Apple and Google on Friday updated technical details of the coronavirus contact tracing system they plan to release next month, saying new features would strengthen privacy protections and give health authorities more detailed data.
The system announced on April 10 will use Bluetooth technology to let authorities build apps to alert people who have been in proximity with those who have tested positive for the novel coronavirus.
Apple said the changes were the result of feedback both companies had received about the specifications and how they might be improved.
Both companies also promised to disable the service after the outbreak had been sufficiently contained. Such a decision would have to be made on a region-by-region basis. However, the engineers stated definitively that the APIs were not intended to be maintained indefinitely.
The technology does not employ GPS location data and stores most sensitive data in a decentralized way on users’ phones.
Under the new encryption specification, daily tracing keys will now be randomly generated rather than mathematically derived from a user’s private key. The daily tracing key is shared with the central database if a user decides to report their positive diagnosis. As part of the change, the daily key is now referred to as the “temporary tracing key,” and the long-term tracing key included in the original specification is no longer present.
The new encryption specification also establishes specific protections around the metadata associated with the system’s Bluetooth transmissions.
The numbers that identify users will be randomly generated, and so-called “metadata” such as Bluetooth signal strength and users’ phone models will now be encrypted along with primary data about who they have been near.
The update comes as health and privacy researchers cited privacy concerns that Google and Apple tried to address on Friday by making it harder to use system-generated data to track people.
In addition, “exposure time,” or how long two phones have been near each other, will be rounded to 5-minute intervals, to prevent using detailed time data to match up phones to people.
Apple and Google will now provide data about Bluetooth power levels to better estimate how close two phones came to each other and for how long, letting authorities set their own thresholds for when to alert people.
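The key handling, identifier rotation, metadata encryption and 5-minute rounding described above, as an added illustration (not Apple's or Google's code, and not the published specification): a random temporary exposure key is generated per day, per-interval identifiers are derived from it, the Bluetooth metadata is encrypted under a key bound to that identifier, and matching runs locally on the phone against downloaded diagnosis keys. The HKDF labels, the 10-minute interval length, the 144-interval key lifetime and the use of an HMAC-based PRF in place of the specification's AES-128 are all assumptions chosen so the code runs with the Python standard library only.

```python
import hashlib
import hmac
import os

# Constructed constants for this illustration. The published specification defines
# its own HKDF labels, interval length and AES-128 primitives; treat every value
# here as an assumption to be checked against that document.
RPIK_INFO = b"EN-RPIK"            # assumed HKDF label for the identifier key
AEMK_INFO = b"EN-AEMK"            # assumed HKDF label for the metadata key
INTERVAL_SECONDS = 600            # assumed 10-minute identifier rotation
INTERVALS_PER_KEY = 144           # assumed: one temporary key covers one day
EXPOSURE_BUCKET_SECONDS = 300     # 5-minute rounding stated in the article


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 16) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, empty salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_temporary_exposure_key() -> bytes:
    """Fresh random daily key: nothing ties it to a long-term secret or to other days,
    so reporting one day's key reveals nothing about any other day."""
    return os.urandom(16)


def interval_number(unix_seconds: int) -> int:
    """Index of the rotation interval containing this timestamp."""
    return unix_seconds // INTERVAL_SECONDS


def rolling_proximity_identifier(tek: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval. An HMAC-based PRF stands in for the
    specification's AES block; identifiers are unlinkable without the key."""
    rpik = hkdf_sha256(tek, RPIK_INFO)
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(rpik, msg, hashlib.sha256).digest()[:16]


def _metadata_keystream(tek: bytes, rpi: bytes) -> bytes:
    aemk = hkdf_sha256(tek, AEMK_INFO)
    return hmac.new(aemk, rpi, hashlib.sha256).digest()


def encrypt_metadata(tek: bytes, rpi: bytes, metadata: bytes) -> bytes:
    """Encrypt the transmit-power/version metadata under a key bound to this
    identifier, so a passive listener sees only opaque bytes. XOR with a keystream
    stands in for the specification's AES-CTR."""
    ks = _metadata_keystream(tek, rpi)
    if len(metadata) > len(ks):
        raise ValueError("metadata too long for this illustration")
    return bytes(m ^ k for m, k in zip(metadata, ks))


decrypt_metadata = encrypt_metadata  # keystream XOR is its own inverse


def round_exposure_seconds(seconds: int) -> int:
    """Round an exposure duration to the nearest 5-minute bucket."""
    half = EXPOSURE_BUCKET_SECONDS // 2
    return (seconds + half) // EXPOSURE_BUCKET_SECONDS * EXPOSURE_BUCKET_SECONDS


def find_exposures(observed, diagnosis_keys):
    """Decentralised matching: regenerate every identifier each reported key could
    have produced and compare against what this phone heard. Nothing is uploaded.
    observed: [(rpi, interval)], diagnosis_keys: [(tek, first_interval)].
    Returns the sorted interval numbers at which a match occurred."""
    candidates = {}
    for tek, start in diagnosis_keys:
        for i in range(start, start + INTERVALS_PER_KEY):
            candidates[rolling_proximity_identifier(tek, i)] = i
    return sorted({candidates[rpi] for rpi, _ in observed if rpi in candidates})


if __name__ == "__main__":
    tek = generate_temporary_exposure_key()
    now = interval_number(1_600_000_000)          # constructed timestamp
    rpi = rolling_proximity_identifier(tek, now)
    aem = encrypt_metadata(tek, rpi, bytes([0x40, 0x08, 0x00, 0x00]))
    print("identifier:", rpi.hex(), "encrypted metadata:", aem.hex())
    print("matches:", find_exposures([(rpi, now)], [(tek, now - 10)]))
```

The matching step is where the privacy property shows: the server only ever holds keys that reporting users chose to publish, and every comparison against observed identifiers happens on the receiving phone.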
The companies also said they would provide data on how many days had passed since the last contact with an infected person, to help authorities notify users about what steps to take.
However, Friday’s changes do not address the question of how health authorities will verify positive diagnoses to prevent trolls or other false positives.
It is not clear whether the project will be adopted by public health agencies. Google and Apple said, however, that they had discussed the project with dozens of stakeholders, including public health agencies.