Apple, Google release new contact tracing API specs, security, accuracy measures
Updated: 24 Apr 2020, 10:14 PM IST
- The metadata associated with Bluetooth will be encrypted now
- Data about who a user has been near is only retained on the device for 14 days, and deleted after that
After announcing that they would work together to help governments’ contact-tracing efforts, Apple and Google released more technical details about their efforts. Among the changes made to the API they will provide to others are stronger encryption standards, more accurate Bluetooth signals and more.
According to the companies, the changes are “the result of meaningful engagement and feedback from key external stakeholders around the world.” Today’s announcements mostly revolve around cryptography and Bluetooth specifications in the API.
Apple and Google will now be using the Advanced Encryption Standard (AES) instead of the earlier Hashed Message Authentication Code (HMAC). “Many devices have built-in hardware for accelerating AES encryption. This change will help performance and efficiency to avoid slowing down the phones, as we’ve determined that AES performs better for this application,” the companies said.
Further, the metadata associated with Bluetooth will also be encrypted now. This makes it tougher for an app to use that data to identify the person using said app. Apple and Google had earlier announced
Also, the companies are changing the terminology from contact tracing to “exposure notification”. The companies believe the new terminology better demonstrates what the API does. The API generates a “temporary exposure key” for a phone when an exposure event is being detected. So, when two phones are nearby and their Bluetooth signals are being used to identify that they are near each other, the unique id of the phone won’t be shared. These keys are now generated using a random number generator, which makes them more difficult to predict or identify manually.
Data about who a user has been near is only retained on the device for 14 days, and deleted after that. “It doesn’t keep track going forward after a person has registered as COVID-19 positive,” the companies said.
Temporary keys are anonymised and more difficult to link to a phone’s user than the phone’s unique id. Further, since the API also allows apps to ask for users’ exposure time, it will only record this in five-minute intervals, capped at 30 minutes. This would make it easier for apps to gather exposure notifications more accurately.
The two companies are also letting apps record the “power levels” of Bluetooth signals now, and developers can specify the signal strength. This is important since it lets apps ascertain the distance between two phones better and hence identify exposure events more accurately. “This will help public health authorities individually define what constitutes an exposure event by setting parameters for radio signal strength and duration that two phones have been in proximity,” representatives from the companies said.
Essentially, the Bluetooth signal strength lets an app understand how close two phones are, and this can be combined with the time those two phones have been near each other to determine whether the user has been exposed to the virus.
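The combination of signal strength, duration and retention described above can be sketched as follows. This is an added example, not Apple's or Google's code: the `Sighting` record, the threshold values, the one-minute-per-sighting assumption and the choice to round down to a five-minute step are all illustrative assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)   # from the article: on-device data kept 14 days
STEP_MIN, CAP_MIN = 5, 30        # from the article: 5-minute steps, 30-minute cap
SCAN_MIN = 1                     # assumption: each sighting stands for ~1 minute

@dataclass(frozen=True)
class Sighting:                  # hypothetical record of one received beacon
    seen_at: datetime
    tx_power_dbm: int            # sender's power level (assumed known to receiver)
    rssi_dbm: int                # signal strength measured by the receiver

    @property
    def attenuation_db(self) -> int:
        # Higher attenuation means more signal loss, i.e. phones further apart.
        return self.tx_power_dbm - self.rssi_dbm

def prune(sightings, now):
    """Drop anything older than the retention window."""
    return [s for s in sightings if now - s.seen_at <= RETENTION]

def reported_minutes(sightings, max_attenuation_db):
    """Minutes in close proximity, coarsened before an app sees them."""
    close = sum(SCAN_MIN for s in sightings
                if s.attenuation_db <= max_attenuation_db)
    coarse = (close // STEP_MIN) * STEP_MIN   # assumption: round down to a step
    return min(coarse, CAP_MIN)

def is_exposure(sightings, now, max_attenuation_db, min_minutes):
    """Apply a health authority's signal-strength and duration parameters."""
    kept = prune(sightings, now)
    return reported_minutes(kept, max_attenuation_db) >= min_minutes

# Constructed sample data: 47 one-minute sightings at close range today,
# 12 at long range, and 20 close-range sightings from three weeks ago.
NOW = datetime(2020, 4, 24, 12, 0)
SAMPLE = (
    [Sighting(NOW - timedelta(minutes=m), -8, -55) for m in range(47)]
    + [Sighting(NOW - timedelta(minutes=m), -8, -90) for m in range(12)]
    + [Sighting(NOW - timedelta(days=21, minutes=m), -8, -50) for m in range(20)]
)

if __name__ == "__main__":
    kept = prune(SAMPLE, NOW)
    print(len(kept), reported_minutes(kept, max_attenuation_db=50))
    print(is_exposure(SAMPLE, NOW, max_attenuation_db=50, min_minutes=15))
```

Because the duration is coarsened and capped before it is reported, an app learns only that a contact lasted "at least 30 minutes", not its exact length, which limits how much the value can help re-identify a specific encounter.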