Apps for COVID-19 testing tend to fall into one of two broad categories, although there are many overlaps. The first provides coronavirus information and includes self-diagnostic tools. These types of apps ask up to 10 questions relating to your current health conditions. The app offers suggestions based on the responses. Contact tracing apps, by contrast, identify persons who may have come into contact with an infected person. By tracing the connections of infected individuals, then testing them for infection, public health officials hope to reduce further infections in the population. An Exposure Notification API created jointly by Apple and Google is the most promising contact tracing resource in the United States. Keep in mind; this isn’t an app.  Instead, it’s a tool government officials can incorporate into local-based apps for contact tracing purposes. The API is accessible through iOS and Android.

Contact Tracing Process in the U.S.

In the United States, contact tracing for COVID-19 is the responsibility of health officials in each of the 50 states plus the District of Columbia. There’s no universal contact tracing app, unlike the process in other countries. To use the Exposure Notification API in the U.S., public health officials must first agree to terms, then create an iOS and Android app for their location. Then, an end-user must download and active the tracing app.  Once enabled, the app uses Bluetooth technology to aid in exposure notification.

How It Works

Apple and Google have designed the Exposure Notification API with privacy and security in mind. User information isn’t directly tied to the collected data. According to an API FAQ released in May, enabled devices regularly send out beacon via Bluetooth that includes a random identifier made up of a string of numbers. This identifier refreshes every 10- to 20-minutes for added security. As this process continues on your mobile device, it’s also happening on other devices. Once per day, the system downloads a list of keys for each beacon for anyone confirmed as testing positive for COVID-19. If you’ve come into physical contact with someone testing positive, you’ll receive an alert on your phone detailing the next steps you should perform.

Promised Security

For security purposes, a positive tested person must give consent to the health authorities to send out their test results to other app users. Even with permission, there’s no specific user information sent to others. The only detail shared with others is that this person, who has come into physical contact with others in the past 14 days, now has COVID-19. As noted in the FAQ, the Exposure Notification API has baked in various privacy and security tools. This includes the previously mentioned requirement that an end-user must first turn on the technology. At any time, the user can turn off the system. Other protections include:

The system does not collect location data from your device. Additionally, it doesn’t share the identities of other users, or to Google or Apple. The user controls all data they want to share, and the decision to share it.Random Bluetooth identifiers rotate every 10-20 minutes, to help prevent tracking.Exposure notification is only done on the device and under the user’s control. The system does not identify people who test positive to other users, or Apple or Google.Public health authority apps are the only once that can use the API for contact tracing.Once it’s no longer needed on a regional basis, the API is shutoff by Google.

Who’s Using the API?

The Exposure Notification API has been accepted for use in various countries, including Austria, Switzerland, and Italy, among others. In the United States, only Alabama, North Dakota, and South Carolina have announced plans to use the tool, although none of these has deployed any software that uses it. Meanwhile, other states, including California, New York, and Massachusetts, have decided to stick with manual contact tracing.

The Bottom Line

As you can see, there’s no one-size-fits-all approach when it comes to the coronavirus and contract tracing. When Apple and Google announced the standard API, it looked like a positive step on multiple fronts. First, it shows two of the largest companies in the world are committed to helping to eradicate this terrible pandemic. Second, it looks like security and privacy are two of the tool’s core features. Unfortunately, health authorities aren’t committing to a single tool to get the job done. Without a vaccine, COVID-19 is still going to cause havoc around the world. From a technical standpoint, the best thing each of us can do is use self-diagnostic tools whenever we’re feeling sick and seek help if it’s warranted. When your national, state or local health agencies do get around in offering contact tracing solutions in your area, make sure it’s one built on security and privacy. Otherwise, additional problems could arise. For more information on COVID-19 in the U.S., visit CDC.gov.