Exposure Notification

To generate encounter identifiers, first a persistent 32-byte private Tracing Key (${\displaystyle tk}$) is generated by a client. From this a 16 byte Daily Tracing Key is derived using the algorithm ${\displaystyle dtk_{i}=HKDF(tk,NULL,{\text{'CT-DTK'}}||D_{i},16)}$, where ${\displaystyle HKDF({\text{Key, Salt, Data, OutputLength}})}$ is a HKDF function using SHA-256, and ${\displaystyle D_{i}}$ is the day number for the 24-hour window the broadcast is in starting from Unix Epoch Time. These generated keys are later sent to the central reporting server should a user become infected.[25]

From the daily tracing key a 16-byte temporary Rolling Proximity Identifier is generated every 10 minutes with the algorithm ${\displaystyle RPI_{i,j}={\text{Truncate}}(HMAC(dtk_{i},{\text{'CT-RPI'}}||TIN_{j}),16)}$, where ${\displaystyle HMAC({\text{Key, Data}})}$ is a HMAC function using SHA-256, and ${\displaystyle TIN_{j}}$ is the time interval number, representing a unique index for every 10 minute period in a 24 hour day. The Truncate function returns the first 16 bytes of the HMAC value. When two clients come within proximity of each other they exchange and locally store the current ${\displaystyle RPI_{i,j}}$ as the encounter identifier.[25]

Once a registered health authority has confirmed the infection of a user, the user's Daily Tracing Key for the past 14 days is uploaded to the central reporting server. Clients then download this report and individually recalculate every Rolling Proximity Identifier used in the report period, matching it against the user's local encounter log. If a matching entry is found, then contact has been established and the app presents a notification to the user warning them of potential infection.[25]

Unlike version 1.0 of the protocol, version 1.1 does not use a persistent tracing key, rather every day a new random 16-byte Temporary Exposure Key (${\displaystyle tek_{i}}$) is generated. This is analogous to the daily tracing key from version 1.0. Here ${\displaystyle i}$ denotes the time is discretized in 10 minute intervals starting from Unix Epoch Time. From this two 128-bit keys are calculated, the Rolling Proximity Identifier Key (${\displaystyle RPIK_{i}}$) and the Associated Encrypted Metadata Key (${\displaystyle AEMK_{i}}$). ${\displaystyle RPIK_{i}}$ is calculated with the algorithm ${\displaystyle RPIK_{i}=HKDF(tek_{i},NULL,{\text{'EN-RPIK'}},16)}$, and ${\displaystyle AEMK_{i}}$ using the algorithm${\displaystyle AEMK_{i}=HKDF(tek_{i},NULL,{\text{'EN-AEMK'}},16)}$.[26]

From these values a temporary Rolling Proximity Identifier (${\displaystyle RPI_{i,j}}$) is generated every time the BLE MAC address changes, roughly every 15-20 minutes. The following algorithm is used: ${\displaystyle RPI_{i,j}=AES128(RPIK_{i},{\text{'EN-RPI'}}||{\mathtt {0x000000000000}}||ENIN_{j})}$, where ${\displaystyle AES128({\text{Key, Data}})}$ is an AES cryptography function with a 128-bit key, the data is one 16-byte block, ${\displaystyle j}$ denotes the Unix Epoch Time at the moment the roll occurs, and ${\displaystyle ENIN_{j}}$ is the corresponding 10-minute interval number. Next, additional Associated Encrypted Metadata is encrypted. What the metadata represents is not specified, likely to allow the later expansion of the protocol. The following algorithm is used: ${\displaystyle {\text{Associated Encrypted Metadata}}_{i,j}=AES128\_CTR(AEMK_{i},RPI_{i,j},{\text{Metadata}})}$, where ${\displaystyle AES128\_CTR({\text{Key, IV, Data}})}$ denotes AES encryption with a 128-bit key in CTR mode. The Rolling Proximity Identifier and the Associated Encrypted Metadata are then combined and broadcast using BLE. Clients exchange and log these payloads.[26]

Once a registered health authority has confirmed the infection of a user, the user's Temporary Exposure Keys ${\displaystyle tek_{i}}$ and their respective interval numbers ${\displaystyle i}$ for the past 14 days are uploaded to the central reporting server. Clients then download this report and individually recalculate every Rolling Proximity Identifier starting from interval number ${\displaystyle i}$, matching it against the user's local encounter log. If a matching entry is found, then contact has been established and the app presents a notification to the user warning them of potential infection.[26]

Version 1.2 of the protocol is identical to version 1.1, only introducing minor terminology changes.[26]

According to the joint announcement by Apple and Google, the system is intended to be rolled out in three stages:[37][38]

• API specification and publication
• rollout of tools to enable governments to create official privacy-preserving coronavirus tracing apps
• integration of this functionality directly into iOS and Android

Apple have stated that the system is designed to work on all recent devices that can support iOS 13.[22]

The companies planned an API for development on April 28, 2020[39] and it was released to developers the following day.[40]

The iOS 13.5 update released on May 20, 2020 introduced support for the Exposure Notification API.[9] Google stated that on Android, Exposure Notification will be serviced via Google Play Services (a system API component for Google services that is present on almost all Android devices outside of mainland China, and updated independently of Android itself via the Google Play store), ensuring compatibility with Android Marshmallow and later and not requiring them to be integrated into an Android firmware (which would hinder deployment).[41]

Each U.S. state and territory is able to participate in GAEN, with a one PHA per state/territory. Elsewhere, GAEN is available to one PHA per country.

The Google Apple Exposure Notification (GAEN) solution relies on users receive a positive COVID-19 diagnoses self-reporting their infection. When a public health authority (PHA) notifies a user of a positive test result, the PHA provides a "confirmation code" the user can enter into their local exposure notification application. The app communicates with the PHA's verification server[44] to retrieve a cryptographically signed certificate that unlocks the user's ability to upload their anonymous exposure keys to the exposure notification key server. This process prevents undiagnosed users from falsely reporting infections.

Each PHA is responsible for establishing and operating the verification process. The PHAs can develop their own server, or use a third party solution. Google has created an reference verification server that any PHA can leverage. The choice of verification solution does not affect whether GAEN works across state or national boundaries.

Exposure keys are uploaded to an Exposure Key server designated by each participating public health authority. The server aggregates all keys into a file that is downloaded daily by each participating application. The GAEN applications rely on iOS and Android to process the key files to determine if the user has been exposed to another person with a positive diagnosis.

PHAs are responsible for hosting an exposure key server. They can develop their own, though most are leveraging an [reference exposure notifications server published by Google. The Association of Public Health Laboratories announced it is partnering with Microsoft to host a National Key Server,[45] that can be shared by all states and territories. The shared key server reduces costs and complexity for states, and it assures that exposure notifications work when users are from different states.

Google has also created a federation capability that allows servers to share exposure notifications keys.

Some countries, such as France, have pursued centralized approaches to digital contact tracing, in order to maintain records of personal information that can be used to assist in investigating cases.[33][78][79] The French government has asked Apple to allow apps to perform Bluetooth operations in the background, allowing the government to create its own system independent of Exposure Notification.[80] Australia launched a custom exposure notification app called COVIDSafe, which has been criticized for working only on iPhones and not reliably exchanging Bluetooth identifiers.[81]

In the United States, states such as New York, California and Massachusetts declined to use the technology, opting for manual contact tracing.[82]