were in close proximity to someone who tested positive for COVID-19.

The two companies believe that by joining forces, they can leverage widespread use of their products (together, iOS and Android comprise approximately 98 percent of the U.S. smartphone operating system market) to reach a greater number of individuals than either company, or any other entrant, could alone. Together, the companies hope to achieve the mass uptake of digital contact tracing apps that some public health officials believe can help flatten the curve in a more expeditious manner.

How will it work?

The Apple and Google proposal adopts the decentralized approach described in Proximity Tracing 101. Once installed, the application will use a device’s Bluetooth capabilities (instead of any geolocation data) to periodically send out, and listen for, a Bluetooth beacon with a random identifier that other nearby devices with the app installed will send out and listen for as well. For a phone to register a beacon from another device, the two devices will need to remain within a certain distance for a certain amount of time (these thresholds are to be set by the issuing public health authority). If the phones satisfy these thresholds, the random identifier from the other phone will be logged and stored on the device. In order to preserve privacy, the random identifier linked to a device will change every 10 to 20 minutes so that there is no way to track a device over time using a single identifier.

In addition to scanning for nearby Bluetooth beacons, a device with the app downloaded will periodically query a centralized database with the list of identifiers known to belong to individuals who have tested positive for COVID-19. If any of those identifiers match an identifier stored on the device, the device holder will receive a notification alerting them that they have crossed paths with someone who has tested positive.

Importantly, Apple and Google do not intend to build their own exposure notification apps. Instead, they plan to make their back-end technology available to local public health authorities to build their own applications that users in each locality would then voluntarily download to their devices.  Developers will need to agree to the terms of service Apple and Google offer in their respective app stores and will be prevented from requesting user contact lists or background access to location data.

What are the limitations?

First, some experts don’t believe that contact tracing apps, even using capabilities provided by both Apple and Google operating systems, will reach the requisite number or highest-risk groups of people. Second, while most experts seem to approve of the privacy-protective features of the software, some are worried that the data will be too anonymized for use by public health authorities. There are also questions regarding the efficacy of Bluetooth itself, which can be spotty even in perfect conditions. Bluetooth can be interrupted by physical barriers or competing frequencies, even though the latter would not bear on transmission of the virus.

Both companies readily admit that digital exposure notification apps are not meant to replace in-person contact tracing. However, the digital approach can help supplement traditional, in-person contact tracing in a few important ways. For instance, the app can help in circumstances where you might have been exposed to a stranger who had contracted COVID-19 or where you might have gone out in public after unknowingly contracting the virus yourself. Normally, people wouldn’t maintain a log of all the strangers they pass on the street, making traditional contact tracing and notification impossible for these types of situations. Digital contact tracing allows for automation of these difficult aspects of in-person contact tracing, providing public health authorities one more weapon in their arsenal of preventative measures, though with some important caveats to bear in mind.

What happens next?

Apple and Google have just publicly released the finalized API, meaning app development can now begin in earnest. The number of public health authorities that ultimately take up the offer and the speed with which they can build and release these apps to the public remains to be seen.

In the meantime, Republicans in the Senate and Democrats in both chambers have introduced competing measures that would fill the privacy gaps in current law. Each of the bills would cover companies like Apple and Google who collect and process health information as part of digital contact tracing efforts and would require apps that collect COVID-19 related health data to operate on an opt-in basis, limit the information collected to that which is relevant to the COVID-19 pandemic, and create limitations on certain other uses of that data. Unfortunately, the sticking points between these privacy measures continue to be the private right of action and federal pre-emption, in addition to a handful of key differences in the purpose limitations that adhere to certain types of information.

Despite this, ACT | the App Association views the introduction of competing measures as a positive development in efforts to create responsible guardrails for digital contact tracing and exposure notification apps and to further general privacy legislation discussions.  We welcome robust debate on COVID-related privacy and will continue to engage with congressional leaders as they work through the differences in these two bills.