Apple in the iOS 13.5 beta introduced an exposure notification API, which will let apps from public health authorities and governments worldwide help people figure out if they’ve been exposed to COVID-19, and if so, what steps to take next to minimize the spread of the virus.
Exposure notification started out as contact tracing, an Apple-Google initiative that was announced in early April to limit the spread of COVID-19.
Apple and Google created an API that is designed to allow iPhones and Android smartphones to interface with one another for contact tracing purposes, so if and when you happen to be nearby someone who is later diagnosed with COVID-19, you can get a notification and take the appropriate steps to self isolate and get medical help if necessary.
Determining whether you’ve come into contact with someone relies on your iPhone, which, using the exposure notification API, interacts with other iPhones and Android smartphones over Bluetooth whenever you’re around someone else who also owns a smartphone, exchanging anonymous identifiers.
Apple and Google are developing the underlying APIs and Bluetooth functionality, but they are not developing the apps that will use those APIs. Instead, the technology will be incorporated into apps designed by public health authorities worldwide, which will be able to use the tracking information to send notifications on exposure and follow up with recommended next steps.
The APIs have been created with privacy and security in mind, and app usage is opt in rather than mandatory.
Apple and Google also created a handy graphic that explains the process, which we’ve included below:
Apps that use Apple’s exposure notification API will be available when Apple releases iOS 13.5, a beta update that has the API to allow public health authorities to begin incorporating the API into their COVID-19 apps.
Exposure Notification is a feature that’s on by default in the iOS 13.5 beta, and it may be enabled automatically when the update is released, but actually using the API requires you to download an app from a verified health authority. Many countries are developing country-specific apps that you will be able to download.
At the current time, there are no apps that use Apple’s API available, but once these apps are released, you will need to download one and consent to using it before Exposure Notification becomes functional on your smartphone.
Without an app that you explicitly download and opt in to using, the Exposure Notification API on the iPhone doesn’t do anything at this time.
Apple and Google have both worked to create APIs for exposure notifications that work together so iPhone and Android smartphones can interface with one another and you’ll receive notifications if exposure happens even if the person you’ve been in contact with has an Android smartphone.
In the iOS 13.5 beta, Exposure Notification is a privacy setting that is on by default, but using the feature is still opt-in rather than opt-out because you need to download an app and consent to sign up for the exposure notification system.
If you do, at some point, get COVID-19, there’s a separate consent process for anonymously alerting people that you’ve been in contact with. The app needs express consent to inform others of the diagnosis, and nothing happens automatically.
Exposure Notifications can be turned off in the Privacy section of the Settings app. As you can see in the demo screenshot below, users will need to tap “Allow” after installing an app to allow the app to collect and share random IDs with nearby devices.
You can disable Exposure Notification entirely by following the steps in our how to, and there will also be options to toggle off the feature on a per-app basis if multiple apps that use the API are installed. Apps that you have installed that use the API will be listed in the Privacy settings on your iPhone.
When a person is diagnosed with COVID-19, before an alert is sent out to the people they’ve been in contact with, the apps that are using Apple and Google’s exposure notification APIs will require verification that a person has tested positive for the disease.
This will prevent people from using the system maliciously to trick others into believing exposure has happened when it has not.
As an example, a person who tests positive for COVID-19 might receive a QR code with their test results, which could be scanned into an exposure notification app for verification purposes. The verification process will vary by region, according to Apple.
As explained above, with a health app that uses the exposure notification API installed, your smartphone exchanges anonymous identifiers with each person you come in contact with that also has an app that uses the API.
Your phone keeps a list of these identifiers on it, and this list remains on your device - it is not uploaded anywhere. The exception is if you’re diagnosed with COVID-19 and then follow the steps to send out notifications to the smartphones that have been in contact with yours.
In this situation, the list of random identifiers that your iPhone has been assigned over the course of the previous 14 days will be sent to a centralized server. Other people’s iPhones check this server and download that list, checking it against the identifiers stored on their own iPhones. If there’s a match, they receive a notification about exposure with more information about the steps to take next.
Matches are made on device rather than on a server in a central location, which preserves privacy while also making sure people know about possible exposure.
For a more simple explanation, here’s a step-by-step walkthrough on how it works:
Health apps will have access to information that includes the amount of time that Eric and Ryan’s phone were in contact and the distance between them, as determined by Bluetooth signal strength, which can be used to estimate distance.
Based on this information, the app can deliver tailored notifications to Eric, perhaps letting him know his exposure level and potential danger based on those factors. Eric will know the day he was exposed, how long the exposure lasted, and the Bluetooth signal strength of that contact. No other information is shared.
For the most part, the exposure notification system runs on your device. Identifiers are collected and matched entirely on your smartphone and are not shared with a central system. There are two exceptions to this:
First and foremost, full privacy details on exposure notification are available on Apple’s website, but we’ll cover some important frequently asked questions about privacy below.
Right now, there are no apps that use the Exposure Notification API because it’s not publicly released yet. Apple plans to release iOS 13.5 with exposure notification support in mid-May, and at that point, we’ll see the first apps that use it and will list them here.
Apple and Google are releasing an API for apps to use in May, but eventually, later in the year, exposure notification will be introduced at the operating system level to ensure a broader adoption, which is necessary for contact tracing to succeed in cutting down on the spread of COVID-19.
When the feature is built into the operating system, it will continue to work the way it does with an app right now, but no app will need to be installed for identifier information to be exchanged.
Apple and Google both have dedicated websites with more information about exposure notification, and that should be your first stop if you want to know more about it and how it works.
Have a question about the exposure notification system, know of something we left out, or want to offer feedback? Send us an email here.