Exposure Notification
The (Google/Apple) Exposure Notification System (GAEN)[2][3][a] is a framework and protocol specification developed by Apple Inc. and Google to facilitate digital contact tracing during the COVID-19 pandemic. When used by health authorities, it augments more traditional contact tracing techniques by automatically logging close approaches among notification system users using Android or iOS smartphones. Exposure Notification is a decentralized reporting protocol built on a combination of Bluetooth Low Energy technology and privacy-preserving cryptography. It is an opt-in feature within COVID-19 apps developed and published by authorized health authorities.[10][11] Unveiled on April 10, 2020, it was made available on iOS on May 20, 2020 as part of the iOS 13.5 update[12] and on December 14, 2020 as part of the iOS 12.5 update for older iPhones.[13] On Android, it was added to devices via a Google Play Services update, supporting all versions since Android Marshmallow.
The Apple/Google protocol is similar to the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol created by the European DP-3T consortium and the Temporary Contact Number (TCN) protocol by Covid Watch, but is implemented at the operating system level, which allows for more efficient operation as a background process.[14][15][16] Since May 2020, a variant of the DP-3T protocol has been supported by the Exposure Notification Interface.[17] Other protocols are constrained in operation because they are not privileged over normal apps. This leads to issues, particularly on iOS devices where digital contact tracing apps running in the background experience significantly degraded performance.[18][19][20] The joint approach is also designed to maintain interoperability between Android and iOS devices, which constitute nearly all of the market.
The ACLU stated the approach "appears to mitigate the worst privacy and centralization risks, but there is still room for improvement".[21] In late April, Google and Apple shifted the emphasis of the naming of the system, describing it as an "exposure notification service", rather than a "contact tracing" system.[22]
Privacy
Preservation of privacy was referred to as a major component of the protocol; it is designed so that no personally identifiable information can be obtained about the user or their device.[30][11][31][32] Apps implementing Exposure Notification are only allowed to collect personal information from users on a voluntary basis.[33] Consent must be obtained from the user to enable the system or publicize a positive result through the system, and apps using the system are prohibited from collecting location data.[34] As an additional measure, the companies stated that they would sunset the protocol on a region-by-region basis once they determine that it is "no longer needed".[35]
The Electronic Frontier Foundation raised concerns that the protocol was vulnerable to "linkage attacks": once a device's set of daily encryption keys has been revealed, sufficiently capable third parties who had recorded beacon traffic may be able to retroactively turn this information into tracking information, but only for areas in which they had already recorded beacons, for a limited time segment, and only for users who have disclosed their COVID-19 status.[36]
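The scope of the linkage concern described above can be made concrete with a short added illustration, which is not part of the original article nor Apple's or Google's code. It uses a simplified HMAC-based stand-in for the protocol's real identifier derivation; the function names, sample sightings and the 144-interval day are assumptions made for the example.

```python
import hashlib
import hmac

INTERVALS_PER_DAY = 144  # assumption: 10-minute intervals, one daily key per 24 h

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Simplified stand-in for the real derivation (which uses HKDF and AES-128)."""
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

def linkable_sightings(recorded, published_keys):
    """Return {key_index: [(site, interval), ...]} for recorded beacons that
    match an identifier derivable from a published daily key."""
    lookup = {}
    for idx, (key, first_interval) in enumerate(published_keys):
        for i in range(first_interval, first_interval + INTERVALS_PER_DAY):
            lookup[rolling_id(key, i)] = idx
    linked = {}
    for site, interval, beacon in recorded:
        idx = lookup.get(beacon)
        if idx is not None:
            linked.setdefault(idx, []).append((site, interval))
    return linked

def demo():
    # Constructed sample data: hypothetical keys, sites and interval numbers.
    day1, day2 = 18400 * INTERVALS_PER_DAY, 18401 * INTERVALS_PER_DAY
    a_day1 = hashlib.sha256(b"constructed user A, day 1").digest()[:16]
    a_day2 = hashlib.sha256(b"constructed user A, day 2").digest()[:16]
    b_day1 = hashlib.sha256(b"constructed user B, day 1").digest()[:16]
    recorded = [
        ("station", day1 + 3, rolling_id(a_day1, day1 + 3)),
        ("cafe", day1 + 50, rolling_id(a_day1, day1 + 50)),
        ("cafe", day1 + 50, rolling_id(b_day1, day1 + 50)),   # B never reports
        ("station", day2 + 3, rolling_id(a_day2, day2 + 3)),  # key not disclosed
    ]
    # Only user A's day-1 key is disclosed after a positive report.
    return linkable_sightings(recorded, [(a_day1, day1)])

if __name__ == "__main__":
    print(demo())
```

Sightings of the user who never reports, and of the day whose key is not disclosed, stay unlinkable, which is the boundary the paragraph describes.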
On April 16, the European Union started the process of assessing the proposed system for compatibility with privacy and data protection laws, including the General Data Protection Regulation (GDPR).[37] On April 17, 2020, the UK's Information Commissioner's Office, a supervisory authority for data protection, published an opinion analyzing both Exposure Notification and the Decentralized Privacy-Preserving Proximity Tracing protocol, stating that the systems are "aligned with the principles of data protection by design and by default" (as mandated by the GDPR).[38]
Deployment
Exposure Notification is compatible with Android devices supporting Bluetooth Low Energy and running Android 6.0 "Marshmallow" and newer with Google Mobile Services. It is serviced via updates to Google Play Services, ensuring compatibility with the majority of Android devices released outside of Mainland China, and not requiring it to be integrated into Android firmware updates (which would hinder deployment by relying on individual OEMs). It is not compatible with devices that do not have GMS, such as Huawei devices released since May 2019.[39][40] On iOS, EN is serviced via operating system updates.[12] It was first introduced as part of iOS 13.5 on May 20, 2020.[41][42] In December 2020, Apple released iOS 12.5, which backported EN support to iPhone models that cannot be upgraded to iOS 13, including iPhone 6 and older.[42]
Exposure Notification apps may only be released by public health authorities. To discourage fragmentation, each country will typically be restricted to one app, although Apple and Google stated that they would accommodate regionalized approaches if a country elects to do so.[34] Apple and Google released reference implementations for apps utilizing the system, which can be used as a base.[34]
On September 1, 2020, the consortium announced "Exposure Notifications Express" (EN Express), a system designed to ease adoption of the protocol by health authorities by removing the need to develop an app themselves. Under this system, a health authority provides parameters specific to their implementation (such as thresholds, branding, messaging, and key servers), which are then processed to generate the required functionality. On Android, this data is used to generate an app, and a configuration profile that can also be deployed to users via Google Play Services without a dedicated app.[43] On iOS, the functionality is integrated directly at the system level on iOS 13.7 and newer without a dedicated app.[44] On December 14, 2020, Apple released iOS 12.5, bringing support for Exposure Notifications to older iPhones.
The last information update on the “Exposure Notification Systems” partnership was a year-end review issued by Google in December 2020:[45] "we plan to keep you updated here with new information again next year". However, nothing was issued on the one-year anniversary of the launch of the “Exposure Notification Interface” API, in spite of important changes on the pandemic front such as vaccination, variants, digital health passports and app adoption challenges, as well as growing interest in tracking QR codes (and notifying on that basis) for a mostly airborne-transmitted virus. The published Frequently Asked Questions (FAQ) document has not been revised since May 2020.[46] Basic support continues to be provided through the app stores, for apps released by authorized public health agencies, including enforcement of the personal privacy protection framework, as demonstrated in the UK NHS challenge in support of their contact tracers.[47]
In June 2021, Google faced allegations that it had automatically downloaded Massachusetts' "MassNotify" app to Android devices without user consent. Google clarified that it had not actually downloaded the app to user devices, and that Google Play Services was being used to deploy an EN Express configuration profile that would allow it to be enabled via the Google Settings app without needing to download a separate app.[43]