Using smartphones to trace the COVID-19 pandemic isn’t a new idea: China, South Korea, Singapore, and other countries have been doing it for a while now. Apple and Google control the software that powers a vast majority of the world’s phones, though, so their partnership is going to make disease tracking possible on a much larger scale.

The software update they plan to push out to their operating systems in May will allow users to opt into a Bluetooth-based tracking system that will send alerts if it detects that you’ve been in contact with a COVID-19 case. The two companies have done a lot to allay privacy concerns – much more than most existing government initiatives – but exactly how effective it will be and how much people will trust it remains to be seen.

What is the tracing system?

Apple and Google will both be implementing the same system: a Bluetooth Low-Energy (BLE) contact-tracing network. Any phone that opts in to the program will turn on its Bluetooth and, every five minutes, check for other Bluetooth devices (Androids and iPhones) that are part of the contact-tracing program.

When it finds one close by, the user’s phone will send the other device a unique identification code (with no personal information or names attached) and get another code in return. Both of those devices will record the code they get from the other.

The anonymous identification code for a user’s device changes every fifteen minutes as a privacy measure. These codes, and the codes of devices that the user has come in contact with, are stored temporarily on the device. If the user doesn’t have COVID-19, no data is ever uploaded anywhere.

If a user does have COVID-19, however, the identification codes their phone has been using for the past fourteen days will, with their consent, be uploaded to a central server. Other users’ devices will check to see if any of those codes exist in their phone’s storage, and, if one does, it will alert the user of their potential exposure. All of this matching takes place on user devices: no records of any two users being in proximity are ever put online or made public.

How can people get it?

The first thing Apple and Google are working on is an application programming interface (API), which is a way for apps to connect to the tracing system. Users who want to participate will first have to download an app created by a public health authority that’s cleared to use the system. That functionality should be available by mid-May to users who want to participate. It should be available for every iPhone version and Android devices with 6.0 or greater.

That will require some work to opt into, though, which might lead to low usage rates. That’s why the next step for Apple and Google will be building the functionality at an operating system level, which will probably make it much easier for users to sign up and start using it. That may come out in June.

What about privacy?

Google and Apple are big tech companies, which can rub some people’s privacy instincts the wrong way. Isn’t this just another opportunity to track you? That’s a justifiable reaction, but the two companies have done a lot to keep user data private here, and they’ve covered almost every possible base. There are certainly still potential holes, but it’s not for lack of trying to patch them.

The phone’s identification codes are anonymous, continuously-changing, and locally-stored – even if the codes were made public, you couldn’t be immediately identified with them.

Your phone’s codes and codes that your phone collects are deleted from your device after some time.

No data is collected unless you opt in.

If you do opt in, your data will only be shared if you contract the virus and choose to upload your codes.

Your phone compares locally-stored codes against centrally-stored codes from people known to be infected. If there’s a match, only your phone knows about it.

API access is restricted to a small group of trusted public health authorities.

No location data is ever recorded – it’s just Bluetooth pings.

The system will be shut down after the crisis is over.

Will it work?

Contact tracing is a very important tool in epidemic response, and it’s typically done by medical professionals interviewing patients to gather data about where they’ve been and what they’ve done. That’s a fairly ponderous process, and automating it would be a massive help. The electronic system requires widespread adoption to work, though, and it’s pretty likely that most users won’t download the apps in May, though they might opt in once the update rolls out on the software level.

Another issue is testing: even if a lot of people do participate, if a lot of cases are going unconfirmed, users won’t get alerts following contact. On the other hand, Bluetooth can’t actually tell if people had potentially infectious contact or not, so you might get false positive alerts if, say, someone with COVID-19 was within range but in a different room.

The future of device-based pandemic tracing

The fight against COVID-19 is probably going to drag on for quite some time, and eventually these apps might prove to be valuable assets in tracking the periodic outbreaks we’re likely to have going forward. Even if digital contact tracing doesn’t work out for COVID-19, though, it’s very unlikely that this is the last pandemic we’re going to see, and building a system now means we’ll be ready to deploy it much more quickly in the future.