Apple’s COVID-19 exposure notification API: What it is and how it works in iOS 13.5

In the release notes for iOS 13.5, you may have noticed a somewhat ominous message. Apple says that the update, “introduces the Exposure Notification API to support COVID-19 contact tracing apps from public health authorities.”

Update 5/27: Added information about the first contact-tracing app launching in Switzerland.

That sounds an awful lot like it’s going to allow the government to track you and invade your privacy! Fortunately, that couldn’t be further from the truth. Contact tracing and exposure notification are important tools to help limit the spread of COVID-19 and enable the easing of lockdown restrictions, but only if they are widespread. 

To that end, Apple and Google got together back in April to develop technology that would notify you if you may have been exposed to someone with COVID-19 without compromising your identity, location, or personal information.

The result is an API for both Android phones and iPhones that will allow state health agencies to produce apps to notify the public about possible COVID-19 exposure. This is a brief overview of what it is and how it works.

What is the Exposure Notification API?

An API is an “application programming interface.” It’s basically a way for app developers to request functions provided by the operating system. As an example, a mapping app may want to know your location so it can show where you are on a map. The application doesn’t have to have a bunch of code to talk to the GPS hardware in your phone, it just calls a function from the iOS location API.

Apple and Google have built a set of functions into Android and iOS that developers can use to help notify people when they might have been exposed to someone with COVID-19.

This API is not available to all developers, but rather only to official government health agencies around the world, and those apps will have a lot of restrictions placed upon them. Here in the United States, that likely means that an app using the API would have to come from your state Department of Health or equivalent agency.

Apple

At the time of this writing, there are only three states that have publicly stated they will use the API: Alabama, South Carolina, and North Dakota. Everything is moving quickly, and that will likely change. Bear in mind this is a global technology program, and other countries’ health agencies may use the API, too.

How it works

Apple has provided a lot of technical detail about how the API works, as well as a very useful FAQ. But in brief, this is how it works.

Your iPhone is given a random Bluetooth identifier—a string of numbers and letters that will be different from everyone else’s. This identifier doesn’t have any of your personal info in it. It doesn’t include your name, email address, Apple ID, location, age…nothing at all. It’s just a big string of letters and numbers whose sole purpose is to be different from everyone else’s, to be unique. Your unique ID number changes every 10 to 20 minutes.

Your phone broadcasts this unique ID string over Bluetooth to every other phone it comes close to. Those other phones are broadcasting their identifiers too, and everyone’s phone keeps a log: A record of all the unique but anonymous ID numbers to which your phone has come close.

There’s no information in there to tell you who those people actually are or where you were when you were near them.

Let’s say one of those people you were near gets tested for COVID-19, and tests positive. With their permission, they can use the app from their public health authority to upload their own Bluetooth identifiers to a central database. Again, this doesn’t have any of their personal information or location history.

Apple

Your phone (and everyone else’s) periodically downloads that list of COVID-positive identifiers from the server. Remember, it doesn’t contain any personal information or location information. It’s just, “this is a list of those anonymous random Bluetooth ID numbers from people who have tested positive for COVID-19.” Your phone compares its log of IDs that it has been near with this database of known-positive-IDs.

If there’s a match, your iPhone will pop up a warning. It will say you have possible exposure to someone who has tested positive, the date which their test was verified positive, and the date in which you were near that person.

Apple

The app on your phone will know which IDs you have been near, how close you were (as determined by Bluetooth signal), and for how long. It’s probably not going to pop up an alert for someone you jogged past in ten seconds, but it will if you spent ten minutes standing next to someone at the dog park.

How is your privacy protected?

First, you should know that you can disable this technology at any time. Open Settings > Privacy > Health and look for COVID-19 Exposure Logging. You can see which app is active and toggle exposure logging on or off.

You also have to opt-in by downloading an app from your public health authority. This isn’t something that just gets turned on for everyone by default. If you don’t have an app that want to do the logging, the option can’t be turned on.

Know that other phones get no information about you, nor does your phone get info about them. It’s just random identifiers. No location data is ever logged.

Your phone doesn’t transmit your contact log to anyone, anywhere: not Apple or Google, not the government, not other users.

If you test positive, the public health agency will get (with your permission!) your own random IDs, but not a list of people you have been in contact with. It will never get your location history, under any circumstance.

All the matching of positive IDs with the people they have been in contact with happens locally, on the users’ devices.

If your phone finds a match (your local contact log matches an ID from the public health agency’s positive test ID log), the app will tell the public health authority only that a contact occurred, not who the people involved were. They will get the day the contact happened, how long it lasted, and the Bluetooth signal strength. That’s all.

Apple and Google never get any of this data. Not positive IDs, not your own list of contacts, nothing.

The apps that use this exposure notification API have a set of restrictions placed upon them, too:

• Apps must be created by or for a government public health authority and they can only be used for COVID-19 response efforts.

• Apps must require users to consent before the app can use the API.

• Apps must require users to consent before sharing a positive test result with the public health authority.

• Apps should only collect the minimum amount of data necessary and can only use that data for COVID-19 response efforts. All other uses of user data, including targeted advertising, is not permitted.

• Apps are prohibited from seeking permission to access Location Services.

Should you use it?

At the time of this writing there are only three states which have announced they will use the app (Arkansas, South Carolina, and North Dakota) and none of them have rolled out support in an app yet. So for users in the United States, this doesn’t yet do anything. The only country that has launched an app using the API is Switzerland and it’s currently limited to army members, hospital workers and civil servants.

If your public health agency does issue an app that supports this API, we suggest you use it. If a critical mass of people use this app, it can go a long way toward giving health agencies a clear picture of how much (or little) COVID-19 is spreading, and exactly what restrictions should be placed on business or public activity, and which can be lifted.

Compared to similar programs across the world, this Apple/Google solution does a very good job of protecting your privacy. In fact, some states don’t want to use it specifically because it does not give them enough personally identifiable info, like the ability to trace your location.