What is the Google/Apple Exposure Notifications Protocol?
On April 10th, 2020, Google and Apple announced a partnership to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 through exposure notifications, with privacy and security core to the design. The protocol has been reviewed by privacy experts, and improving its implementation is the subject of ongoing research around the world. Only authorized health authorities can release apps that access the operating system functions which Google and Apple have built for this purpose (the “Exposure Notifications”).
What Rastrea el Virus Does
The App supports Puerto Rico’s public health response and the public during the COVID-19 crisis. Its function is to notify you and connect you with us as quickly as possible should you have been in close and sustained contact with someone who has tested positive.
The App cannot prevent you from being exposed, but it can help you break the chain of exposing others.
How Exposure Notifications Technology Works With the App
Once the App requests that the operating system enable Exposure Notifications, and you authorize it to do so, your device will regularly send out Bluetooth signals. These Bluetooth beacons (or “Chirps”) are random numbers generated using keys (the “Keys”) so that they do not tie to any personally identifying information about you or your device. Keys change every 10 to 20 minutes for additional protection.
Other devices will be listening for Chirps and broadcasting theirs as well. When your device receives another Chirp, the operating system will record and securely store that Chirp. At least once per day, only the authorized Exposure Notifications App will request that the operating system download a list of the generating Keys for Chirps that have been verified by us as positive for COVID-19 (the “Positive Diagnosis Keys”). Your device will check the list of Chirps it has recorded to see if they were generated using Positive Diagnosis Keys.
If you encounter someone who is also running Rastrea el Virus for long enough to collect Chirps from them, and then that person receives a positive diagnosis for COVID-19 and decides to share their Positive Diagnosis Keys, the App will then recognise a match with its collected Chirps. The App will locally measure the closeness and duration of all exposures before deciding whether to send an exposure notification. Its exposure relevance criteria are updated according to ongoing global research and based on several factors:
- proximity, as best estimated by the device;
- duration of contact; and
- whether the contact was made within the last 14 days.
The decision process for giving any user an exposure notification uses a fully ‘decentralized’ privacy model. This means that any Positive Diagnosis Key matches made against Chirps you have encountered are matched locally, on your device. Your device never uploads Chirps it discovered. Matches are not made externally by us or any third party.
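The on-device matching described above, as an added sketch that is not the App's code or Google/Apple's implementation. The HMAC-SHA256 derivation is a stand-in for the real protocol's function, and the record layouts, the 10-minute interval, and the 60 dB / 15-minute thresholds are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

INTERVAL_SECONDS = 600          # assumption: one Chirp per 10-minute interval
MAX_ATTENUATION_DB = 60         # assumption: "close" means signal loss <= 60 dB
MIN_EXPOSURE_SECONDS = 15 * 60  # assumption: "sustained" means >= 15 minutes
LOOKBACK = timedelta(days=14)   # from the policy: contact within the last 14 days

def derive_chirp(key: bytes, interval: int) -> bytes:
    """Stand-in derivation (HMAC-SHA256), not the real protocol's function."""
    return hmac.new(key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

def expand(diagnosis_keys):
    """Recompute every Chirp the published Keys could have produced."""
    return {derive_chirp(key, start + i)
            for key, start, count in diagnosis_keys
            for i in range(count)}

def exposure_seconds(observed, diagnosis_keys, now):
    """Sum the close, recent contact time; runs entirely on the device."""
    positive = expand(diagnosis_keys)
    total = 0
    for chirp, seen_at, attenuation_db, seconds in observed:
        if chirp not in positive:
            continue                       # Chirp from an unrelated device
        if now - seen_at > LOOKBACK:
            continue                       # older than 14 days
        if attenuation_db > MAX_ATTENUATION_DB:
            continue                       # too far away to count
        total += seconds
    return total

def should_notify(observed, diagnosis_keys, now):
    return exposure_seconds(observed, diagnosis_keys, now) >= MIN_EXPOSURE_SECONDS

# Constructed sample data: Chirps stored on the device and one published Key.
NOW = datetime(2020, 9, 1, 12, 0, tzinfo=timezone.utc)
POSITIVE_KEY, OTHER_KEY = b"\x01" * 16, b"\x02" * 16
BASE = int((NOW - timedelta(days=2)).timestamp()) // INTERVAL_SECONDS
OBSERVED = [
    (derive_chirp(POSITIVE_KEY, BASE), NOW - timedelta(days=2), 50, 600),
    (derive_chirp(POSITIVE_KEY, BASE + 1), NOW - timedelta(days=2), 55, 600),
    (derive_chirp(POSITIVE_KEY, BASE + 2), NOW - timedelta(days=2), 80, 600),  # far
    (derive_chirp(OTHER_KEY, BASE), NOW - timedelta(days=2), 40, 1800),
]
PUBLISHED = [(POSITIVE_KEY, BASE, 6)]
```

Only the published Keys travel to the device; the observed Chirps and the match result never leave it, which is the property the decentralized model relies on.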
Third parties who have been hired by us in order to assist with epidemiological case investigation and contact tracing are “Contact Tracers”. The Exposure Notifications protocol is designed to prevent tracking people’s movements or who they have contacted. It solves the same problem another way, acting like an exposure badge, meaning it sums all the exposure events as they happen, rather than assisting a Contact Tracer to recreate a story of where you went or what you did. Unlike an exposure badge, the exposure events that are from positive cases are only revealed later on.
Verification codes (“Verification Codes”) are short digit sequences that cryptographically limit access to reporting a positive test result. They are only sent out, under our authorization, to users who have a confirmed positive diagnosis. This protects the quality of exposure notifications the App makes.
Keys used to generate Chirps are stored by the operating system and are not available to any but the authorized App for Exposure Notifications, and then only when unlocked by a Verification Code. The operating system confirms this access by presenting a security dialog.
Data Collected from You
The App will not require you to provide any personal data to obtain exposure notifications. The App does not have access to device file system storage to save any information.
Data Generated by the App
If you decide to authorize Exposure Notifications on your device, Chirps will be exchanged between your device and the devices of other users. If you test positive, you may give your consent in the App, which will then share Positive Diagnosis Keys generated in the last two weeks with our registry. The Chirps generated from Keys are never shared with us.
As a consequence of how network traffic passes across the Internet, your Internet Protocol address (“IP Address”) is also transferred to PRHD Servers. While your data transmitted between the App and PRHD Servers includes your IP Address and it is considered personal data, we do not use your IP Address to identify you, i.e. it is not stored or used in conjunction with any other data set in order to identify you. Because Chirps are sent out anonymously and matched locally on your device, and because Verification Codes cryptographically limit access, PRHD Servers never need to identify you, even in order to upload Positive Diagnosis Keys.
Third Party Agreements Affecting Data
PRHD is responsible for running the App and all infrastructure required to operate and maintain the App, including PRHD Servers. Third parties developed and operate PRHD Servers, as used to process Positive Diagnosis Keys. The App never uploads data to any servers without asking for consent first.
The following entities provide services to PRHD related to the App’s functions. This is not an all-inclusive list of the entities or third parties, or of their scope, that collaborate with PRHD in this effort currently or in the future.
- Puerto Rico’s Science, Technology and Research Trust (“SciTech”) is authorized by us to develop the App.
- SciTech made an agreement with the PathCheck Foundation to supply the App’s source code and assist with operations of PRHD Servers.
- PathCheck’s Positive Diagnosis Key server is an unmodified copy of Google’s reference code.
- Contact Tracers are authorized to give out Verification Codes as needed to upload Positive Diagnosis Keys to PRHD Servers.
- PRHD, or an authorized Contact Tracer, may send Verification Codes to your phone via SMS, using MITRE’s Sara Alert.
The App can be downloaded free of charge from the Apple App Store and the Google Play Store. Apple and Google require account sign-on in order to make the App available to you. Neither company obtains any personal data from your use of the App or the Exposure Notifications protocol itself.
Data Visible to Other Users of the App
Chirps are sent to every device in proximity. While Chirps cannot directly identify any users, there are circumstances when a user could identify another based on the day of contact. As an example, this may occur if a user knows another user personally, recalls a specific day of meeting, or can rule out other candidates.
To revoke your consent and terminate your use of Rastrea el Virus, delete the App from your device. Other than your IP Address, which may be stored on our servers and cannot be deleted but is not used to identify you, there is no information that can be used to identify you stored outside of your device.
Questions About This Policy
For legal questions about this policy, contact us at <firstname.lastname@example.org>.