Today California joined dozens of other states and countries in launching its COVID-19 exposure notification app, CA Notify, built on Google and Apple's Exposure Notification API. Google and Apple's API is
These apps use mobile phones' Bluetooth functionality to determine if a person has come into contact with someone who recently tested positive for the virus. (In iOS, there is no app to download; the Exposure Notification feature can be turned on via the settings.) If an app user tests positive for COVID, the app will notify others with the app who have come into contact with them, without giving information about the individual who tested positive. While the Bluetooth technology that powers California's app and others like it is the most promising approach to COVID exposure notification, there are still important privacy and equity concerns. And, ultimately, COVID tracking apps like these can only be effective if deployed alongside widespread testing and interview-based contact tracing.
Is It Private and Secure?
CA Notify and other apps built on Google and Apple's API meet several of the key proximity tracking and exposure notification safeguards that EFF has been looking for from the start, including informed, voluntary, opt-in consent and data minimization (both in terms of what data is collected and where it is shared). They also allow users to uninstall the app, turn off the functionality, and opt out at any point. Google and Apple have not yet, however, met our standards for information security (including open-sourcing their code and subjecting it to third-party audits and penetration testing), nor are we aware of any individual app developers publishing transparency reports.
Two important privacy-protective choices are worth additionally highlighting: Google and Apple's system does not track users' location, and it uses a decentralized approach to keep all of a user's identifiers on their device.
First, these apps use Bluetooth to track your proximity to other devices, rather than using GPS data or cell tower data to track your location. This is the right approach. Phone location data is insufficiently granular to identify when two people are close enough together to transmit the virus, but it is detailed enough to expose sensitive information about where you've been and what you've been doing.
Second, the apps are designed to keep your identifiers on your device (and not, for example, in an inaccessible, centralized government or law enforcement database). If and when a user tests positive, they can choose to enter the diagnosis code provided by their testing provider and upload their identifiers to a publicly accessible registry. These identifiers are random and ephemeral, and thus harder to correlate to a specific person.
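To make the decentralized design concrete, here is an added Python model of the scheme (written for this post, not code from CA Notify, Google or Apple): random daily keys stay on the phone, the broadcast identifier is re-derived every 10-minute interval, only a diagnosed user's daily keys reach the public registry, and the matching runs on each other phone. The identifier derivation is a simplified HMAC stand-in for GAEN's HKDF/AES construction, and the diagnosis-code verification step before upload is omitted.

```python
import hmac, hashlib, secrets

INTERVAL_SECONDS = 600    # GAEN rotates the broadcast identifier every 10 minutes
INTERVALS_PER_KEY = 144   # one random daily key covers 24 hours of intervals

def rolling_identifier(daily_key, interval):
    """Ephemeral identifier broadcast during one 10-minute interval. Simplified
    stand-in: HMAC-SHA256 truncated to 16 bytes instead of GAEN's HKDF + AES-128
    derivation. Without daily_key, identifiers from different intervals are unlinkable."""
    return hmac.new(daily_key, interval.to_bytes(4, "little"), hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_keys = {}   # day -> random 16-byte key, stored only on this device
        self.observed = set()  # (identifier, interval) pairs heard over Bluetooth

    def broadcast(self, unix_ts):
        interval = unix_ts // INTERVAL_SECONDS       # GAEN's ENIntervalNumber
        day = interval // INTERVALS_PER_KEY
        key = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return rolling_identifier(key, interval), interval

    def hear(self, identifier, interval):
        self.observed.add((identifier, interval))

    def upload_after_positive_test(self, registry):
        """Only daily keys reach the public registry: no name, location or contact list."""
        registry.extend(self.daily_keys.items())

    def check_exposure(self, registry):
        """Matching runs on the device: re-derive every identifier a published key
        could have produced and compare against what this phone actually heard."""
        for day, key in registry:
            for interval in range(day * INTERVALS_PER_KEY, (day + 1) * INTERVALS_PER_KEY):
                if (rolling_identifier(key, interval), interval) in self.observed:
                    return True
        return False

def simulate(encounter_ts=1_607_500_000):  # constructed timestamp, Dec 2020
    """Alice and Bob meet; Carol does not. Alice later tests positive and uploads."""
    alice, bob, carol = Phone(), Phone(), Phone()
    identifier, interval = alice.broadcast(encounter_ts)
    bob.hear(identifier, interval)
    registry = []
    alice.upload_after_positive_test(registry)
    return bob.check_exposure(registry), carol.check_exposure(registry)
```

Bob learns only that he was exposed, not by whom; the registry reveals which daily keys belong to diagnosed users but nothing about where those users were or whom they met.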
We've outlined theoretical ways that an attacker could abuse the app, such as setting up a Bluetooth beacon to map a user's detailed routine. Additionally, police may seek data created by proximity apps, which is stored on users' phones, and could use that to learn about specific associations or interactions. Whether these dangers are outweighed by the benefits in fighting COVID-19 is a judgment each user must make, and the relative costs and benefits of the proximity apps themselves remain unknown.
Will It Work?
Proximity tracking apps might be, at most, a small part of a larger public health response to COVID-19, for several reasons.
First, any benefits of this technology will be unevenly distributed. These apps assume that one smartphone equates to one human. But any app-based or smartphone-based solution will miss the groups least likely to have a mobile phone and more at risk of COVID-19 and in need of resources: in the United States, that includes elderly people, people without housing, and those living in rural communities. Even if someone has access to a cell phone, that phone might not be an up-to-date iPhone or Android, and many older phones simply won't have the technology necessary for Bluetooth proximity tracking. Phones can be turned off, left at home, run out of battery, or be set to airplane mode. So even a proximity tracking system with near-universal adoption is going to miss millions of contacts each day, and disproportionately miss communities at higher risk for COVID.
Second, even with widespread adoption, the app will be far from perfect. Bluetooth technology was simply not designed for this. A study of early deployments of the technology in Europe found that an app detected about 50% of true exposures, and also incorrectly triggered exposure notifications for about 50% of nearby devices. It also found that simply changing the person holding a particular phone was enough to cause significant variations in how the app measured exposure. Some of the app's performance will be dictated by parameters set by local health departments, and it's possible that CA officials can do better than earlier prototypes. And even flawed apps can be useful: pilot studies have suggested that even a relatively small number of people using a relatively inaccurate app can help flatten the curve.
Third and finally, however, even a theoretically best-designed, most privacy-protective, universally adopted app cannot fill the as-yet unmet need for traditional public health measures like testing, contact tracing, PPE for healthcare workers, and widespread social distancing and masking. Imagine it: if you received a notification that you had been exposed, but could not access testing, contact tracing, or isolation guidance and support, that notification would not serve you or the larger public health purpose of fighting the spread of COVID-19. This is why governments and institutions must not rely on this technology as a silver bullet to rush reopening, and further must be prohibited from discriminating against people who choose not to use it.
CA Notify and apps like it meet most, but not all, of our standards for exposure notification apps. We hope to see Google, Apple, and developers building on their system embrace additional information security and transparency measures. In the meantime, governments, institutions and users must continue to take seriously the tradeoffs and risks at stake when it comes to COVID exposure notification technology.