Apple and Google launch exposure notification API, enabling public health authorities to release apps
Apple and Google today made available the first public version of their exposure notification API, which was originally debuted as a joint contact-tracing software tool. The partners later renamed it the Exposure Notification system to more accurately reflect its functionality, which is designed to notify individuals of potential exposure to others who have confirmed cases of COVID-19, while preserving privacy around identifying info and location data.
The launch today means that public health agencies can now use the API in apps released to the general public. To date, Apple and Google have only released beta versions of the API to help with the development process.
To be clear, this launch means that developers working on behalf of public health agencies can now issue apps that make use of it — Apple and Google themselves are not creating an exposure-notification or contact-tracing app. The companies say that many U.S. states and 22 countries across five continents have already asked for, and been provided access to, the API to support their development efforts, and they anticipate more being added going forward. So far, Apple and Google say they have conducted more than 24 briefings and tech talks for public health officials, epidemiologists and app developers working on their behalf.
The exposure notification API works using a decentralized identifier system that uses randomly generated temporary keys created on a user’s device (but not tied to their specific identify or info). Apple and Google’s API allows public health agencies to define what constitutes potential exposure in terms of exposed time and distance, and they can tweak transmission risk and other factors according to their own standards.
Further, Apple and Google will allow apps to make use of a combination of the API and voluntarily submitted user data that they provide through individual apps to enable public health authorities to contact exposed users directly to make them aware of what steps they should take.
During the course of the API’s development, Apple and Google have made various improvements to ensure that privacy is an utmost consideration, including encrypting all Bluetooth metadata (like signal strength and specific transmitting power), as that could potentially be used to determine what type of device was used, which offers a slim possibility of associating an individual with a specific device and using that as one vector for identification.
The companies have also explicitly barred use of the API in any apps that also seek geolocation information permission from users — which means some apps being developed by public health authorities for contact tracing that use geolocation data won’t be able to access the exposure notification API. That has prompted some to reconsider their existing approach.
The companies previously announced plans to make Exposure Notification a system-level feature in a later update to both their respective mobile operating systems, to be released sometime later this year. That “Phase two” portion of the strategy might be under revision, however, as Google and Apple said they continue to be in conversation with public health authorities about what system-level features will be useful to them in development of their COVID-19 mitigation strategies.