How Apple and Google’s Exposure Notification API works

Apple officially released iOS 13.5 to the public this week. The update includes changes such as Face ID improvements for masks, new Apple Music features, and more. Perhaps most importantly, however, the update brings the first version of the Exposure Notification API developed by Apple and Google. Here’s how that feature works, while also preserving your privacy.

How it works

When a user enables the feature and has an app from a public health authority installed, the device will regularly send out a beacon via Bluetooth that includes a random Bluetooth identifier. When two people are near each other, their phones will exchange and record these Bluetooth identifiers.

If someone tests positive for COVID-19, they can voluntarily report the positive test to the Exposure Notification application for their region. These screenshots show public health authority developers how to walk users through the process of reporting that they tested positive for coronavirus, including a unique test identifier:

The Exposure Notification API will also likewise download a list of the keys for the beacons that have been verified as belonging to people confirmed positive for COVID-19, and check against that list. If there is a match, the user may be notified and advised on the next steps. What constitutes as an exposure? This is up to the public health agencies to decide, but the API itself includes a minimum of 5 minutes of interaction for it to be considered a match.

Think of it like this: Person A and Person B spend more than 5 minutes together at a restaurant. During this time, their smartphones exchange the anonymous Bluetooth identifier. They go their separate ways, but Person A tests positive for COVID-19 a few days later and chooses to report that positive test via the Exposure Notification app. Person B will then receive a notification saying that someone they recently interacted with has tested positive for COVID-19.

The public health authorities can determine what the next steps are. If ample testing is available, the app might suggest that Person B get tested even if they are asymptomatic. If testing is constrained, the app might suggest that Person B monitor for symptoms and only get tested if they become symptomatic, while also self-isolating.

Privacy is a tentpole of the Exposure Notification API. Perhaps the biggest privacy protection in Apple and Google’s Exposure Notification API is that location data plays no part in how it works. The two companies say that these applications should collect as little data as possible, and location data is not needed for this Bluetooth-based approach.

Apple and Google have repeatedly emphasized that much of the control is in the hands of the public health authorities themselves. Apple and Google are providing the Exposure Notification API, and developers can adjust the details as-needed while preserving the privacy and requirements of the API.

In fact, the API is only used by public health authorities, and can only be used for COVID-19 purposes. Not just any developer can access this API and implement it into their application. In the long-term, the companies say they are still exploring the possibility of allowing health authorities to send exposure notifications without requiring an app.

With the release of iOS 13.5 this week, Apple and Google also said they had made further privacy enhancements to the Exposure Notification API:

  • Temporary Exposure Keys are now generated randomly instead of being derived from a tracing key
  • All metadata associated with Bluetooth is now encrypted to make it more difficult to identify a person

More details on the Exposure Notification API:

  • The entire system is opt-in
  • Other applications for contact tracing will be allowed in the App Stores; they can adopt Apple and Google’s API, but they must remove all Location Services features and adopt the privacy frameworks of the Apple and Google API
  • Contact tracing data is only stored on a user’s device
  • Contact tracing data is only processed on a user’s device
  • Public health agencies can define what constitutes an exposure event
  • Public health agencies can determine the number of exposure events a person has had
  • Transmission risk of positive cases can be factored into the definition of an exposure event
  • Public health agencies can contact exposed users based on a combination fo the API and data that users voluntarily choose to input into the app
  • No news to announce yet on whether Apple will promote these applications, such as in the App Stores

Useful Links:

What do you need to do?

As of right now, the only thing you can do is download and install iOS 13.5 on your iPhone. Again, what Apple and Google have developed isn’t an application, but rather an API on top of which public health agencies can build their own applications.

Currently, no public health agencies have released an application for COVID-19 exposure notifications that actually uses the Apple and Google API. Apple says that 22 countries around the world have requested and received access to the API — so presumably there are applications on the way, we just don’t know when.

In the United States, three states have committed to building applications using the Exposure Notification API: Alabama, North Dakota, and Virginia. Many other states say they have no plans to participate, and you can find the full list here. It’s important to keep in mind that as state health officials become more knowledgable on how the Apple and Google API works, their plans might change.

Once you have an app from a public health authority, you can enable and manage exposure logging in the Settings app on your iPhone. To access this interface, simply open the Settings app, tap Health, then look for the COVID-19 Exposure Logging pane. Here, you enable Exposure Logging, delete exposure logs, and manage installed applications.

What do you think?

Now that the first version of the Apple and Google Exposure Notification API is available, and the companies have made several changes in the name of privacy, will you enable the functionality on your device when an app is available? Let us know down in the comments!

Read more about the Exposure Notification API:

FTC: We use income earning auto affiliate links. More.

Incipio Organicore iPhone case

Check out 9to5Mac on YouTube for more Apple news:


You can follow iPhoneFirmware.com on Twitter, add us to your circle on Google+ or like our Facebook page to keep yourself updated on all the latest from Apple and the Web.