Curious About “Exposure Notifications?” Here are Your Answers

Google and Apple’s response to the call for virus-combatting technological advancements, in the form of contact tracing

Nora Krantz
Tech in Policy
Oct 8, 2020


iPhone screen showing Exposure Notifications alert

This article is a part of the Tech in Policy publication. TiP focuses on technology being used for good and shines a light on its more malicious or neglectful implementations. To read more, visit this link.

Have you received a notification like the one above within the last couple of months? If so, you might be curious about what this new technology actually means for you. Before we get into the nitty gritty of how Exposure Notifications work, let’s take a step back.

As we’re all well aware, the spread of COVID-19 forced communities across the globe to uproot their routines and adapt to a new normal. Each and every aspect of our daily lives has been affected, leading to the digitization of professional communication, grocery shopping and even dating. Contrary to the president’s desperate attempts to diminish the gravity of the pandemic and the danger it imposes upon society, COVID-19 is a serious threat for anyone who doesn’t have the means to receive presidential-quality medical treatment (and maybe even for those who do). Many companies are taking advantage of arising opportunities for technological advancements to help us adapt to our new normals, and in turn, experiencing significant growth. Alongside the newfound business opportunities brought about by the pandemic, tech companies are faced with a responsibility to use their resources to develop solutions to combat the spread of the virus. In May 2020, Apple and Google joined forces to create a new contact tracing API, powered by our smartphones, called the Exposure Notification System (ENS).

iOS and Android users are able to opt-in to Exposure Notifications if their state government has made the technology available — usage is completely voluntary. Because state officials are in charge of getting the ball rolling on implementing the API for their residents, it’s being released on a state-by-state basis. Check here to see an updated list of the states using ENS!

In use: ND WY NV AZ AL NC VA PA NY NJ DE; In development: WA OR CA CO SC MD DC
US States currently using or planning to use the ENS API as of Oct 1, 2020

How do Exposure Notifications work?

We’ll take a deeper look at some of the technical aspects in a bit, but let’s start with a brief overview of the EN implementation. When turned on, the ENS generates a random identification code that changes every 10–20 minutes. If a person spends enough time within six feet of someone who also has Exposure Notifications enabled, the two phones will swap codes. Each phone keeps a log of the codes it has received within the past 14 days. If a user tests positive for COVID-19, they’re able to anonymously notify the system. Each day, the ENS compares its log with a list of confirmed cases, and notifies anyone whose log contains a match. The app also contacts state health authorities if the cluster is large enough.

Wait a minute… I don’t want to share all that personal information!

The creators of the ENS were faced with no simple task. In order to build a digital public health system with the intention of widespread usage, there were many privacy and security risks to consider. The only way to get users to fully trust the software was by protecting their information, which is why the ENS does not track its users’ locations. Rather, it uses Bluetooth technology to detect when another device is nearby. Because the contact tracing happens on the user’s device with encrypted ID codes, no personally identifiable information (PII) is shared with Apple, Google or any other users. The only people authorized to facilitate the system are public health authorities, who may ask for additional information, such as a phone number, in order to contact infected users. However, neither public health authorities nor state government officials are automatically granted access to users’ locations or personal data.

The system goes through many steps to encrypt a user’s information. When Exposure Notifications are first set up, a Temporary Exposure Key (TEK) is generated on the device using a cryptographic random number generator and updates on a 24-hour cycle called the TEKRollingPeriod. See the method below, from the Exposure Notifications Cryptography docs.

The TEK is used to derive a Rolling Proximity Identifier Key (RPIK):

RPIKᵢ ← HKDF(TEKᵢ, NULL, UTF8(“EN-RPIK”), 16)

The variable i is the ENIntervalNumber, a value corresponding to the TEKRollingPeriod. The RPIK is then used to derive a Rolling Proximity Identifier (RPI). Approximately every 15 minutes, a new RPI is created using the following formula:

RPIᵢ,ₓ ← AES₁₂₈(RPIKᵢ,PaddedDataₓ)

PaddedData is a 16-byte sequence, and the variable x refers to the Unix Epoch Time when the roll occurs.

Key schedule for ENS, found in the official EN Cryptography Specs

That sounds pretty secure, but what about the contact tracing?

When two devices using EN are in close proximity for long enough (determined by the strength of Bluetooth signals), they swap RPIs along with some Associated Encrypted Metadata (for more info on what that metadata contains, read page 4, point 3b of this doc), and keep them on a 14-day backlog. When a positive COVID-19 diagnosis is reported to the system, the infected user’s TEKs (only the ones from the period of time when the user could have been contagious) and their ENIntervalNumber are uploaded to the Diagnosis Server. The server aggregates all of these COVID-positive Diagnosis Keys and distributes them to all devices participating in EN. (Note that if you’re using Exposure Notifications and never receive a positive test result, your TEKs will never leave your device.) When the ENS performs its regular match-checking, it uses the above formulas along with the Diagnosis Keys it’s received to derive corresponding possible RPIs. Those values are then compared with the device’s local log of RPIs to check whether the user has been exposed to anyone with a positive test result.
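To make the derivation and the match-checking concrete, here is an added Go example (not code from this article's sources or from Apple and Google). It assumes HKDF is HKDF-SHA256 with a NULL salt and that PaddedData is "EN-RPI", six zero bytes, then the interval number as a little-endian 32-bit value, as laid out in the EN Cryptography Specification. The TEK, the start interval and the local log are constructed sample data, and the function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const tekRollingPeriod = 144 // 10-minute intervals covered by one TEK (24 hours)

// hkdf16 is HKDF-SHA256 (RFC 5869) with a NULL salt, limited to 16 output bytes.
func hkdf16(ikm []byte, info string) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // NULL salt = 32 zero bytes
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append([]byte(info), 0x01)) // first (and only) expand block
	return exp.Sum(nil)[:16]
}

// rpi computes RPI = AES128(RPIK, PaddedData) for one ENIntervalNumber.
func rpi(rpik []byte, interval uint32) [16]byte {
	var padded, out [16]byte
	copy(padded[:], "EN-RPI") // bytes 6..11 stay zero
	binary.LittleEndian.PutUint32(padded[12:], interval)
	block, _ := aes.NewCipher(rpik) // cannot fail for a 16-byte key
	block.Encrypt(out[:], padded[:])
	return out
}

// matches re-derives all RPIs of one Diagnosis Key and returns the intervals found in the local log.
func matches(tek []byte, start uint32, log map[[16]byte]bool) []uint32 {
	rpik := hkdf16(tek, "EN-RPIK")
	var hits []uint32
	for j := start; j < start+tekRollingPeriod; j++ {
		if log[rpi(rpik, j)] {
			hits = append(hits, j)
		}
	}
	return hits
}

func main() {
	tek := []byte("constructed-tek!") // constructed sample; a real TEK comes from a CRNG
	const start = 1601510400 / 600    // constructed: ENIntervalNumber at 2020-10-01 00:00 UTC
	log := map[[16]byte]bool{rpi(hkdf16(tek, "EN-RPIK"), start+7): true}
	fmt.Println(matches(tek, start, log))
}
```

Only the device that logged an RPI can link it to a Diagnosis Key; an RPI on its own reveals nothing about the TEK it came from.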

Diagram of EN user flow
EN user flow diagram from Apple and Google

Can any system really be 100% secure?

Everything has a vulnerability, right? While the Exposure Notification System is safe and should be used by as many people as possible in order to most effectively control the spread, all systems have vulnerabilities. Apple and Google addressed those risks in this document, as well as the methods they used to try to mitigate them. Potential risks that were considered include tracking users’ locations/interactions, uncovering data of positive cases, and disrupting the system at large. Although it’s commonly difficult for any software created by tech giants to gain full trust from the public, usage of the ENS is encouraged and generally considered safe.

Why didn’t we start using Exposure Notifications sooner?

The ENS was announced on April 10, yet as of October 1, only 11 states have made Exposure Notifications available to their residents. The lead developer of Wyoming and North Dakota’s EN app says “it’s not the apps that are the problem. It’s the fractured nature of contact tracing and the political issues. That’s the mess.” A failure by the US government to respond adequately to the pandemic forced local and state governments to take measures into their own hands. Without the same resources as the federal government, local officials face various obstacles that are delaying the process of bringing a digital contact tracing solution to reality. Leaving the development of the app up to state governments was another factor in the delayed implementation of the API, which Apple and Google addressed with their September 1 announcement of Exposure Notifications Express. The new system lowers the barrier of entry for states interested in EN, allowing them to use the technology without developing and maintaining an app.

The Exposure Notification System is a good example of tech giants fulfilling their responsibility to react to the ongoing health crisis, but it’s shadowed by the shortcomings of an incompetent government and its inability to produce a unified solution. While it’s easy to focus on those shortcomings (and important not to ignore them), participating in contact tracing is one of the steps we can take to help reduce the spread of COVID-19.
