Apple, Google release contact tracing API specs, security, accuracy measures: All you need to know
The companies have released technical announcements that support the project goals of helping to curb the pandemic
Apple CEO Tim Cook had mentioned that Apple would be releasing the first version of Apple and Google's joint contact tracing API by next week. Now the tech giants have released more technical details about their efforts, indicating that they are fast-tracking the work.
The changes to the API that Apple and Google will be providing to app developers include stronger encryption standards, more accurate Bluetooth signals etc.
According to Apple and Google, the changes are "the result of meaningful engagement and feedback from key external stakeholders around the world" and the announcements made today mostly revolve around cryptography and Bluetooth specifications in the API.
Apple and Google will be using the Advanced Encryption Standard (AES) instead of the earlier Hashed Message Authentication Code (HMAC). "Many devices have built-in hardware for accelerating AES encryption. This change will help performance and efficiency to avoid slowing down the phones, as we've determined that AES performs better for this application," the companies said.
The metadata associated with Bluetooth will also be encrypted now. This encryption makes it tougher for an app to use that data to identify the person using it.
The companies are also changing the terminology from contact tracing to "exposure notification". Apple and Google believe that the new terminology better demonstrates what the API does.
The API generates a "temporary exposure key" for a device (the phone) when an exposure event is being detected. So, when two phones are near each other and their Bluetooth signals are being used to identify that proximity, the unique id of the phone won't be shared. These keys are going to be generated using a random number generator, which will make it more difficult to predict or identify manually.
Data about who a user has been near and come in contact with is going to be retained on the device for 14 days only. It will be deleted after that. "It doesn't keep track going forward after a person has registered as COVID-19 positive," the companies explained.
The temporary keys that will be generated are anonymised and more difficult to link to a phone's user than the phone's unique id. Also, since the API allows apps to ask for 'exposure time' for users, it will only record this time at five-minute intervals and will cap it at 30 minutes. This will make it easier for the apps to gather exposure notifications more accurately.
Apple and Google are also going to let apps record "power levels" of Bluetooth signals now and developers can specify signal strength. This is important since it lets apps ascertain the distance between two phones better and hence identify exposure events more accurately.
"This will help public health authorities individually define what constitutes an exposure event by setting parameters for radio signal strength and duration that two phones have been in proximity," representatives from the companies said.
Essentially, the Bluetooth signal strength will let an app understand exactly how close two phones are, and this can be combined with the time those two phones have been near each other. These two things together can be used to determine whether the user has been exposed to the virus or not.
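To make the combination of retention, signal strength and duration concrete, here is an added sketch that is not code from Apple, Google or the API itself. It assumes a hypothetical on-device log of sightings, a set of identifiers reported as positive, rounding down to the five-minute step, and threshold values that a health authority would choose.

```python
from dataclasses import dataclass

RETENTION_DAYS = 14   # article: contact data stays on the device for 14 days
INTERVAL_MIN = 5      # article: exposure time is recorded at five-minute intervals
CAP_MIN = 30          # article: exposure time is capped at 30 minutes

@dataclass(frozen=True)
class Sighting:       # hypothetical record of one Bluetooth observation
    rolling_id: str   # random identifier heard from the other phone
    day: int          # day number on which it was heard
    minutes: float    # how long it was heard
    rssi_dbm: int     # received signal strength; closer to 0 means nearer

def reported_duration(raw_minutes):
    """Quantize to five-minute steps (rounding down is an assumption), then cap."""
    return min(int(raw_minutes // INTERVAL_MIN) * INTERVAL_MIN, CAP_MIN)

def prune(log, today):
    """Drop sightings older than the retention window."""
    return [s for s in log if today - s.day < RETENTION_DAYS]

def exposures(log, reported_ids, min_rssi_dbm, min_minutes, today):
    """Map each reported identifier to its coarse exposure time, if it qualifies."""
    totals = {}
    for s in prune(log, today):
        if s.rolling_id in reported_ids and s.rssi_dbm >= min_rssi_dbm:
            totals[s.rolling_id] = totals.get(s.rolling_id, 0.0) + s.minutes
    durations = {rid: reported_duration(raw) for rid, raw in totals.items()}
    return {rid: d for rid, d in durations.items() if d >= min_minutes}

# Constructed sample data, for illustration only.
LOG = [
    Sighting("a1", 100, 12.0, -58),  # near, 12 min
    Sighting("a1", 100, 9.5, -62),   # near, total 21.5 min -> reported as 20
    Sighting("b2", 100, 47.0, -55),  # near, 47 min -> capped at 30
    Sighting("c3", 100, 25.0, -90),  # weak signal, too far to count
    Sighting("d4", 85, 40.0, -50),   # older than 14 days, already deleted
    Sighting("e5", 100, 20.0, -55),  # near, but never reported positive
]
REPORTED = {"a1", "b2", "c3", "d4"}

if __name__ == "__main__":
    print(exposures(LOG, REPORTED, min_rssi_dbm=-70, min_minutes=15, today=101))
```

The cap means an app learns at most "30 minutes" about any one contact, which limits how precisely exposure time can be used to single out a particular meeting.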
Apple and Google have also released a set of FAQs to help people better understand what they are working on and how they intend to proceed.