Today California joined dozens of other states and countries in launching its COVID-19 exposure notification app, CA Notify, built on Google and Apple’s Exposure Notification API. Google and Apple’s API is already used in 20 other U.S. states, as well as countries including Germany, the UK, and much of Canada.
These apps use mobile phones’ Bluetooth functionality to determine if a person has come into contact with someone who recently tested positive for the virus. (In iOS, there is no app to download; the “Exposure Notification” feature can be turned on via the settings.) If an app user tests positive for COVID, the app will notify others with the app who have come into contact with them, without giving information about the individual who tested positive. While the Bluetooth technology that powers California’s app and others like it is the most promising approach to COVID exposure notification, there are still important privacy and equity concerns. And, ultimately, COVID tracking apps like these can only be effective if deployed alongside widespread testing and interview-based contact tracing.
Is It Private and Secure?
CA Notify and other apps built on Google and Apple’s API meet several of the key proximity tracking and exposure notification safeguards that EFF has been looking for from the start, including informed, voluntary, opt-in consent and data minimization (both in terms of what data is collected and where it is shared). They also allow users to uninstall the app, turn off the functionality, and opt out at any point. Google and Apple have not yet, however, met all of our standards for information security (including subjecting it to third-party audits and penetration testing), nor are we aware of any individual app developers publishing transparency reports.
Two important privacy-protective choices are worth additionally highlighting: Google and Apple’s system does not track users’ location, and it uses a “decentralized” approach to keep all of a user’s identifiers on their own device.
First, these apps use Bluetooth to track your proximity to other devices, rather than using GPS data or cell tower data to track your location. This is the right approach. Phone location data is insufficiently granular to identify when two people are close enough together to transmit the virus, but it is detailed enough to expose sensitive information about where you’ve been and what you’ve been doing.
Second, the apps are designed to keep your identifiers on your device (and not, for example, in an inaccessible, centralized government or law enforcement database). If and when a user tests positive, they can choose to enter the diagnosis code provided by their testing provider and upload their identifiers to a publicly accessible registry. These identifiers are random and ephemeral, and thus harder to correlate to a specific person.
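To make the decentralized design concrete, here is an added simulation (not Google and Apple’s code, and not the real Exposure Notification derivation, which uses HKDF and AES) in which each device derives short-lived identifiers from a daily key it keeps to itself, a positive user publishes only daily keys, and every other device decides locally whether it ever heard one of the matching identifiers. The 10-minute interval, the HMAC-based derivation, and the names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

INTERVAL_MINUTES = 10                     # assumed rotation period for identifiers
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES


def derive_rpi(daily_key: bytes, interval: int) -> bytes:
    """Derive the rolling identifier broadcast during one interval.

    Simplified stand-in for the real derivation: a keyed hash of the interval
    number, truncated to 16 bytes. Without the daily key the outputs look random
    and unrelated to each other, so an observer cannot link intervals to a person.
    """
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Device:
    def __init__(self) -> None:
        self.daily_keys = {}   # day -> random key; leaves the device only if the user uploads it
        self.observed = set()  # identifiers heard over Bluetooth, stored locally

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return derive_rpi(key, day * INTERVALS_PER_DAY + interval)

    def hear(self, rpi: bytes) -> None:
        self.observed.add(rpi)

    def diagnosis_keys(self, days):
        """What a positive user chooses to publish: daily keys, never a contact list."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def exposed_to(self, registry) -> bool:
        """Matching runs on the device: re-derive identifiers from published keys."""
        for day, key in registry:
            base = day * INTERVALS_PER_DAY
            if any(derive_rpi(key, base + i) in self.observed for i in range(INTERVALS_PER_DAY)):
                return True
        return False


def simulate():
    alice, bob, carol = Device(), Device(), Device()
    # Constructed scenario: on day 3 Bob is near Alice in interval 40; Carol only meets Bob.
    bob.hear(alice.broadcast(3, 40))
    carol.hear(bob.broadcast(3, 41))
    registry = alice.diagnosis_keys([3])   # Alice tests positive and uploads her day-3 key
    return bob.exposed_to(registry), carol.exposed_to(registry)
```

The public registry holds only Alice’s daily key, so it reveals neither whom she met nor where; Bob learns he was exposed without learning which observed identifier was hers, and Carol, who never heard Alice directly, is correctly not notified.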
We've outlined theoretical ways that an attacker could abuse the app, such as setting up a Bluetooth beacon to map a user's detailed routine. Additionally, police may seek data created by proximity apps, which is stored on users’ phones, and could use that to learn about specific associations or interactions. Whether these dangers are outweighed by the benefit of COVID-19 exposure notification is a judgment each user must make, and the relative costs and benefits of the proximity apps themselves remain unknown.
Will It Work?
Proximity tracking apps might be, at most, a small part of a larger public health response to COVID-19, for several reasons.
First, any benefits of this technology will be unevenly distributed. These apps assume that one smartphone equates to one human. But any app-based or smartphone-based solution will miss the groups least likely to have a mobile phone and more at risk of COVID-19 and in need of resources: in the United States, that includes elderly people, people without housing, and those living in rural communities. Even if someone has access to a cell phone, that phone might not be an up-to-date iPhone or Android, and many older phones simply won’t have the technology necessary for Bluetooth proximity tracking. Phones can be turned off, left at home, run out of battery, or be set to airplane mode. So even a proximity tracking system with near-universal adoption is going to miss millions of contacts each day, and disproportionately miss communities at higher risk for COVID.
Second, even with widespread adoption, the app will be far from perfect. Bluetooth technology was simply not designed for this. A study of early deployments of the technology in Europe found that an app detected about 50% of true exposures, and also incorrectly triggered exposure notifications for about 50% of nearby devices. It also found that simply changing the person holding a particular phone was enough to cause significant variations in how the app measured exposure. Some of the app’s performance will be dictated by parameters set by local health departments, and it’s possible that CA officials can do better than earlier prototypes. And even flawed apps can be useful: pilot studies have suggested that even a relatively small number of people using a relatively inaccurate app can help flatten the curve.
Third and finally, however, even a theoretically best-designed, most privacy-protective, universally adopted app cannot fill the as-yet unmet need for traditional public health measures like testing, contact tracing, PPE for healthcare workers, and widespread social distancing and masking. Imagine it: if you received a notification that you had been exposed, but could not access testing, contact tracing, or isolation guidance and support, that notification would not serve you or the larger public health purpose of fighting the spread of COVID-19. This is why governments and institutions must not rely on this technology as a “silver bullet” to rush reopening, and further must be prohibited from discriminating against people who choose not to use it.
CA Notify and apps like it meet most, but not all, of our standards for exposure notification apps. We hope to see Google, Apple, and developers building on their system embrace additional information security and transparency measures. In the meantime, governments, institutions and users must continue to take seriously the tradeoffs and risks at stake when it comes to COVID exposure notification technology.
UPDATED (12/18/2020): An earlier version of this article stated incorrectly that Google and Apple's Exposure Notification code is not open source. Multiple components are available on GitHub and on Apple's developer site.