Contact tracing becomes exposure notification as privacy issues grow
posted Saturday Apr 25, 2020 by Scott Ertz
As the fear over the Coronavirus threat grows and the need for the world to begin spinning again, in one fashion or another, becomes more important, solutions are being developed around the world. One of the most publicized tools being developed has been the Apple and Google partnership for contact tracing.
The concept is that phones would talk to one another and, if one phone knew that its owner had been infected, it would report that to the phone that came in contact with it. From there, the idea of tracing contact would spider out with each subsequent contact. The reason for the process is to stem the spread. The virus shows no signs of symptoms for around 48 hours and many people never show signs, but you are still highly contagious.
While the concept has real-world value, it also has been met with concern, mostly around privacy. Apple and Google do not have a great track record of protecting user privacy. Combining that with medical information, even second-hand, and data sharing has raised the attention of privacy organizations. As a result, the two companies have made changes to the way the system works even before it releases.
To get started, the contact data will now be encrypted. Why this wasn't part of the original design is a mystery, and lends credence to the concerns raised. To address concerns raised by Avram and me on last week's show, the API being made available for this project will report Bluetooth signal strength. This allows the app developers to make an educated decision about whether the contact is valid. Bluetooth is strong enough to go from house to house, apartment to apartment, or office to office. Reporting the signal strength will allow for decisions about the actual distance. The keys will also reset every 15 minutes, which addresses my concerns over being able to create a false Bluetooth beacon to incorrectly spread data.
In addition to the changes to the API structure, the system is getting a new name. Since "contact tracing" has been met with such strong negative emotions, the pair have rebranded the process to "exposure notification." This new name does more accurately describe the goal as opposed to the process, an issue that Silicon Valley has long struggled with.
The API is scheduled to become public next month, but it will still require an opt-in process to make it work.