Exposure Notification is a new term for Contact Tracing technology, coined by Google and Apple. Amid the COVID-19 Pandemic, contact tracing has been the most difficult task for countries and their medical authorities. Almost all the countries have launched their own mobile app to trace the potential COVID-19 infected persons. For example India has it’s own Contact Tracing App Aarogya Setu, Australia has COVIDSafe etc. In terms of contact tracing, these apps haven’t shown success so far.
Reason for a little or nominal success of contact tracing technology is access restrictions by mobile operating systems to curb the data privacy issues. Many countries are going beyond data privacy of their citizens for contact tracing. We can’t blame their intentions.
- 1 Why Apple and Google had to pitch in?
- 2 What is difference between Apps and APIs?
- 3 What is the ‘Exposure Notification’ API?
- 4 How to access it?
- 5 Is ‘Exposure Notification’ API trustworthy?
- 6 How does Exposure Notification API works?
- 7 Why has ‘Covid19 Exposure Notification System’ failed to contain the ‘Pandemic’?
- 8 Wrapping Up-
Why Apple and Google had to pitch in?
As per 2019 Market share data by idc.com, Google has almost 86% while Apple has 14% shares of Mobile devices. Improving Contact Tracing in Android and iOS would cover almost 100% smartphone user’s active participation in Contact Tracing without breaching Data Privacy.
Recently on April 10th, Google CEO, Sundar Pichai, announced that Google and Apple are working on a contact tracing approach, designed with strong controls and protections for user privacy. This decision was made by these two companies to protect the Data Privacy of the users and enhance the efficiency of Contact Tracing technology.
To help public health officials slow the spread of #COVID19, Google & @Apple are working on a contact tracing approach designed with strong controls and protections for user privacy. @tim_cook and I are committed to working together on these efforts.https://t.co/T0j88YBcFu
— Sundar Pichai (@sundarpichai) April 10, 2020
Later, on 20th May, Google and Apple launched this API and named it as Exposure Notification API.
What is difference between Apps and APIs?
API is a set of functions and procedures allowing the creation of apps that access the features or data of an operating system, application, or other service. While accessing security prone modules like Bluetooth, APIs are usually developed by Operating System companies itself.
image source study.com
Exposure Notification API is developed by Google and Apple to moderate the Contact Tracing Apps development. Mobile App is the front-end application that is used by common user to communicate with Operating System and other module using different APIs.
What is the ‘Exposure Notification’ API?
Exposure Notification is created to help medical authorities to develop more efficient Contact Tracing App. This is an API, not a mobile app, created by the collaboration of Google and Apple.
Lately, the term ‘Contact Tracing’ has been considered a breach of user’s privacy. Google and Apple, while developing this API, they have taken care of the protection of end user’s Private Data, so they decided to name this API, “Exposure Notification”, less suspicious and more auspicious.
How to access it?
While developing Exposure Notification API Google and Apple have provided the option to enable and disable as per user preference. If you have received the OS upgrade in Android and iOS then probably you need to check and enable it as by default it is disabled.
Accessing Exposure Notification System in Android-
Many devices like One Plus, Samsung, Oppo have already received and using this API in the countries using this API. If medical authority is using this API in your country for Contact tracing, you can enable it in your android device and use it.
Steps to enable Covid19 Exposure Notification in android is simple. You need to go to Settings -> Google-> Click in ‘Covid19 Exposure Notification’
Since India is using its own Contact Tracing API you won’t be able to enable it. Anyone who is residing is a country, using “Exposure Notification API” to build contact tracing app , will get option to enable it. Basically you must have an mobile app installed who need to call Exposure Notification API.
Accessing Exposure Notification System in iOS-
To enable Covid19 Exposure Notification System in iOS devices like iPhone, you need to go to Settings -> Privacy->Health-> Click in ‘Covid19 Exposure Logging’
Is ‘Exposure Notification’ API trustworthy?
Before developing this API, Google and Apple have done extensive research with medical experts and data privacy experts around the world. They have considered the best interest of Medical Authorities in tracing the potential COVID-19 infected persons as well as Data Privacy of the end users or jailbreaking.
Below are some of the best features of Exposure Notification API which make it robust and a trustworthy solution for Contact Tracing:
- Exposure Notification API doesn’t record any user’s geographical or location data. While researching, Google found that people hesitate to share their location information. So, no more location privacy hassles.
