Today, Apple and Google shared more information on their automatic exposure notification system, including sample interface designs for potential apps and restrictions on how the system will ultimately be used.
First introduced on April 10th, Apple and Google’s system tracks potential cases of COVID-19 through Bluetooth Low Energy signals, allowing for retroactive exposure notifications while using encrypted keys to preserve non-exposed users’ privacy. The companies have pledged to discontinue the system as soon as the public health crisis has passed.
The new interface samples give a sense of how those notifications will work in practical terms and exactly how the companies plan to ensure proactive consent. Intended for use by developers, they show how specific alerts would appear and when particular API calls should be made.
The companies are also sharing a library of reference code (an SDK for Android and an Xcode toolkit for iOS), which the team hopes will serve as “a starting gun” for app development by public health agencies. Still, representatives clarified that the code itself was not meant to ever ship as an application.
The companies declined to name any specific public-sector partners but said they had been proactively approached by multiple governments because of their unique operating system-level access to the Bluetooth systems in smartphones.
The companies also laid out six specific principles that public-sector partners would be expected to uphold. Most notably, the apps can only be used for COVID-19 response efforts, will be restricted from using Location Services, and require opt-in consent before accessing the API or sharing a positive diagnosis. They also will not allow any form of targeted advertising in the resulting apps; any existing apps using targeted advertising or location services will need to turn off those systems before they access the API.
In one new twist, the companies plan to restrict access to a single app per country in an effort to avoid fragmentation. But the wording of the principle leaves the door open for countries like the US where the response has been led by states.
“If a country has opted for a regional or state approach,” the restriction reads, “the companies are prepared to support those authorities.”