[Update 4: Beta APIs Available] Google and Apple announce the Contact Tracing API and Bluetooth spec to warn users of COVID-19

Due to the ongoing threat posed by SARS-CoV-2, Google and Apple have teamed up to announce a new API and Bluetooth Low Energy specification called “Contact Tracing.” The idea behind contact tracing is to inform users if they’ve recently been in contact with someone who has been positively diagnosed with COVID-19. South Korea and Taiwan have successfully “flattened the curve,” as in they’ve limited the number of new cases to fall below the capacity of their healthcare systems, by implementing widespread testing and contact tracing. According to the Associated Press, several countries in Europe including the Czech Republic, the U.K., Germany, and Italy are developing their own contact tracing tools. Apple and Google hope to empower nations and medical organizations around the world with the ability to trace the spread of the novel coronavirus, but the two companies also recognize the potential privacy concerns with this pandemic containment method. That’s why the two companies have created the new API and Bluetooth spec “with user privacy and security central to the design.”

Google and Apple published blog posts and documents that outline their goals to roll out a new API and Bluetooth LE service. Due to urgent need, both companies are tackling this problem in two stages. First, in May, both companies will release an API that “[enables] interoperability between Android and iOS devices using apps from public health authorities.” These apps will be made available for users to download on the Google Play Store and Apple App Store. On Android, the API will likely become available for apps through an update to Google Play Services. Second, in the next few months, both Google and Apple will add support for a new Bluetooth Low Energy service into Android and iOS. For iOS, this new BLE service will likely come via an OS update, while for Android, this service will likely be added as part of another update to Google Play Services. Google says that adding a Bluetooth LE Contact Tracing service “is a more robust solution than an API and would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities.”
Once an app integrates the new API or the BLE specification has been integrated, Android and iOS users can receive notifications if they’ve recently been in contact with someone who has been diagnosed with COVID-19. Notably, the BLE solution will not require the user to have an application installed (presumably they just need Google Play Services), but if they choose to install one of the official apps, then the app can inform them on the next steps to take after they receive a notification. This will allow users to decide if they need to self-quarantine for 14 days or to seek testing and further medical intervention. Here is an example flow of what Google and Apple envision will be possible with this new Bluetooth LE service:

An overview of COVID-19 contact tracing using Bluetooth Low Energy. Source: Google/Apple.

Here is what Google says about how they designed the new Android Contact Tracing API to protect user privacy and security:

Apps calling the API via the startContactTracing method are required to get user consent to start contact tracing. If this is the first time the API is being invoked, the user will be shown a dialog asking for permission to start tracing.
In order to be whitelisted to use this API, apps “will be required to timestamp and cryptographically sign the set of keys before delivery to the server with the signature of an authorized medical authority.” In other words, unauthorized COVID-19 apps will not be allowed to use this API.
If the user uninstalls the app, the stopContactTracing method “will be automatically invoked and the database and keys will be wiped from the device.”
The user, after having confirmed a positive diagnosis of COVID-19, must grant explicit consent to upload 14 days of daily tracing keys. A dialog will be shown to the user if the app calls the startSharingDailyTracingKeys method.
Users will be shown what date and for how long they were in contact with a potentially contagious person, down to increments of 5 minutes, but not who or where the contact occurred.

Here is how the new BLE Contact Detection Service will protect user privacy and security:

The spec does not require the user’s location or any other personally identifiable information. Location-use is completely optional and is only done after the user provides explicit consent.
Rolling Proximity Identifiers are changed every 15 minutes on average, which makes it “unlikely that user location can be tracked via Bluetooth over time.”
Proximity identifiers retrieved from other devices “are processed exclusively on device.” This means that the “list of people you’ve been in contact with never leaves your phone.”
It’s up to the user to decide if they want to contribute to contact tracing. Users who are diagnosed with COVID-19 must consent to sharing Diagnosis Keys with the server. There will be transparency about the user’s participation in contact tracing, and “people who test positive are not identified to other users, Google, or Apple.” In fact, this information “will only be used for contact tracing by public health authorities for COVID-19 pandemic management.”
In case you’re wondering, the Content Detection Service should not significantly drain the battery of a device if the hardware and the OS support “Bluetooth controller duplicate filters and other [hardware] filters” to “account for large volumes of advertisers in public spaces.” Scanning is “opportunistic,” meaning it can occur within existing wake and scan window cycles, but will also occur at a minimum of every 5 minutes.

