In the United States, Virginia has enabled app-less Covid-19 exposure notification services for iPhone users, joining California, Colorado, Connecticut, Hawaii, Maryland, Minnesota, Nevada, Washington, Wisconsin, and the District of Columbia. This means iPhone users in those US states will not need to install exposure notification apps and can instead turn on notifications in the phone’s settings.
The services use the coronavirus exposure notification system built jointly by Apple and Google for their smartphone operating systems, iOS and Android, which the companies updated to work without apps. The system uses the ubiquitous Bluetooth short-range wireless communication technology.
As of January, 20 US states and the District of Columbia were using the system for exposure notification apps and app-less services. All of the apps and services are voluntary; however, the island of Maui in Hawaii now requires visitors to use one.
Dozens of apps are being used around the world that alert people if they have been exposed to a person who has tested positive for Covid-19. Many of them also report the identities of the exposed people to public health authorities, which has raised privacy concerns.
Several other exposure notification projects, including PACT, BlueTrace, and the Covid Watch project, take a similar privacy-protecting approach to Apple’s and Google’s initiative.
Recently, a study found that contact tracing can be effective in containing diseases such as Covid-19 if large parts of the population participate. Exposure notification schemes like the Apple-Google system are not true contact tracing systems because they do not allow public health authorities to identify people who have been exposed to infected individuals. But digital exposure notification systems have a big advantage: They can be used by millions of people and rapidly warn those who have been exposed to quarantine themselves.
So how does the Apple-Google exposure notification system work? As researchers who study security and privacy of wireless communication, we have examined the system’s specifications and have assessed its effectiveness and privacy implications.