Apple and Google's coronavirus tracking tool: How privacy fits in

Here's a breakdown of the encryption and security measures Apple and Google are adopting to protect privacy.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Stephen Shankland principal writer
Stephen Shankland has been a reporter at CNET since 1998 and writes about processors, digital photography, AI, quantum computing, computer science, materials science, supercomputers, drones, browsers, 3D printing, USB, and new computing technology in general. He has a soft spot in his heart for standards groups and I/O interfaces. His first big scoop was about radioactive cat poop.
Expertise processors, semiconductors, web browsers, quantum computing, supercomputers, AI, 3D printing, drones, computer science, physics, programming, materials science, USB, UWB, Android, digital photography, science Credentials
  • I've been covering the technology industry for 24 years and was a science writer for five years before that. I've got deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and other dee
Alfred Ng
Stephen Shankland
6 min read

Apple and Google announced several security and privacy updates for their contact tracing tools, which are expected to roll out in May. 

Background by Pixabay; photo by Angela Lang/CNET

Apple and Google announced significant updates Friday for their coronavirus tracking tools, changes meant to improve how personal data is generated and secured on people's iOS and Android devices. 

The companies first announced their contact tracing collaboration on April 13, detailing technology that'll use Bluetooth signals on devices to detect who people have been in close contact with. The idea is that the tech could help people figure out if they've been exposed to coronavirus patients, so they can take appropriate actions. 

The original design included  privacy -protection measures, like using Bluetooth signals instead of geolocation data, and having identifiers change every 24 hours. In a press briefing Friday, the tech giants said they've added a new layer of encryption on top of that.

The updates make it more difficult to identify who's diagnosed with COVID-19, the disease caused by the coronavirus, and they also encrypt data to make it harder to use as a digital fingerprint if it's exposed.

Encrypting the data means that unless you have a key to decrypt it, you won't be able to see or access the information shared. That would mean that the data shared for dealing with COVID-19 can't be easily accessed by advertisers or government agencies or anyone tracking Bluetooth signals over the air.

In white papers released Friday, Apple and Google said the shared Bluetooth data can be decrypted only if a person tests positive for COVID-19, and that the data isn't tied to any personal information that can be used to identify someone. 

The tools are expected to become available in May, and app releases will depend on how quickly public health officials can develop them. Apple and Google are also working on ways to get contact tracing capabilities built into devices, without needing an app. The companies expect that build to be released in several months. 

Privacy and security have been major concerns for all contact tracing apps, including Singapore's TraceTogether and the tool used by the UK's National Health Services. Public health officials need a majority of the population to use these apps for them to be effective, but trust issues are a hurdle to mass adoption. At a previous press briefing, Google and Apple said the biggest challenge to their project will be getting people to trust and use the technology

To address that, the companies released an FAQ for the general public on how this data will be protected, along with updates that make it harder to link Bluetooth identifiers to particular individuals and that add new data security protections.

Although the general technology has alarmed some privacy-minded people, big names in encryption technology have been involved in a related effort spearheaded by MIT, called PACT, or Private Automated Contact Tracing.

New protections for Bluetooth identifiers

One of the most significant changes Apple and Google detailed Friday is how the identifiers are generated to begin with.

In the contact tracing tool's first incarnation, every device that opted into the public health program had a Tracing Key that was stored locally and never left your device. Each day, a new Daily Tracing Key would be created based on the main key, which would be shared only if you tested positive for COVID-19. 

Those keys generated an identifier, the information the phone would send to other devices to let you know if you'd been in contact with someone diagnosed as COVID-19 positive. 


Originally, the keys generated for contact tracing were based on derivatives of a single key stored on devices. 


Apple and Google's update Friday makes it harder to determine and track those keys, by giving them a random foundation that changes daily. The old system derived Daily Tracing Keys from the permanent Tracing Key, but that could leave an opening for a potential attacker to reverse-engineer the data and figure out who the daily keys belonged to. 

For example, if the main Tracing Key was "Apple and Google," a Daily Tracing Key generated from it could be something like "Oogle and Gapple" one day, then "Googel and Appel" the next, and so on. 

Under the new system, the companies employ a randomized key, now named the Temporary Exposure Key, that changes every day. Each is created every 24 hours through a cryptographic random number generator.


With the update, the contact tracing tool generates a new key every 24 hours using a random, cryptographic tool. 


The protocol is designed to store those keys for only 14 days, the time in which a person with COVID-19 is presumed infectious and likely to pass the virus to other people. 

The Temporary Exposure Key then generates a Rolling Proximity Identifier (RPI) Key, which is encrypted and then used to generate a new identifier every 15 minutes that's sent to other devices for contact tracing purposes. Google and Apple are also renaming the tools as "exposure notification" rather than the original "contact tracing."

Though the RPI Key is still derived from the daily key, it's harder to track because of how frequently it changes and because it expires after two weeks.

That doesn't make it impossible to identify a person through their contact tracing data, but it does make it much more difficult than it was with Apple and Google's original method. 

"With independently generated keys, it limits what someone with a lot of computational power can do," said Jake Williams, founder of cybersecurity firm Rendition Security. "If keys are independent versus derivative, it limits exposure." 

Encrypting associated data, too

Apple and Google also announced that they would encrypt the metadata sent with the identifiers. 

Metadata is data about data. In Apple and Google's contact tracing scenario, in which your phone is sending Bluetooth data, other information is associated with it, like signal strength and time sent. 

That data is useful for public health officials, because Bluetooth signal strength can indicate distance between devices, and exposure time can help indicate potential for spread between people.

But if that data isn't encrypted, it could also potentially be used by anyone able to pick up on the over-the-air signals. Apple and Google representatives said the companies would encrypt that information to increase privacy protections, and that it wouldn't be decrypted unless people are tested as COVID-19 positive.

Watch this: Contact tracing explained: How apps can slow the coronavirus

That adds a layer of security not just from Apple and Google themselves, but also from any government agencies seeking to get data on people en masse. 

Apple has long battled the US government over encryption. Justice Department officials have urged the tech company to unlock iPhones belonging to terrorists, sex offenders and drug dealers. 

The tech industry as a whole has stood firm in defense of encryption, arguing that the security technology protects billions of people from hackers and privacy violations. Adding encryption to the contact tracing tools could make it harder for government agencies to demand information on COVID-19 patients who opted in to digital contact tracing. 

"It sounds to me like the idea here is to ensure that even if the government gets access to a key they need for contact tracing, that only compromises a small amount of data and prevents an 'all or nothing' approach while also ensuring the data is fully usable for contact tracing as needed," Rendition Security's Williams said. 

Changes for public health officials 

Along with the privacy updates, Apple and Google are also changing how public health officials can use the tools. 

The tech companies aren't developing the contact tracing apps themselves; they're providing tools for public health officials to make their own. The announcements on Friday included changes to their framework to help health care workers determine COVID-19 exposure. 

That includes providing the radio signal strength in Bluetooth exchanges, a measurement commonly used to estimate the distance between devices.

Developers behind the contact tracing apps will also be able set their own rules for determining whether a contact took place, based on signal strength, contact duration and days since last contact. That's important because it lets public health officials update apps with the constantly changing science surrounding COVID-19.

Representatives from the tech companies expect to release a "seed version" of the technology by the first week of May, available only to public health officials for testing. This version will support iOS devices released since 2016, Apple said.

Coronavirus in pictures: Scenes from around the world

See all photos
The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.