Because the new Contact Tracing specs are designed with user privacy and security in mind, it’s debatable how effective they’ll be at limiting the spread of COVID-19. According to The Verge, such opt-in, non-invasive contact tracing measures may have limited effectiveness. The issues boil down to a lack of widespread adoption by the population and a potentially large number of false-positive Bluetooth proximity events. Still, I hope this new initiative is successful. It’s rare to see Google and Apple collaborate on anything, but desperate times call for desperate measures.
Sources: Google Blog Post, Overview of COVID-19 Contact Tracing, Contact Tracing BLE Spec, Contact Tracing Cryptography Spec, Android Contact Tracing API Spec

Update 1: More Details

In a conference call with reporters, Google and Apple clarified some points about the upcoming Contact Tracing API (rolling out in mid-May as part of “phase 1”) and BLE Contact Detection Service (rolling out later this year as part of “phase 2”). According to TechCrunch and Axios, both the Contact Tracing API and the BLE Contact Detection Service will be available on Android devices following updates to Google Play Services—so long as the Android smartphone is running Android 6.0 Marshmallow. Users will not need to manually update their devices or even update their OS since updates to Google Play Services happen silently in the background through the Google Play Store.
Although the introduction of BLE Contact Detection Service means that users won’t need to install an application to partake in contact tracing, Google says that users will still be prompted to download a relevant public health app if a positive contact event has been detected. This will help users determine the next steps they should take. Apple notes that while data, after being processed locally on-device, may be “relayed” to servers run by public health organizations around the world, there will not be a centralized data server. This will make it difficult for any government or other malicious actor to conduct surveillance. According to Axios, countries can run their own servers or use ones from Apple and Google. To prevent people from submitting false positive diagnoses, Apple and Google are working with public health organizations on a way to confirm diagnoses.
With the confirmation that Google will bring Contact Tracing to Android devices via updates to Google Play Services, what will happen to the millions of devices without Google Mobile Services? I’m referring, of course, to the millions of devices in China and the newer smartphone releases by Huawei and Honor. According to The Verge, Google “intends to publish a framework that those companies could use to replicate the secure, anonymous tracking system developed by Google and Apple.” Thus, it’s up to third-parties to decide whether they want to use that system. Google did not confirm if its Contact Tracing framework will be open-sourced, but they did say they will offer code audits to companies that want to adopt the system.

Update 2: Initial Rollout, Huawei Involvement

Originally planned to go live in “mid-May,” it looks like Apple and Google’s Contact Tracing timeline has moved up. According to Thierry Breton, the European Commissioner for internal market, Phase 1 of the plan will go live on April 28th. This information was given to Mr. Breton by Apple CEO Tim Cook.
Phase 1 of Contact Tracing is all about APIs. These APIs will be used by developers who are working on behalf of public health agencies, not third-party applications. The APIs will be made available through an update to Google Play Services and most devices with Android 6.0+ and Bluetooth Low Energy can support Contact Tracing.
Of course, recent Huawei and Honor devices do not have Google Play Services, but many older devices still do. TechRadar confirms that these older devices, which do not include the Huawei Mate 30, P40, Honor V30, and others, will be included in the rollout. As for the other Huawei/Honor devices, the previous article update stated that Google “intends to publish a framework that those companies could use to replicate the secure, anonymous tracking system developed by Google and Apple.”
Source 1: Les Echos | Via: TechCrunch | Source 2: TechRadar

Update 3: More Privacy Protections

Apple and Google are now referring to the Contact Tracing plan as “Exposure Notification,” which they say is a better description for the purpose of the tool. We also have some more information about how health authorities can fine-tune the API and the privacy protections that will be in place.
The API uses Bluetooth to detect if you’ve been in the vicinity of others who have tested positive, but that has the potential to be inaccurate (detecting people who weren’t close enough or behind a wall). The API will share the strength of the Bluetooth signal so health authorities can set their own threshold for what constitutes a “contact event.”
The API will share how many days have passed since an individual “contact event.” It will not share the precise length of time the two people were in contact. Rather, it will only share estimates of exposure time, from a minimum of 5 minutes to a maximum of 30 minutes, in increments of 5 minutes. Health authorities can use this information to alter their guidance to users based on how long ago the event was.
Bluetooth metadata will be encrypted to protect against it being used to track individuals in reverse identification attacks. This metadata includes signal strength and other information. The encryption algorithm is being changed to AES from HMAC that they were using before. AES encryption can be accelerated on many mobile devices, making the API more power-efficient.
Lastly, the keys used to trace potential contacts are now randomly generated rather than being derived every 24 hours from a “tracing key” that is permanently tied to a particular device. This gets rid of the chance that an attacker with direct access to a device can figure out how keys are generated from the tracing key, though that is very, very difficult to do already.
Source 1: Axios | Source 2: Bloomberg | Source 3: TechCrunch