Dave Peckdavepeck.org

Notes on the Apple + Google Contact Tracing Partnership

April 20, 2020

On Friday April 10, 2020, Apple and Google announced a partnership to provide new tools on top of which comprehensive at-scale digital contact tracing solutions can be built.

The primary contributions are a bluetooth and a cryptographic specification, plus the promise that these specifications will be implemented on tens of millions of mobile devices by very early May, 2020. I expect the number of supporting devices to reach the billions in the months following. Scale is essential in any successful tracing solution; as a result, any viable solution going forward will probably need to utilize these specifications. I’ll be surprised if any competing proposal achieves the necessary scale.

While their specifications are an important piece of the puzzle, Apple and Google have not built (and do not seem to want to build) a complete solution for digital contact tracing. Instead, they’ve focused on the low-level question of how mobile devices will interact with one another to exchange anonymized data that can — in tandem with both apps and data services presumably built by others — be tied back to an infection and scored based on time and distance of exposure. The details of the underlying protocols are not specific to COVID-19 and should provide a foundation for future epidemics.

The current specifications appear to strike a balance between privacy and anonymity and the need to share diagnostic information with arbitrary third parties. In the assumed common case where the mobile device’s owner remains healthy, no identifiable information of any kind is obtainable by any third party, including the operators of back-end data services and the developers of contact tracing applications. (Contact tracing applications can of course explicitly ask for PII and can share this information with data services, but the Apple + Google protocols themselves stay silent on this point.) On the other hand, in the assumed rare case where a mobile device’s owner gets sick, that owner voluntarily shares cryptographic identifiers associated with the specific days when they might have been contagious. With access to these identifiers, owners of mobile devices that were within Bluetooth range of the symptomatic individual can rank the severity of their exposure without the ability to determine the infected individual’s identity. In addition, it is not possible for data service providers to determine which set of users may be at risk; the information necessary to make this determination lives on, and never leaves, the at-risk mobile devices.

Because the Apple + Google partnership does not provide a contact tracing app or a contact tracing data service — and because these are necessary components of an at-scale solution — there are many open questions about how digital contact tracing will work in practice.

For instance: it is unclear who will be allowed to ship applications that use these new protocols. Will Apple and Google limit access to public entities, select private partners, or will they open the floodgates wide?

It’s also unclear who is likely to operate back-end data services in practice. The Apple + Google design naturally lends itself to the creation of federated rather than centralized data services. We might expect multiple or even competing services to emerge. To achieve scale, these services will need to speak with one another; with what schema and semantics will this conversation take place?

Griefing is also an important consideration in the development of apps and data services. If anybody can press a button that says “I have COVID-19” then anybody will, including the uninfected. Apps and services may need to place hard restrictions on who can share what the protocol calls “diagnostic keys”. As a simple example, an app may allow an individual to share their diagnostic keys with their doctor but only allow authorized medical professionals to share the diagnostic keys with participating data services.

There are many other important factors to consider. On the technical front, well-known cryptographers have begun to ask pointed questions about the chosen cryptographic scheme and its real-world privacy considerations. On the privacy and policy front, there are many deep and complex issues to tackle. Perhaps the best discussion I’ve run across in the context of the United States comes from a recent Lawfare Podcast episode that dives deep on the question of whether contact tracing is a privacy threat.