- Exposure Notification API is available only for one App each country. Yes, you heard it right. Only top medical authority of each country gets access to build app using this API.
- Google and Apple have assured to decommission this API after Pandemic is over.
- User data remains on server for 14 days. Data gets erased and overwritten after every 14 Days.
- This API asks proper permissions to share the information over Bluetooth.
How does Exposure Notification API works?
Exposure notification API is based on Bluetooth permissions and do not share any information without user consent. User can check all the data that has been shared and they can delete it in case they don’t want to share it.
In other words, this API uses Bluetooth to make a nest of App users who have been in contact lately and later process the data and notify if the user has been exposed to any COVID-19 patient.
As per the Google API technical documentation, this is how it works:
1-If Exposure Notification enabled app not used previously-
If user has installed the app for the first time or haven’t used it earlier, it will ask for consent to start the Contact Tracing.
2-If installed and used previously-
Every time a user opens an app with this API, it will check the following active status values before staring the Contact Tracing itself-
/* Application is running successfully and have the consent */
Int SUCCESS = 0;
/* User has declined the API for COntact Tracing */
int FAILED_REJECTED_OPT_IN = 1;
/* Service has been disabled either from client or Server */
int FAILED_SERVICE_DISABLED = 2;
/* Bluetooth is turned off by the user */
int FAILED_BLUETOOTH_SCANNING_DISABLED = 3;
/* Services has been temporarily disabled by either user or App */
int FAILED_TEMPORARILY_DISABLED = 4;
/* User doesn’t have enough storage for the traced data */
int FAILED_INSUFFICENT_STORAGE = 5;
/* App failed internally to start the Contact Tracing */
int FAILED_INTERNAL = 6
Based on the result, App will further operate.
This API is not exposed for public use. Requesting body should be medical representative country.
3-On Contact –
If a user meets any COVID-19 infected person or a person who has already been in contact with a patient, this API requests client (App or browser) to upload the details to server regularly.
Before sending the details to Server, this API ask the medical authority to cryptographically sign the data. Below are the intents called to fulfil this requirement.
/* function to check if user has contact with any COVID-19 patient */
/* Request medical authority to provide the key to encrypt user details before sending it to server */
/* Contact detail to be shared on Server */
/** Length of contact in 5 minute increments. */
If a Contact Tracing App is uninstalled, it automatically calls stopContactTracing(); function.
App or client can check the individual user’s status if he has application installed or not by the function isContactTracingEnabled().
5-Data Availability on Server –
Data will be available on Server for 14 days and get overwritten with the 15th Day Data or erased in case user has uninstalled the App.
Why has ‘Covid19 Exposure Notification System’ failed to contain the ‘Pandemic’?
Clearly Exposure Notification System has failed to contribute in containing the Pandemic because of so much data privacy restrictions and default disabled framework.
At the day of unveiling of exposure notification system, 23 countries including multiple states from United States of America showed interest in this API. This popularity was because of its improvements over older Contact Tracing technologies. This API is efficient over old contact tracing because it is calling Bluetooth automatically and no need to keep the app running on foreground to work. But many people are not aware that it is disabled by default.
Also other major drawback of this API is that it is not using geographical data for Contact tracing purpose. Geographical data is very important to define the containment zones. Other drawback of this API is, its procedure calling only based on user consent. Many users decline all the permissions by default because of privacy concerns.
Any country adopting this API to build contact tracing App, must ensure to spread the awareness as well as a lot of installation and use of the Exposure Notification based App. Due to fear of data privacy issues this system has been ignored not only by people but many government authorities as well.
Even after so many data protection measures in this API, we still see a lot of concerns being raised. A lot of people are complaining about storage of the user’s contact data on Server. However, experts believe Apple and Google have done an extensive job by balancing the Medical Authorities requirement as well as user’s data privacy concerns.
If we look at our day to day technology usage and associated data privacy issues, we are surrounded by a lot of technologies exploiting our data privacy. Do you consider Alexa and Siri a data safe technology? They have permission to hear you all the time and they hear a lot of stuff. Don’t you think raising questions for sharing mere Contact Ids over Bluetooth is a little hypocritic here?