In an effort to fight the COVID-19 pandemic, Google and Apple have started to implement a contact tracing feature into their mobile operating systems. This means that with the latest updates, nearly all iPhone and Android devices will have this capability.
But what is contact tracing, and how does it affect your privacy? Let's look at the facts of contact tracing and how you can stay safe while using it.
What Is Contact Tracing?
Contact (or exposure) tracing is the act of keeping track who has a communicable disease and following up with the people they came in contact with. By reaching out to those people, the hope is that health professionals can prevent further spread of the disease.
Contact tracing isn't a new idea. Before the advent of widespread mobile technology like we have today, contact tracing was an offline process. When someone was diagnosed with an infectious disease, they would speak with a professional to determine where they had gone and who they'd seen recently. The tracer would then reach out to those people and recommend that they come in for treatment, isolate themselves for a time, or take other action as needed.
As you'd expect, manual systems aren't perfect. It takes a lot of time to reach out to people one-by-one, and there's no guarantee that an infected person will remember everyone them came in contact with.
This is why digital contact tracing has entered the discussion during the coronavirus pandemic.
How Does Mobile Contact Tracing Work?
The contact tracing feature in Android and iOS uses the Bluetooth LE (Low Energy) protocol that's part of most phones. As the name suggests, this function uses less power than other Bluetooth connections, with a similar range (about 30 feet).
For now, Apple and Google are simply adding support for the new Exposure Notifications API. This is opt-in; to use it, you'll have to manually enable the feature and install a compatible contact tracing app.
Once you've done this, mobile contact tracing works by sending out beacons to nearby phones using Bluetooth. This keeps track of what phones you've come in contact with, but uses a random identifier so as not to expose any of your personal data.
Anyone who tests positive for COVID-19 can report it using the public health app on their phone. Your phone regularly checks the list of devices you've come in contact with against COVID-positive devices.
So when someone reports an infection, people who came in contact with that person will receive a notification letting them know about this and advising them on what to do next.
Here's a hypothetical scenario to illustrate:
- Alice and Bob both go shopping at the same store. They stay a few feet apart, but end up next to each other in the checkout line.
- There's a long line, so Alice and Bob are near each other for 15 minutes as they wait. Their phones exchange keys during this time.
- A few days later, Bob feels sick and gets tested for COVID-19. When the test is positive, he reports this using the public health app on his device.
- Because Alice and Bob exchanged keys when they were at the store, Alice will soon get a notification on her phone letting her know that she came in contact with someone who has the virus. This doesn't tell her who it was.
- The app will give Alice advice on what she should do next.
How to Enable Exposure Notifications on Your Phone
As of this writing, Apple has integrated the Exposure Notifications API into iOS 13.5 and above. If you're on an older version, first update your device.
After that, head to Settings > Privacy and select Health. Here, tap COVID-19 Exposure Logging and you can enable the feature using the slider at the top. However, you'll need to have a compatible public health app installed to use it.
At the bottom of the settings page, you can tap Exposure Checks to see a record of requests. Use Delete Exposure Log to clear all data related to this feature.
Google has rolled the feature out to devices running Android 6 Marshmallow and above through an update to Google Play Services. You'll find the setting available under Settings > Google; select COVID-19 exposure notifications and turn it on (if you have a compatible app installed).
Because this feature is so new, however, tracing apps aren't widely available yet. NOVID is one app designed for Allegheny County in Pennsylvania. Take a look at Wikipedia's page on COVID-19 apps for more options as they become available.
Contact Tracing and Privacy
All this talk of tracking users will certainly raise some privacy concerns. While everyone wants to fight the virus and return to normal life, we shouldn't have to give up our personal privacy in the process.
Google and Apple has discussed some points about the privacy of this system. As we mentioned, it is entirely opt-in, meaning that if you don't install an app and enable exposure notifications, your phone won't use this feature.
If you do decide to use it, all the exposure matching happens on your device. Google and Apple's servers are not involved in checking whether you came in contact with an infected user. The only information downloaded from the server is the list of IDs from people who have been confirmed as infected.
Your phone only stores the keys of people you've come across in the past 14 days, and nobody will see your personal information if you declare yourself as infected.
Only official public health apps can use this API. They cannot access your phone's location using this system. Neither Apple nor Google can see whether you have COVID or have come in contact with someone who has the disease.
The above setup is "phase one" of Apple and Google's rollout. Later in 2020, the company plans to bake support for this functionality directly into iOS and Android. This means that you won't need a separate app for it. However, it will still be optional at that time.
Take a look at the Exposure Notification FAQ document for more information.
Beware Contact Tracing Phishing Schemes
Bad actors often take advantage of crises, and the coronavirus pandemic is no exception. As contact tracing becomes more prevalent, you should be on the lookout for COIVD-19 phishing attempts that masquerade as contact tracing.
The setup we've described above is the only way that contact tracing will work with smartphones. This means that if you receive an email or text message claiming that you've been in contact with an infected individual, it's false. Legitimate alerts will come as a notification from the approved app you've installed on your phone.
Most areas of the US have abandoned manual contact tracing due to the widespread nature of the virus, so you should be vigilant to guard against potential attacks on that front as well. If you receive a call telling you that you may have been near an infected person, ask for information about who's calling and make sure it's a legitimate entity (it probably isn't) before giving them any info.
Someone could pose as a contact tracer when they really just want to steal sensitive information from you.
Know What Contact Tracing Involves
Digital contact tracing isn't perfect -- it relies on users opting in and self-reporting themselves as infected. There may also be false positives depending on how close people are, especially if the contact takes place through a window or similar.
Whether you choose to opt into contact tracing or not, you should know how the system works and what it means for privacy. Above all, take care not to fall for fake alerts that want to steal from you.
If you're working from home due to the virus, check out our guide to keeping your work and home lives separate.