MacRumors

macrumors bot
Original poster
Apr 12, 2001
59,299
23,284


Apple in May 2020 introduced an Exposure Notification System, which lets public health authorities and governments worldwide help people figure out if they've been exposed to COVID-19, and if so, what steps to take next to minimize the spread of the virus.

Exposure Notification Explained

Exposure Notification started out as contact tracing, an Apple-Google initiative that was announced in early April to limit the spread of COVID-19.

Apple and Google created an API that is designed to allow iPhones and Android smartphones to interface with one another for contact tracing purposes, so if and when you happen to be nearby someone who is later diagnosed with COVID-19, you can get a notification and take the appropriate steps to self-isolate and get medical help if necessary.

Determining whether you've come into contact with someone relies on your iPhone, which, using the exposure notification API, interacts with other iPhones and Android smartphones over Bluetooth whenever you're around someone else who also owns a smartphone, exchanging anonymous identifiers.

Apple and Google developed the underlying APIs and Bluetooth functionality, but they are not developing the apps that use those APIs. Instead, the technology is being incorporated into apps designed by public health authorities worldwide, which can use the tracking information to send notifications on exposure and follow up with recommended next steps. Apple and Google have also implemented an "Express" feature that allows Exposure Notifications to work in partnership with health authorities, but without an Exposure Notification app.

The APIs have been created with privacy and security in mind, and app usage is opt in rather than mandatory.

How Exposure Notification Works

Almost everyone has a smartphone, which makes them ideal for determining who you've come in contact with. Exposure notification has a self-explanatory name, and in a nutshell, the feature is designed to send you a notification if you've been in proximity to a person who is diagnosed with COVID-19.

Here's a detailed, step-by-step walkthrough on how it works:
  1. Two people, Ryan and Eric, are both at the same grocery store shopping for food on a Tuesday afternoon. Eric has an iPhone and Ryan has an Android phone, both with a health app that uses the exposure tracking API or the Express Exposure Notification feature.
  2. There's a long wait, so Eric and Ryan are standing in the checkout line together for approximately 10 minutes. During this time, each of their phones is transmitting entirely anonymous identifier beacons, and picking up the identifier beacons transmitted by the other person. Their phones know they've been in contact and store that information on the device itself, transmitting it nowhere else.
  3. A week later, Ryan comes down with COVID-19 symptoms, sees a doctor, and is diagnosed with COVID-19. He opens up his Android phone, verifies his diagnosis using documentation from a healthcare provider, and taps a button that uploads his identifier beacon to a centralized cloud server.
  4. Later that day, Eric's iPhone downloads a list of all recent beacons from people that have contracted COVID-19. Eric then receives a notification that he was in contact with someone that has COVID-19 because of his interaction with Ryan at the grocery store.
  5. Eric does not know it was Ryan who has COVID-19 because no personally identifiable information was collected, but the system knows Eric was exposed to COVID-19 for 10 minutes on Tuesday, and that he was standing close to the person who exposed him based on the Bluetooth signal strength between their two phones, allowing the app to provide the appropriate information.
  6. Eric follows the steps from his local public health authority on what to do after COVID-19 exposure.
  7. If Eric later comes down with COVID-19, he follows the same steps listed above to alert people he's been in contact with, allowing everyone to better monitor for potential exposure.
Apple and Google also created a handy graphic that explains the process, which we've included below:

What You Need to Do to Use Exposure Notification

Using Exposure Notification on a device running the latest version of iOS requires opening up the Settings app, selecting the "Exposure Notifications" section, and then tapping on "Turn on Exposure Notifications."

From here, your iPhone will let you know if an Exposure Notification app is available in your state, country, or region, providing details on how to download it. You'll also be informed if you can use Exposure Notifications without an app through the Express feature, or Exposure Notifications are unavailable in your area at this time.

Exposure Notification is a feature that's off by default, and actually using the API requires you to toggle on the feature and in some cases, download an app from a verified health authority. Many countries are developing country and state-specific apps that users can download.

Without explicitly opting in to use the Exposure Notifications feature, the Exposure Notification API on the iPhone doesn't do anything. Once you've downloaded an app and consented to using it, or consented to using the Express option, the Exposure Notification feature will become active on your smartphone.

Cross-Platform App Communication

Apple and Google have both worked to create APIs for exposure notifications that work together so iPhone and Android smartphones can interface with one another and you'll receive notifications if exposure happens even if the person you've been in contact with has an Android smartphone.

On iOS, Exposure Notification works on devices running iOS 13 and later, including iOS 14 and iOS 15.

Exposure Notification Opt-In

Exposure Notifications on the iPhone are off by default and must be toggled on. Using the feature requires users to consent to signing up for the exposure notification system, which is part of the sign up process. Exposure Notifications can be toggled on using the "Exposure Notifications" section in the Settings app.

If you do, at some point, get COVID-19, there's a separate consent process for anonymously alerting people that you've been in contact with. The feature needs express consent to inform others of the diagnosis, and nothing happens automatically.

Disabling Exposure Notification

You can disable Exposure Notifications entirely by opening up the Settings app and tapping "Turn off Exposure Notifications." If you've downloaded an Exposure Notification app, you can also delete the app to disable Exposure Notifications. Since Exposure Notifications is off by default, if you've never used it, you don't need to do anything to disable it.

Exposure Notification Verification

When a person is diagnosed with COVID-19, before an alert is sent out to the people they've been in contact with, the apps that are using Apple and Google's exposure notification APIs require verification that a person has tested positive for the disease.

This prevents people from using the system maliciously to trick others into believing exposure has happened when it has not.

As an example, a person who tests positive for COVID-19 might receive a QR code with their test results, which could be scanned into an exposure notification app for verification purposes. The verification process varies by region, according to Apple.

How Exposure Notifications Work

As explained above, with a health app that uses the exposure notification API installed or the Express system activated with express consent, your smartphone exchanges anonymous identifiers with each person you come in contact with that also has an app that uses the API.

Your phone keeps a list of these identifiers on it, and this list remains on your device -- it is not uploaded anywhere. The exception is if you're diagnosed with COVID-19 and then follow the steps to send out notifications to the smartphones that have been in contact with yours.

In this situation, the list of random identifiers that your iPhone has been assigned over the course of the previous 14 days is sent to a centralized server. Other people's iPhones check this server and download that list, checking it against the identifiers stored on their own iPhones. If there's a match, they receive a notification about exposure with more information about the steps to take next.

Matches are made on device rather than on a server in a central location, which preserves privacy while also making sure people know about possible exposure.

For a simpler explanation, here's a step-by-step walkthrough on how it works:
  1. Ryan and Eric interact at the grocery store. During this interaction, Ryan's Android phone has a random identifier number, 12486, which is unique to Ryan's phone (and which changes every 15 minutes).
  2. Eric's iPhone records Ryan's random identifier number, 12486, and sends Ryan his own random identifier, 34875. Both Ryan and Eric are in contact with a dozen people at the grocery store, so their smartphones download random identifiers from all of these phones.
  3. Ryan contracts COVID-19, confirms his diagnosis in the app, and consents to upload all of the identifiers his phone has used for the last two weeks (including 12486) to a central server accessible by Eric's COVID-19 app. At this point, Ryan's identifier is shared with a central database, but these random identifier numbers are not associated with any personal information and don't include location data.
  4. Eric's phone downloads the list of identifiers of people who have been diagnosed with COVID-19, which includes Ryan's identifier, 12486, and compares it against the list of identifiers that have been stored based on Eric's interactions.
  5. A match is made, so Eric receives a notification that he has been in contact with someone who has COVID-19 and he receives info on what steps to take next.
Public health authorities will have access to information that includes the amount of time that Eric and Ryan's phones were in contact and the distance between them, as determined by Bluetooth signal strength, which can be used to estimate distance.

Based on this information, the Exposure Notifications System can deliver location-specific, tailored notifications to Eric, perhaps letting him know his exposure level and potential danger based on those factors. The system will know the day he was exposed, how long the exposure lasted, and the Bluetooth signal strength of that contact. No other personal information is shared.

Each public health authority is able to define what constitutes an exposure event and the number of exposure events an individual has had, plus it allows apps to factor transmission risk of positive cases into their definitions of an exposure event, all of which will impact how and when exposed users are contacted.

App Demonstrations

Apple and Google provided samples on how apps will work to give users an idea of what to expect before making a download. In iOS 13.5, there is a new menu under Settings > Health > COVID-19 Exposure Logging that lets users know which public health authority app they're using along with a list of exposure checks, which can be deleted.

When a user is potentially exposed to COVID-19, the app will provide a push notification letting them know about the incident. All exposure events for the last 14 days are listed in the app, and details include whether a diagnosis was verified and when you were near the person who later became sick.

When Data is Shared

For the most part, the exposure notification system runs on your device. Identifiers are collected and matched entirely on your smartphone and are not shared with a central system. There are two exceptions to this:
  1. When a user is diagnosed with COVID-19 and chooses to report that positive diagnosis to the contact tracing system, the most recent identifier beacons (from the last 14 days) are added to the positive diagnosis list shared by a public health authority to allow others who came in contact with that identifier to be alerted.
  2. When a user is notified through their smartphone that they've come into contact with an individual who has tested positive for COVID-19, the day the contact occurred, how long it lasted, and the Bluetooth signal strength of that contact is shared.

Exposure Notification Privacy Details

First and foremost, full privacy details on exposure notification are available on Apple's website, but we'll cover some important frequently asked questions about privacy below.
  • No identifying info - Your name, Apple ID, and other information are never shared in or associated with apps that use the exposure tracking API.
  • No location data - The system does not collect, use, or share location data. Exposure notification isn't for tracking where people are, but for determining whether a person has been around another person.
  • Random identifiers - Your iPhone is assigned a random, rotating identifier (a string of numbers) that is transmitted using Bluetooth to other nearby devices. Identifiers change every 10 to 20 minutes.
  • On-device operation - Identifiers that your phone comes into contact with, or phones that come into contact with your identifier, are stored on device and are not uploaded anywhere without consent.
  • Consent-based sharing - If you do test positive for COVID-19, the people you have been in contact with do not receive an alert without express permission.
  • On-device identifier matching - If you contract COVID-19 and consent to share that information, your identifier list from the last two weeks is uploaded to a central server that other devices can check to identify a match on their iPhones.
  • Opt-in - Exposure notification is entirely opt-in. You do not need to use the feature, and it does not work unless you download an app that uses the API. It also does not work if you turn off the Exposure Notifications option in the Settings app.
  • Data sharing with Apple/Google - Apple and Google do not receive identifying information about the users, location data, or any other devices the user has been in proximity of.
  • Data monetization - Apple and Google will not monetize the exposure notification project.
  • Verified health apps only - Apple's APIs are only able to be used by public health authorities around the world. Apps must meet specific criteria around privacy, security, and data control. Apps can access a list of beacons provided by users confirmed as positive for COVID-19 who have opted in to sharing them, but no personally identifiable information is included.
  • Disabling exposure notification - Apple and Google can disable the exposure notification system on a regional basis when it is no longer needed.

Restrictions for Apps

Apps need to follow a number of restrictions to be approved to use the Exposure Notification API. Only one app per country is allowed, in order to make sure there's no fragmentation and to promote high user adoption.

The exception is if a country has opted for a regional or state approach, which Apple and Google support. The following restrictions must also be followed:

  • Apps must be created by or for a government public health authority and they can only be used for COVID-19 response efforts.
  • Apps must require users to consent before the app can use the API.
  • Apps must require users to consent before sharing a positive test result with the public health authority.
  • Apps should only collect the minimum amount of data necessary and can only use that data for COVID-19 response efforts. All other uses of user data, including targeted advertising, are not permitted.
  • Apps are prohibited from seeking permission to access Location Services.

Apps That Use the Exposure Notification API

So far, Switzerland, Latvia, Italy, Germany, Poland, Saudi Arabia, Ireland, Croatia, Denmark, Netherlands, Scotland, Canada, Japan, England, Wales, Belgium, New Zealand, and Norway have all launched Exposure Notification apps or use Apple's Exposure Notification express feature.

In the United States, Virginia, North Dakota, Arizona, Delaware, Nevada, Alabama, Colorado, Wyoming, North Carolina, Pennsylvania, Michigan, Maryland, New York, New Jersey, Minnesota, Washington, Connecticut, Nevada, the District of Columbia, California, and Utah have launched Exposure Notification apps or take advantage of Apple's "Express" feature that allows for notifications without an app.

iPhone users can have more than one Exposure Notification app installed, but only one can be active at a time. Options to control which app is functional can be found in Privacy > Health > COVID-19 Exposure Logging.

Exposure Notifications Express

Introduced as part of iOS 13.7, Exposure Notifications Express is the operating-system level second-generation version of the Exposure Notification API, allowing states, countries, and regions to take advantage of the Exposure Notification System without having to build an entire app.

Exposure Notifications Express can be thought of as Exposure Notifications without an app, but using the feature still requires oversight by a public health authority in a given area.

Basically, public health authorities that want to use Exposure Notifications Express can instead provide Apple and Google with information about how to reach the public health authority, guidance for residents, and recommendations on potential actions.

Public health authorities provide a name, logo, criteria for triggering an exposure notification, and the materials to be presented to users in case of exposure, with Apple and Google using this information to offer an Exposure Notifications System to customers on behalf of the public health authority.

Exposure Notifications Express programs from various areas are interoperable with one another and existing Exposure Notifications apps that have rolled out. Public health authorities can still choose to build their own custom apps instead of using Exposure Notifications Express.

Privacy continues to be a focus with the new feature. Even though an app is not necessarily required in an area where a public health authority has opted into Exposure Notifications Express, it still needs to be expressly enabled on an iPhone by opening up the Settings, navigating to the Exposure Notification section, and tapping "Turn on Exposure Notifications." Opting out at any time is possible.

Health Organization Partners

The API was developed with a number of health authorities, including the CDC, the Association of Public Health Laboratories, the Association of State and Territorial Health Officials, the Council of State and Territorial Epidemiologists, and the Public Health Informatics Institute of the Taskforce for Global Health.

More Information

Apple and Google both have dedicated websites with more information about exposure notification, and that should be your first stop if you want to know more about it and how it works.

Guide Feedback

Have a question about the exposure notification system, know of something we left out, or want to offer feedback? Send us an email here.

Article Link: Apple's Exposure Notification System: Everything You Need to Know
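
The identifier exchange and on-device matching walked through in the article above, as an added Python example that is not part of the original post and is not Apple's or Google's code. It assumes a 10-minute rotation, models the uploaded list as per-day keys from which identifiers are re-derived, and uses truncated HMAC-SHA256 as a stand-in derivation; the `Phone` class, timestamps and signal strengths are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVAL_SECONDS = 10 * 60   # identifier rotation period (assumed: 10 minutes)
INTERVALS_PER_DAY = 144      # 24 h / 10 min
RETENTION_DAYS = 14          # the article: the previous 14 days are shared


def interval_of(unix_time: int) -> int:
    return unix_time // INTERVAL_SECONDS


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Derive the identifier broadcast during one interval.

    Stand-in construction (HMAC-SHA256 truncated to 16 bytes), chosen so the
    example needs only the standard library; it is not the production scheme.
    """
    message = b"example-rolling-id" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, message, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    daily_keys: dict = field(default_factory=dict)  # day -> random 16-byte key
    heard: dict = field(default_factory=dict)       # identifier -> [(time, rssi)]

    def broadcast(self, now: int) -> bytes:
        """Identifier this phone advertises at time `now`; no personal data in it."""
        day = interval_of(now) // INTERVALS_PER_DAY
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_identifier(key, interval_of(now))

    def receive(self, identifier: bytes, now: int, rssi_dbm: int) -> None:
        """Store a sighting locally; nothing leaves the device here."""
        self.heard.setdefault(identifier, []).append((now, rssi_dbm))

    def upload_after_diagnosis(self, today: int) -> list:
        """Consent step: release only this phone's own keys for the last 14 days."""
        return [(day, key) for day, key in sorted(self.daily_keys.items())
                if today - RETENTION_DAYS < day <= today]

    def check_exposure(self, published: list) -> dict:
        """On-device matching: re-derive identifiers and compare with `heard`."""
        hits = {}
        for day, key in published:
            first = day * INTERVALS_PER_DAY
            for interval in range(first, first + INTERVALS_PER_DAY):
                candidate = rolling_identifier(key, interval)
                for seen_at, rssi in self.heard.get(candidate, []):
                    # Count a sighting only inside the identifier's validity window.
                    if interval_of(seen_at) == interval:
                        hits.setdefault(day, []).append((seen_at, rssi))
        return {
            day: {"seconds": max(t for t, _ in s) - min(t for t, _ in s),
                  "strongest_rssi_dbm": max(r for _, r in s)}
            for day, s in hits.items()
        }


def grocery_store_demo():
    """Constructed scenario: Ryan and Eric queue together for about 10 minutes."""
    ryan, eric, stranger = Phone(), Phone(), Phone()
    t0 = 1_588_000_000  # constructed timestamp; the queue spans two intervals
    for minute in range(11):
        now = t0 + 60 * minute
        eric.receive(ryan.broadcast(now), now, rssi_dbm=-55)
        ryan.receive(eric.broadcast(now), now, rssi_dbm=-55)
    # A third shopper hears Eric briefly; Eric is never diagnosed.
    stranger.receive(eric.broadcast(t0), t0, rssi_dbm=-85)
    eric.receive(stranger.broadcast(t0), t0, rssi_dbm=-85)

    today = interval_of(t0) // INTERVALS_PER_DAY + 7   # Ryan reports a week later
    published = ryan.upload_after_diagnosis(today)     # what the server holds
    return eric.check_exposure(published), stranger.check_exposure(published), published


if __name__ == "__main__":
    eric_report, stranger_report, published = grocery_store_demo()
    print("server holds", len(published), "key(s), no names or locations")
    print("Eric:", eric_report)
    print("Stranger:", stranger_report)
```

The server only ever sees the diagnosed phone's own keys; the list of identifiers each phone heard, and the match itself, stay on the device.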
 

Trik

macrumors 6502
Jan 18, 2011
368
1,159
Washington, DC
Ready for the flood of "not me" posts from people that barely read the title...

~ 81% of Americans own a smartphone, this technology CAN save lives. Apple & Google have done an excellent job explaining HOW this is done without compromising your privacy. If you own a smartphone, but don't trust the explanation around how this works, why would you trust that your phone isn't already compromising your privacy & security?
 

TechieGeek

macrumors regular
Mar 12, 2012
248
511
Thanks Juli, I've been following this and trying to address misinformation on the forum every time an article about this API came up.

This is well written and accurate, and I encourage folks to read through it carefully to be informed about the way this system actually works.
 

ryanwarsaw

macrumors 68030
Apr 7, 2007
2,746
2,441
Going to be a hard pass for me. It's simply too creepy. Along with drones in parks telling people to separate and being told not to go outside, wearing masks mandatory. That world is just too creepy for me to accept as the new normal. I just have pictures in my mind of the government coming to my house and treating me like E.T.
 

hourglass111

macrumors member
Jan 26, 2017
45
117
Mid Ohio Valley
Ready for the flood of "not me" posts from people that barely read the title...

~ 81% of Americans own a smartphone, this technology CAN save lives. Apple & Google have done an excellent job explaining HOW this is done without compromising your privacy. If you own a smartphone, but don't trust the explanation around how this works, why would you trust that your phone isn't already compromising your privacy & security?

Once again, it’s not a data/privacy issue, it’s an ideological/societal one.

I will not have my phone pinging me just because someone else has gotten sick. If I get sick, I’ll take appropriate measures. But I’m not walking around waiting to get pinged. In high density areas like a city, you’ll be at risk for getting more pings about COVID than texts from friends and colleagues.

To me, this is simply obnoxious; but imagine the people who already can’t handle anxiety or mainstream fear paranoia, how will they do with being pinged about their potential acute death sentence multiple times a day?

Furthermore, unless I end up in hospital from symptoms, I won’t be pursuing a COVID test because of how haphazardly it’s assumed I should suddenly be tracked. That’s a big NO. I was not opposed to getting tested until seeing how a positive test suddenly comes with all of these assumptions and implied actions to take next.

All of this is a red flag setting precedent for worse things. In the other thread I used the example of HIV/AIDS. That’s something that “should” have contact tracing, yet it does not. So far we can statistically say that people recover from COVID. Not so with HIV, which is a death sentence* on maintenance. So I find this COVID tracking supremely suspicious.

If you’ve got no problem with this, then get ahead of the curve you’re flattening and imagine a future where you’re pinged for passing a stranger with COVID … then passing one with HIV … then passing one with Herpes … etc. It’s all inappropriate.

The violation of privacy is not with the data (which I applaud Apple for handling well), but with the idea of allowing our health to be broadcast and allowing our personal devices invaded with pings from those who willy-nilly broadcast their health out of some noble sense of saving the world.

It would honestly make more sense to have no privacy and share everyone’s contact info. That way if you, Person Who Supports Tracking, pass me and get me sick, then I can sue your insurance to cover my healthcare to get sick. How does that sound? Just like with a car accident.

After all, contracting COVID and ending up in hospital in the US is more likely a financial death sentence than an actual death sentence. Statistically speaking, anyway.

EDIT: Corrected typo of not including the word “sentence.”
 

Mosey Potter

macrumors member
Aug 9, 2018
34
60
Ready for the flood of "not me" posts from people that barely read the title...

~ 81% of Americans own a smartphone, this technology CAN save lives. Apple & Google have done an excellent job explaining HOW this is done without compromising your privacy. If you own a smartphone, but don't trust the explanation around how this works, why would you trust that your phone isn't already compromising your privacy & security?

So. My answer is this. I don't carry my phone around with me when I am out and about in my community. I take it with me when I travel, but nobody is traveling right now. Why don't I carry my phone around with me even in "normal" times? Because, I don't trust that my phone isn't already compromising my privacy and security. Simply that. I use iPhone but have no doubts that even though Apple is better than the googles, microsofts, facebooks and twitters of the world...they are still tracking every step I take and every breath I breathe. Sorry not going to trust anything that GOOGLE is involved with. Never. If it was Apple and DuckDuckGO maybe I'd think about it for thirty seconds and then say NO WAY !
It's a shame that we have this amazing tech that could do so much to help us right now, but the lords of the tech universe have monetized and stolen every single byte of our data. So eff them !
 

TechieGeek

macrumors regular
Mar 12, 2012
248
511
Not addressed anywhere I've seen...
If Apple and Google both push out updates to their OS to allow this tracking, are we then just tracking iPhone users? Because we've all seen the graphs in Android % on new updates.
Where have you looked exactly?


"For Google, the update to enable the tracking tools won't be like a normal operating system upgrade. It will instead come through a set of tools called Google Play Services, which lets Android sidestep some fragmentation issues by pushing updates directly, without the approval of device and wireless partners. The company normally uses Google Play Services to update its own apps, like Gmail and Maps, and to push changes like a new app icon. The contact tracing tools will be available for phones running software as old as Android Marshmallow, the version of the operating system released in 2015."
 

The Cappy

macrumors 6502a
Nov 9, 2015
608
1,082
Dunwich Fish Market
'transmitting entirely anonymous identifier beacons'

We know now this is not possible in this day and time. Data will be breached.
Life's a bitch. Lives saved vs your nebulous and mostly imaginary fears of... of what exactly. WTF dreadful consequences do you foresee for this data getting breached? And if your answer is anything along the lines of "well I would have wanted my positive COVID status not to have been known", screw you. And if you have genuine concerns, feel free to balance that against the good of this kind of tracking.

They had far more aggressive tracking in S. Korea. And yeah the people there were tools and tried very hard to de-anonymize the data to publicly shame some of the infected, but S. Korea is doing pretty damned good right now infection wise. Sometimes the needs of compulsive zealotry must bend to the needs of people in the real world who simply want. Not. To. Die.
 

Trik

macrumors 6502
Jan 18, 2011
368
1,159
Washington, DC
So. My answer is this. I don't carry my phone around with me when I am out and about in my community. I take it with me when I travel, but nobody is traveling right now. Why don't I carry my phone around with me even in "normal" times? Because, I don't trust that my phone isn't already compromising my privacy and security. Simply that. I use iPhone but have no doubts that even though Apple is better than the googles, microsofts, facebooks and twitters of the world...they are still tracking every step I take and every breath I breathe. Sorry not going to trust anything that GOOGLE is involved with. Never. If it was Apple and DuckDuckGO maybe I'd think about it for thirty seconds and then say NO WAY !
It's a shame that we have this amazing tech that could do so much to help us right now, but the lords of the tech universe have monetized and stolen every single byte of our data. So eff them !

Great, then this won't affect you. For all intents and purposes, you don't carry a phone around.
Once again, it’s not a data/privacy issue, it’s an ideological/societal one.

I will not have my phone pinging me just because someone else has gotten sick. If I get sick, I’ll take appropriate measures. But I’m not walking around waiting to get pinged. In high density areas like a city, you’ll be at risk for getting more pings about COVID than texts from friends and colleagues.

To me, this is simply obnoxious; but imagine the people who already can’t handle anxiety or mainstream fear paranoia, how will they do with being pinged about their potential acute death sentence multiple times a day?

Furthermore, unless I end up in hospital from symptoms, I won’t be pursuing a COVID test because of how haphazardly it’s assumed I should suddenly be tracked. That’s a big NO. I was not opposed to getting tested until seeing how a positive test suddenly comes with all of these assumptions and implied actions to take next.

All of this is a red flag setting precedent for worse things. In the other thread I used the example of HIV/AIDS. That’s something that “should” have contact tracing, yet it does not. So far we can statistically say that people recover from COVID. Not so with HIV, which is a death on maintenance. So I find this COVID tracking supremely suspicious.

If you’ve got no problem with this, then get ahead of the curve you’re flattening and imagine a future where you’re pinged for passing a stranger with COVID … then passing one with HIV … then passing one with Herpes … etc. It’s all inappropriate.

The violation of privacy is not with the data (which I applaud Apple for handling well), but with the idea of allowing our health to be broadcast and allowing our personal devices invaded with pings from those who willy-nilly broadcast their health out of some noble sense of saving the world.

It would honestly make more sense to have no privacy and share everyone’s contact info. That way if you, Person Who Supports Tracking, pass me and get me sick, then I can sue your insurance to cover my healthcare to get sick. How does that sound? Just like with a car accident.

After all, contacting COVID and ending up in hospital in the US is more likely a financial death sentence than an actual death sentence. Statistically speaking, anyway.

Head in the sand. Got it.

And btw, it is telling you exposure time and proximity. But if you're the type where the less you know the better, then sure, this functionality is not meant for you.
 

NightFox

macrumors 68040
May 10, 2005
3,064
4,089
Shropshire, UK
I already stayed at home for 2 months, thanks Italy. Don't need any more nanny state or liberal companies trashing my privacy and rights.

Yes I read the specs. Yes I read the full article. No, no way I will willingly give up God given rights.

Please - given that you've read the article and so presumably understand how this thing works: which of your God-given rights are you giving up?
 

Kaizen

macrumors member
Nov 11, 2006
49
10
It’s encouraging to see many of the comments here are sceptical of this service. History shows that governments are all too happy to infringe on personal rights and liberties under the guise of ‘safety;’ the modern spin in our corporatocracy is that it is private companies who are offering these slick, well-marketed Orwellian surveillance systems. But make no mistake, it’s the same old fascism.
 