Messages are circulating on WhatsApp groups and social media in South Africa that Google has secretly downloaded a COVID-19 contact tracing app to Android smartphones.
The concerns stem from the sudden appearance of a new settings screen on Android devices called “COVID-19 exposure notifications”.
This has resulted in speculation and fears that Google has quietly started collecting private information, including location information, to aid the South African government in contact tracing people who have tested positive for the coronavirus.
However, Google and Apple have made it clear that this is not what their COVID-19 exposure notification system does.
Apple-Google COVID-19 exposure notification partnership
On 11 April 2020, Apple and Google announced that they had partnered to develop an application programming interface (API) for COVID-19 exposure notification.
- Google: Exposure Notifications: Using technology to help public health authorities fight COVID‑19
- Apple: Privacy-Preserving Contact Tracing
This technology would not replace traditional methods of contact tracing, the two companies said, but would augment them.
Part of the specification of the technology is that no personally identifying information or location data is collected.
Rather than relying on GPS tracking or any other exchange of personal data, the exposure notification framework built into Android and iPhone devices uses Bluetooth low-energy signals to determine whether two people were in close proximity to each other.
According to Google, their system was heavily inspired by the Decentralized Privacy-Preserving Proximity Tracing protocol (DP-3T), which was developed by a team of European researchers.
DP-3T was one of many protocols developed by researchers to try to address the privacy concerns raised by contact tracing. Others include the Temporary Contact Numbers Protocol (TCN) and the Private Automated Contact Tracing (PACT) system from MIT.
However, CNBC quoted Google vice president of Android, Dave Burke, as saying that DP-3T “gives the best privacy-preserving aspects of the contacts tracing service”.
Bluetooth-based “contact tracing” needed Apple and Google to work
While several countries have independently developed contact tracing apps to help in their fight against the COVID-19 pandemic, each had its pitfalls.
Chiefly, if you wanted to make use of Bluetooth as suggested by privacy-first protocols such as TCN, DP-3T, and PACT, your app had to be running in the foreground the whole time.
The Register reported that Google and Apple placed significant restrictions on how Bluetooth may be used in their mobile operating systems. There are workarounds, but these come with several trade-offs, including a tremendous cost to the battery life of your device.
According to The Verge, the reason Android and iOS don’t allow the constant broadcast of Bluetooth signals is that it has been exploited before for targeted advertising.
For a privacy-centric contact tracing protocol based on Bluetooth low-energy to succeed, it needed Apple and Google on board to make it work at an operating system level.
How it works
The Apple-Google COVID-19 exposure notification framework works through the exchange of anonymous cryptographic tokens using Bluetooth low-energy signals.
When two devices are within Bluetooth range, they send each other a randomly generated token. Google calls these random IDs, though they don’t contain any personally identifying information — they are completely random.
Devices store the tokens they have sent, as well as the tokens they have received, for 14 days.
If someone tests positive for the coronavirus and they have been using an app that makes use of the Apple-Google API, they can upload all of the tokens they have sent in the past 14 days to a notification server. Governments must put safeguards in place to try and ensure that people can’t upload tokens without a confirmed positive coronavirus test result.
The notification server then sends out the tokens for other app users to check against the list of tokens they have received in the past 14 days.
If you have received a cryptographic token from someone who has tested positive, you will be advised to self-quarantine for a period of 14 days and seek medical advice if you experience symptoms.
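The token flow described above, as an added example that is not code from Apple, Google or the original article: it models the scheme as the article describes it (random tokens, 14-day retention, matching on the device). The `Device` class, the `meet` helper and the day numbers are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

RETENTION_DAYS = 14  # retention window stated in the article

@dataclass
class Device:
    sent: dict = field(default_factory=dict)      # token -> day it was sent
    received: dict = field(default_factory=dict)  # token -> day it was heard

    def broadcast(self, day):
        """Generate a fresh random token; it encodes no identity or location."""
        token = secrets.token_bytes(16)
        self.sent[token] = day
        return token

    def hear(self, token, day):
        self.received[token] = day

    def prune(self, today):
        """Drop tokens that have aged out of the retention window."""
        cutoff = today - RETENTION_DAYS
        self.sent = {t: d for t, d in self.sent.items() if d > cutoff}
        self.received = {t: d for t, d in self.received.items() if d > cutoff}

    def upload(self, today):
        """After a confirmed positive test: publish only the tokens this device sent."""
        self.prune(today)
        return set(self.sent)  # bare tokens, no days, no contact list

    def exposure_days(self, published, today):
        """Matching happens on the device; the server never learns who matched."""
        self.prune(today)
        return sorted(d for t, d in self.received.items() if t in published)

def meet(a, b, day):
    """Two devices within Bluetooth range send each other a token."""
    b.hear(a.broadcast(day), day)
    a.hear(b.broadcast(day), day)

def simulate():
    alice, bob, carol = Device(), Device(), Device()  # constructed scenario
    meet(alice, bob, day=1)    # older than 14 days by day 20
    meet(alice, bob, day=10)
    meet(bob, carol, day=12)   # carol never meets alice
    published = alice.upload(today=20)  # alice tests positive on day 20
    return (bob.exposure_days(published, 20),
            carol.exposure_days(published, 20),
            len(published))
```

Bob is flagged for the day 10 contact only, because the day 1 contact has aged out; Carol, who never met Alice, gets no match.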
Several European governments and epidemiologists have asked Apple and Google to relax the privacy requirements of their exposure notification system.
They explained that the apps built using the Apple-Google API are essentially useless to researchers and do not provide contact tracers with any useful data to help them do their jobs.
Since no personal information is gathered, the framework also does not give governments the information they need to enforce their quarantine rules.
If the system notifies someone that they have potentially been exposed to the coronavirus, it is entirely up to that person to remain isolated and go for the necessary tests.
Traditional contact tracers may also end up duplicating the work the app has already done. They may end up investigating contacts that the app has already advised to self-isolate, as they will have no idea which contacts the app has notified.
Participating app needed
Initial reports suggested that the Apple-Google exposure notification system would be released in two phases.
The first phase is the API that has already been released, which is made available to national governments to build apps to offer exposure notifications in their respective countries.
The second phase was reportedly the ability for this contact tracing software to work without a participating government-sanctioned app. Users would still have to opt in to use the system, though.
However, Google and Apple have since made it clear that their system requires the participation of governments:
“Access to the technology will be granted only to apps from public health authorities. Their apps must meet specific criteria around privacy, security, and data use.”
This is reiterated on the very settings screen that has caused misinformation and speculation to spread around South African social media.
On Android, to view your COVID-19 exposure notifications settings, you can search for “COVID-19” in your phone’s settings app. On Samsung devices you can access the COVID-19 exposure notifications screen by navigating to Settings→Google Settings.
The very first sentence on that screen is: “To turn on COVID-19 exposure notifications, install or finish setting up a participating app”.
South Africa does not currently have a participating app.