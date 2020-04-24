The health emergency of COVID-19 that suffers the world has put the two great technology companies to work side by side to help world governments to reduce the contagion curve. Nothing more and nothing less than Apple and Google working together to achieve a method of notification of exposure to the disease, using the mobile technology that they lead between the two, based on four fundamental pillars: health, privacy, transparency and that the user has absolute control over the use (or not) of this system.

Representatives from Apple and Google have shared a major system update to fight the spread of COVID-19, improving privacy and adding more development possibilities

In a special press conference held this afternoon with the brands, Apple and Google representatives They updated us with a new batch of improvements over the initial system that they unveiled on April 10. It is appreciated the effort that both companies are making to explain in the best way to the general public the idea that they are developing: starting to change the name of the program, which is now called “Exposure Notification” – much more in line with what the system does, alert of a contagion to prevent it from spreading among the rest of the population. For this, the technology of our mobiles is used since it can be automated and expanded to determine if we have been exposed to someone infected.

To do this, Apple and Google have started with a first phase consisting of:

Provide governments with programming tools (an API or Application Programming Interface) that will allow each of them to develop (or include) this technology in their own health apps.

Apple and Google are responsible for the development of this API together, and will support the development by publishing all the technical details of it, both on Android and iOS (being exactly the same on both systems).

The apps integrated with these APIs will enable or disable this technology. It is the user who has full control over their inclusion in the program.

The final version of these programming tools will be available in mid-May.

Updating in advanced privacy and more possibilities for development

The advances in the construction of this programming tool that Apple and Google have updated us today with respect to the initial version, are the following:

Privacy enhancements

The identifiers of each user that is part of the system now they will be random, instead of temporary. This prevents an ID from being tracked by the origin of its creation.

The data obtained from Bluetooth is now encrypted. This data consists of the signal strength of an emitter, which determines the exposure distance. Each country can configure the one it deems appropriate. They have even encrypted this data to prevent anyone from identifying a specific person by the transmission power of their mobile phone’s Bluetooth beacon.

Exposure time is limited to maximum of 30 minutes, in 5 minute fractions.

Improvements to facilitate the creation of apps

I know improves distance estimation between two devices now also using the Bluetooth signal strength, not just the value received by the receiver. As I mentioned, this is encoded to avoid pattern identification.

Initially, the API generated random numbers that changed every 15 minutes. Now the API has changed to improve security. Every day, the system will generate a new user identification code (also random) from which a new code will be generated randomly, with two-step encryption that improves the security of the data and its anonymization (remember, they can be iOS or Android, or mixed. The brand does not matter, the tool works the same and is shared between both platforms).

You can get the number of days since last exposure of the user. This will allow authorities to customize their plan: for example, if we have been exposed today, the app will tell us to go to the emergency room. If we were exposed 10 days ago, you could recommend that we stay home. All this is personalized by each government at any time – and importantly, the app will not know any data from who is telling it, because it is completely anonymous, but the trigger will be activated when indicating this configuration in the system.

It has been encryption algorithm improved, going from HMAC to AES, which is currently the most used when encoding data. Many devices even have hardware encoding acceleration, which will speed up this encoding (all iPhones as of 2015 have it implemented, by the way). This algorithm is more efficient, allowing it to be used more quickly by apps.

Improvements in phase 2: OS-level deployment

Once the first phase is finished, which consists of providing this API to governments so that they can implement the system in their apps, the companies have planned a second plan To improve the effectiveness of the system:

Add to both operating systems (iOS and Android) the activation and deactivation of this system. In phase 1 it will be implemented only in apps that use this API, the idea in this phase is to have it implemented at the operating system level so that it is easier for the user to enter.

The notifications Daily will be managed between Apple and Google to improve efficiency and ease of use.

Deployment to operating systems will continue to be based on the principles of privacy, transparency and that the user continues to have absolute control over the system.

It will be available soon (in the case of iOS, possibly an update to iOS 13 will include it, before iOS 14 arrives the last months of the year – this is my opinion).

Questions and answers

The process is technically very sophisticated and may give rise to doubt, so I add here a small section of questions and answers to the most common ones about the system:

1.- How does the proposal of Apple and Google work?

The system proposed by Apple and Google is the use of the contact tracking technique: Bluetooth technology is used in mobile phones to help detect exposure with someone affected. When activated, our mobile sends a signal based on a random identifier without any personal data, which also changes every 10 or 20 minutes.

The verification of the positives is done on each phone, not on servers: The mobiles registered in the system listen and save the beacons close to what is established by the authority that manages the application. At least once a day, the system will download a list of beacons confirmed as positive in COVID-19 from the health authority in the app. The app will check if any of them is in your “recent visits” list, in which case, the app will notify the user with the action to take.

2.- How is privacy and security protected?

Each user MUST EXPLICITLY CHOOSE TO ENTER THE PROGRAM, activating within the app their explicit permission to do so. And you can withdraw from it, at any time. Neither Apple nor Google nor anyone else can activate this without the explicit consent of the user.

The system does not collect position data from the phone, and does not share it with other devices, nor with companies. The user controls at all times the information he wants to share, and if he wants to do so.

Each user’s Bluetooth beacon is randomly rebuilt every 10 to 20 minutes, to avoid being tracked by a person.

Exposure notification is only made on the user’s physical device and always under his supervision. The positives are not identified in any way in the system, nor among other users, nor in Apple or Google.

3.- How is the information handled by these apps controlled?

The system has been designed to be completely agnostic of any user identification and only the health authorities of each country have access, no one else. Apps will be evaluated and must meet specific privacy, security and data control criteria. The health authorities of each country will only be able to access the list of beacons marked as positive by COVID-19, but they are not linked to any personal data that allows identifying who they are.

4.- Could this data be monetized by Gooole or Apple?

No, in any way, by relying on privacy principles and avoiding connections with real user data.

5.- How do users indicate that they are positive for COVID-19?

It can only be done from the official apps of the health agencies of each country. Details for each of the territories will be given when the app is launched.