1/ Last night, I spent some quality time with the Apple docs on the new contact tracing protocol and APIs they and Google are preparing.

I'm quite optimistic about this effort. Here's why.

2/ First, my understanding of the health experts' point of view. If we want to reopen society once hospitalization rates are down & testing is more broadly available, but before we have widespread vaccination, we'll need contact tracing to rapidly contain any outbreak.

3/ contact tracing is this: say you test positive, we want to very quickly find everyone you were in contact with over the past 2 weeks and test them, too. Anyone testing positive is then quarantined to contain the outbreak.

4/ can cell phones help with this contact tracing?

Obviously they can: smartphones know where you are at all times and could dump all that geo data into one big database and just query it when someone tests positive.

Dystopian much? Can we do contact tracing less invasively?

5/ (there's the possibility of using cell tower records. One problem, it seems, is that this would yield a *lot* of false positives because cell tower location is not sufficiently precise. Even if it works, dystopian hellscape.)

6/ the key idea is we don't actually need geo data. We just need to know who was in contact with whom during a 2-week span. Whether it was at the gym or on the bus doesn't matter for our purposes.

And we don't need a big dystopian database. Much of the data can stay on phones.

7/ That leads to a number of similar proposals, including Apple/Google, MIT PACT, and others, that roughly do this:

- each phone locally broadcasts an identifier, using Bluetooth LE.

- phones record identifiers they see from other phones in close physical proximity.

8/

- phones change their identifier every few minutes, so that you can't correlate identifiers across long periods of time and track people.

- when someone tests positive, their phone releases the identifiers used over the last 14 days to a database.

9/

- phones download positive identifiers from the database and, if they see one that matches their list of encountered identifiers, they light up and say "you've been in contact with a positive person, you should get tested right away."

10/ diff proposals have diff parameters for how often identifiers are changed, and diff mechanisms for phones to prove they actually generated those claimed identifiers so disruptors can't pollute the system with false claims.

11/ there are also cool tricks used to reduce the amount of data phones need to upload/download.

The Apple/Google proposal has phones releasing a single daily tracker from which all of that phone's identifiers for a whole day can be regenerated and authenticated.

12/ so what, exactly, have Apple and Google done?

- they defined technical details for generating, broadcasting, recording, and revealing identifiers, common across iPhones and Android phones

- they defined an interface through which apps can use this tracing capability.

13/ this means a large part of the tricky stuff -- generating identifiers, rotating them, finding others and recoding them -- is done once by capable cryptographers. Very cool.

Also, the docs indicate that a phone won't release its identifiers unless user approves. Also cool.

14/ so this is pretty great. Data stays on the phone and release of identifiers is gated on the user.

There are some nits to be debated, e.g. how linkable identifiers are -- could we do this without linking together all the daily identifiers of an individual who tests positive?

15/ Also, Apple and Google are *not* operating the database of positive identifiers (at least for now.) They're letting other apps do that. With this API in place, A+G can aggressively police contact tracing apps: they should use the API, and maybe only some are approved. Good!

16/ we're left with 3 big questions:

- who's going to build the actual apps and positive identifier databases?

- how do we get enough users installing those apps to make contact tracing work?

- how do apps decide that a user has been truly infected, so this doesn't get abused?

17/ here's one possible path forward that answers those questions in a way that I *think* could work well: county health department produce apps. Maybe clumps of counties band together, e.g. all the SF Bay area counties.

18/ that means declaring a user positive would be gated on health departments, so abuse is limited. It also means a county could decide, based on adoption, how safe it is to reopen. The incentives are aligned nicely: install your county health app so we can reopen for business.

19/ another way it could go, and Apple kinda hints at this in their announcement, is that Apple and Google could take more drastic action to strongly encourage installation of an app. Maybe a system notification to everyone.

20/ As long as Apple & Google do constrain which apps get to use this API and frown on apps using more invasive approaches to contact tracing, this direction feels quite good.

Contact tracing is necessary to reopen society before vaccines. This looks like a good way to do it.

21/ two more details: the reason this is pretty good for privacy is because contact tracing is designed for when the pandemic is under control and only a handful of people are testing positive every day. So only a handful of people's location data is released.

22/ also, if we're indeed going to see counties pushing out apps, best way to go is have one open-source implementation that can be white-labeled by health departments. Who's going to build the open-source app & backend that runs against these APIs?

23/ one last idea: if the app is built by a health department, it can help prioritize testing. Show up to any testing center with your county health app showing the "you need to get tested" screen and you're immediately prioritized, no question asked, no insurance needed.