Here’s how it works the API of notification of the exposure of Apple and Google, ensuring privacy

This week Apple has officially released iOS 13.5 to the public. The update includes changes such as enhancements of Face ID for face masks, new features of Apple’s Music and other. Perhaps even more important, however, the update brings the first version of theAPI for notification of exposure developed by Apple and Google. Here’s how it works the function, while preserving the privacy.

How it works

When a user enables the function, and has an app to a public health authority that is installed, the device will regularly send a beacon via Bluetooth, which includes the identifier of the Bluetooth random. When two people are close, their phones, and you will exchange and register these identifiers Bluetooth.

If someone is positive for the test COVID-19, you may report it voluntarily to the application Notification exposure for your region. These screenshots show the developers of the public health authorities as to guide users through the process of reporting positive results for the coronavirus, including a unique identifier of the test:

Also the API of notification of the exposure will download a list of the keys for the beacons that have been verified as belonging to the people confirmed positive for the COVID-19 and verify that list. In the case of a match, the user can be alerted and informed on the next steps. What constitutes an exposure? It is up to the public health agencies to decide, but the API itself includes a minimum of 5 minutes of interaction to be considered a match.

Example: person A and person B spend more than 5 minutes together in a restaurant. During this period, their smartphones, they exchange the identifier Bluetooth anonymous. In the following days the person is positive for COVID-19 and choose to report that a positive test through the app of the notification of the exposure. Person B will then receive a notification that there is written that someone with which has recently reported to be positive for COVID-19.

Public health authorities can determine what are the next steps. If there are many buffers, the app may suggest that person B is put to the test even if it is asymptomatic. If it is not possible to perform a test, the app may suggest that person B controls the symptoms and be tested only manifests a few, in addition of course to self-isolation.

Privacy is a key element of the API for notification of exposure. Perhaps the greatest protection of the privacy of the API of the notification of the exposure is that the location data do not affect their operation. The two companies claim that these applications should also collect the minimum number of data, and that data on the position are not required for this approach is based on the Bluetooth.

Apple and Google have repeatedly pointed out that a large part of the control is in the hands of the same public health authorities. The two companies are providing the API for notification of exposure, and the developer can adapt the details as needed, while preserving the privacy and the requirements of the API.

In fact, the API is only used by public health authorities and can only be used for purposes COVID-19. Not all developers can access this API and implement it in your application. In the long term, the companies say that they are still exploring the possibility of allowing health authorities to send notifications of exposure without the help of an app.

With the release of iOS 13.5 this week, Apple and Google have also claimed to have made further improvements to the privacy of the API of notification of the exhibition:

  • The keys of the temporary exhibition are now randomly generated instead of being derived from a key tracking
  • All of the metadata associated with the Bluetooth are now encrypted to make it more difficult the identification of a person

More details on the API of notification of the exhibition:

  • The entire system is opt-in
  • Other applications for the track of the contacts will be allowed in the App Store; they can adopt the API of Apple and Google, but they must remove all of the functionality of the location services and take pictures of the privacy of the API
  • The trace data of the contacts are stored only on the device of a user
  • The trace data of the contacts are processed only on the device of a user
  • The public health agencies may define what constitutes an event of exposure
  • The public health agencies can determine the number of events of exposure that a person has had
  • The risk of transmission of positives can be taken into account in the definition of an event of exposure
  • The public health agencies can contact users shown on the basis of a combination of APIS and data that users voluntarily choose to enter in the app