[clug] Apple-Google Contact Tracing API. V1 released May 20, 2020

steve jenkin sjenkin at canb.auug.org.au
Sun May 24 22:15:32 UTC 2020

Does anyone see security or privacy issues with the spec?

It’ll mean rewriting the local AusGov contact tracing App, the one that they haven’t fully developed the back-end for.


The Apple-Google notification service is designed to be anonymous & tracking-resistant, without a central database of user details or central processing of contacts.
There is a central database of rapidly (15-30 min) keys generated on devices.

Unclear to me who runs the DB? On what hardware?
Google’s tech spec page contains sample code for an “Exposure Notifications server” - presumably the local public health authority runs one of these, known to its App.

App users who are diagnosed Covid-19 positive notify the App, which uploads the last 14 days of keys ‘seen’ by the device. The devices with those keys are sent notifications.

It’s unclear to me how the keys-device connection is made within the server database.
The Notification side of the server must push a notification to devices (presumably when they connect to upload keys).

Currently, App developers - presumably public health authorities - have to build local Apps for users to download & ‘accept’. This allows local ‘tuning’ of what constitutes a ‘contact’.

In coming months, this interface will be baked into the O/S of both Android and iOS.

We’re told the contact tracing O/S module will require ‘opt-in’.


Exposure Notification - Frequently Asked Questions

Google and Apple partner on COVID‑19 Exposure Notifications API
+ More information and technical specs

Apple - Bluetooth Spec

Apple Developer API

Steve Jenkin, IT Systems and Design 
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
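
Added example, not part of the original post and not Apple's or Google's code: a sketch of the on-device matching step as laid out in the published Exposure Notification cryptography specification, where each phone re-derives broadcast identifiers from the keys a diagnosed user publishes and compares them with its own local log. The 10-minute interval, 144-interval key lifetime and `EN-RPIK`/`EN-RPI` labels are assumptions taken from that specification, HMAC-SHA256 stands in for its AES-128 step, and the names and timestamp are constructed.

```python
import hashlib, hmac, os, struct

INTERVAL_SECONDS = 600   # assumption (spec): interval numbers tick every 10 min
ROLLING_PERIOD = 144     # assumption (spec): one daily key covers 144 intervals

def hkdf_sha256(key, info, length=16):
    """HKDF (RFC 5869), empty salt; one output block covers 16 bytes."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def rolling_ids(tek, start_interval):
    """Map every identifier a daily key broadcasts to its interval number."""
    rpik = hkdf_sha256(tek, b"EN-RPIK")
    ids = {}
    for i in range(start_interval, start_interval + ROLLING_PERIOD):
        padded = b"EN-RPI" + b"\x00" * 6 + struct.pack("<I", i)
        # Stand-in: the spec encrypts `padded` with AES-128 under rpik; HMAC
        # is used here only because the standard library has no AES.
        ids[hmac.new(rpik, padded, hashlib.sha256).digest()[:16]] = i
    return ids

def match_on_device(observed, diagnosis_keys):
    """Runs on each phone: test published keys against the local Bluetooth log."""
    hits = []
    for tek, start in diagnosis_keys:
        derived = rolling_ids(tek, start)
        hits += sorted(derived[rpi] for rpi in observed if rpi in derived)
    return hits

def demo():
    """Constructed scenario: Bob was near Alice for two intervals, never near Carol."""
    day = 1590278400 // INTERVAL_SECONDS      # 2020-05-24 00:00 UTC
    alice_tek, carol_tek = os.urandom(16), os.urandom(16)
    alice_ids = list(rolling_ids(alice_tek, day))
    bob_log = {alice_ids[60], alice_ids[61]}  # stays on Bob's phone
    published = [(carol_tek, day)]            # all the server ever holds
    before = match_on_device(bob_log, published)
    published.append((alice_tek, day))        # Alice is diagnosed and uploads
    after = match_on_device(bob_log, published)
    return day, before, after

if __name__ == "__main__":
    day, before, after = demo()
    print("matches before Alice's upload:", before)
    print("matches after:", [i - day for i in after])
```

In this sketch the server-side list holds only the daily keys of diagnosed users; Bob's log of observed identifiers is never uploaded, and the match is computed on his phone.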
