Last month Apple and Google announced a landmark partnership to help combat the spread of the novel coronavirus through a new COVID-19 contact tracing system that would be built into every modern iPhone and Android smartphone.
The solution, which is designed to be leveraged by official government health organizations around the world to provide another tool in containing the pandemic, is designed to provide an underlying framework for official health apps from all levels of government to plug into in order to collect necessary data.
Since Apple is one of the two companies behind the endeavour, which it has now dubbed with the less sinister-sounding name “Exposure Notifications,” it’s being done with privacy as a priority, and both Apple and Google have taken many steps to ensure that the system is entirely opt-in, only the minimum necessary amount of data is recorded, and that such data is not being collected on cloud servers.
In fact, some countries aren’t buying into the Apple and Google solution due to the privacy-focused nature of it, preferring to instead roll their own apps that will collect information — and in some cases, even user locations — in centralized government databases.
Unfortunately, this not only creates new privacy concerns, but these “non-participating” apps may in fact be less effective, since they won’t have the ability to collect contact tracing data in the background. Some countries have even gone so far as to ask Apple to relax its restrictions so that their apps can function.
Strict Legal Requirements
Of course, Apple isn’t about to loosen up the security and privacy features in iOS, and in fact it looks like Apple and Google are putting out some fairly strict legal requirements to make absolutely certain that their own new exposure notification system isn’t misused by governments and public health authorities.
With today’s release of the new Exposure Notification Framework, Apple has published a new Exposure Notification APIs Addendum to the standard Apple Developer Program License agreement — an additional set of conditions that registered iOS developers will need to agree to by signing legal documents in order to get access to the new framework.
First among these, of course, is that developers must actually “be a government entity, such as a government health services organization.” Developers who have been very specifically endorsed and approved by eligible government organizations can also sign on, of course, but this has to be very clearly laid out between the developer and the government organization.
Apple also notes that it will only approve one “Entitlement Profile” (basically meaning one developer) per country, except in those cases where a country has a regional approach. This means that for the most part, you’ll only see apps that use the Exposure Notification system coming from national government health organizations, although certainly larger jurisdictions like the United States and Canada, where health matters are under state/provincial jurisdiction, will likely be the typical “regional approach” exceptions.
Since Apple is using an Entitlement Profile to enable the feature, this also gives Apple the ability to pull the plug on an app at any time if it’s discovered to be out of compliance or misbehaving. In essence, Apple is holding a kill switch for each app’s ability to use the new Exposure Notification Frameworks.
This is important as developers are forbidden from using the Entitlement Profile on anything other than their own Contact Tracing App, and they can’t use it for any other purpose either. They are also not allowed to provide it to any third parties without express permission from Apple. Further, Apple and Google have both promised to shut the whole system down once it’s no longer necessary, and while that would presumably involve disabling it in a future iOS update, simply switching off all of the Entitlements would be the most reliable way to ensure the system could no longer be used.
Contact Tracing App Restrictions
As for the Contact Tracing Apps that government health organizations will be developing, they’ll be required to meet the following standards, in addition to all of the usual App Review Guidelines pertaining to health apps.
- Data collected through the Exposure Notification APIs can only be used for COVID-19 response efforts. Apple explicitly states that it cannot be used for law enforcement — even for things like enforcing quarantine.
- You can’t be asked to enter any personal information in order to receive exposure notifications. In other words, no app needs to know who you are to let you know that you may have been exposed to somebody who was diagnosed with COVID-19.
- Apps can ask you for registration data with your consent, but they can only ask for the minimum amount of data necessary for COVID-19 response efforts.
- Data collected by the Exposure Notification APIs, as well as data entered into the Contact Tracing App, must be kept strictly confidential and cannot be disclosed for any purpose other than COVID-19 response efforts without your express consent.
- Contact Tracing Apps should also include COVID-19 informational and educational resources, such as public health information.
- “All clinical information or guidance” must include references to sources so you can verify them.
- No advertising, product promotion, or marketing is permitted in Contact Tracing Apps, and they’re not allowed to collect or use the iOS Advertising Identifier for tracking purposes, or otherwise use analytics to collect any “identifiable information” about you.
- Contact Tracing apps can’t directly use the GPS, Bluetooth, or any other location services, or attempt to identify your location in any way, such as by collecting information about your device. They aren’t allowed to even ask for access to data that could personally identify you, such as Contacts or Photos.
- Contact Tracing apps aren’t allowed to communicate with other apps on your device at all, even those that are created by the same government health organization. So, for instance, a Contact Tracing app can’t pull information from another government services app you may have installed on your iPhone.
Basically, Apple is making it abundantly clear that Contact Tracing apps developed by various government health organizations are to be used for COVID-19 response efforts only, and nothing else, while also drawing a hard line against any and all attempts for these apps to collect too much personal information or try and identify users in any way unless they very specifically choose to provide their information voluntarily.
The Exposure Notification system itself, which rolled out last week in the first iOS 13.5 beta, works purely over Bluetooth, using anonymized keys that are exchanged between phones, allowing them to log when they’ve been in proximity with each other. The identifiers are designed in such a way that they can’t be used to easily identify individual phones, let alone individual people, and they exist solely for the purpose of notifying people who may have been in contact with somebody who is later diagnosed with COVID-19. Because of the way the keys are handled, neither Apple, nor Google, nor your government’s health app, has any need to know who you are in order to trigger that notification.
Further, all of these identifiers are only stored locally on each person’s device. It’s only if they are diagnosed with COVID-19 — and choose to voluntarily share that diagnosis — that the identifiers are used to send out notifications to other devices that the person has come into contact with. At this point, however, exactly how this works in terms of the user experience and the necessary contact thresholds is being left up to the individual government health organizations.
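To make the data flow described in the two paragraphs above concrete, here is an added Python model that is not code from Apple, Google or this article: each phone keeps a random per-day key that never leaves the device, derives short-lived identifiers from it for Bluetooth broadcast, and stores only the identifiers it hears; a diagnosed user who consents uploads nothing but day numbers and daily keys, and every other phone re-derives identifiers from those keys locally to see whether it heard any of them. The HMAC-based derivation, the 10-minute rotation period, the phone labels, the day number and the exposure threshold are assumptions made for illustration and are not the published specification.

```python
import hashlib
import hmac
import secrets

# Constructed assumptions for the demo, not values from the real framework.
ROLLING_PERIOD_MINUTES = 10
INTERVALS_PER_DAY = 24 * 60 // ROLLING_PERIOD_MINUTES  # 144 identifiers per day
EXPOSURE_THRESHOLD_INTERVALS = 2  # placeholder: 2 matching intervals (~20 min) counts as exposure


def derive_identifier(daily_key: bytes, interval_index: int) -> bytes:
    """Derive a 16-byte rolling identifier from a per-day key and an interval index.

    Illustrative derivation (HMAC-SHA256 truncated to 16 bytes). Anyone who hears
    an identifier but does not hold the daily key cannot link it to other identifiers
    from the same phone, which is the property the article describes.
    """
    return hmac.new(daily_key, interval_index.to_bytes(4, "little"), hashlib.sha256).digest()[:16]


class Phone:
    """One device. The label exists only for the demo and is never transmitted."""

    def __init__(self, label: str) -> None:
        self.label = label
        self.daily_keys: dict[int, bytes] = {}  # day -> random key, kept on device
        self.heard: set[bytes] = set()           # identifiers received over Bluetooth

    def daily_key(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = secrets.token_bytes(16)
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        """Identifier this phone advertises during one interval of the given day."""
        return derive_identifier(self.daily_key(day), day * INTERVALS_PER_DAY + interval)

    def hear(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def diagnosis_keys(self, days: list[int]) -> list[tuple[int, bytes]]:
        """What a diagnosed user voluntarily uploads: day numbers and daily keys only.
        No name, no location, no list of contacts."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def matching_intervals(self, published: list[tuple[int, bytes]]) -> int:
        """Run locally on each phone: re-derive every identifier a published key could
        have produced and count how many of them this phone actually heard."""
        count = 0
        for day, key in published:
            for i in range(INTERVALS_PER_DAY):
                if derive_identifier(key, day * INTERVALS_PER_DAY + i) in self.heard:
                    count += 1
        return count

    def is_exposed(self, published: list[tuple[int, bytes]]) -> bool:
        # The threshold policy is the part the article says health authorities decide.
        return self.matching_intervals(published) >= EXPOSURE_THRESHOLD_INTERVALS


def simulate() -> dict:
    """Constructed scenario: Alice and Bob spend three intervals together, Carol hears
    Alice once in passing, then Alice is diagnosed and consents to publish her key."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 18400  # constructed day number
    for interval in (30, 31, 32):
        bob.hear(alice.broadcast(day, interval))
        alice.hear(bob.broadcast(day, interval))
    carol.hear(alice.broadcast(day, 90))
    published = alice.diagnosis_keys([day])  # the only data that leaves Alice's phone
    return {
        "bob_intervals": bob.matching_intervals(published),
        "bob_exposed": bob.is_exposed(published),
        "carol_intervals": carol.matching_intervals(published),
        "carol_exposed": carol.is_exposed(published),
        "upload_fields": [(d, len(k)) for d, k in published],  # (day, 16 random bytes)
        "identifiers_rotate": alice.broadcast(day, 30) != alice.broadcast(day, 31),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Bob's phone reaches the threshold and Carol's does not, yet neither phone, nor the server relaying the published keys, learns who Alice is: the upload is a day number and sixteen random bytes, and every match is computed on the receiving device against identifiers it already held.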
However, while this first stage relies on third-party government health apps, Apple and Google have suggested that they’ll build more functionality into the iOS and Android operating systems going forward, allowing users to participate and receive notifications even if they don’t have the necessary app installed. That said, the solution is being built explicitly to handle the current crisis, and both companies have promised to dismantle the system entirely once the pandemic is over.