Covid testing app: the details of the privacy guarantee
Some have asked me to explain. I snooped through the source, but I think this https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy/assessment.html does a better job. The key section is quoted below.
Each device with the app installed is sending out and listening for random codes called rolling proximity identifiers (RPIs) which are not static: On a daily basis, the Google/Apple layer automatically generates a random temporary exposure key (TEK). The TEK of the day then generates a new random ID (“rolling proximity identifier” (RPI)) every five to twenty minutes. It is these ever-changing random IDs that are shared with other devices.
The daily TEK generation and frequent RPI generation are design features with the purpose of minimizing the risk of re-identification of users. (In addition to this, they are designed to minimize data transfer to conserve bandwidth.) The RPIs are not identifiable and are not accessible to the app or transmitted to the key server. By design, the RPIs are meant to be public (they are shared to other devices via Bluetooth), and as such do not provide any form of identifying information in the absence of other information. Even if an RPI were intercepted by a device operated by a malicious actor, it would be an entirely meaningless number, and would not be linkable to a device without significant effort. TEKs are stored on the device, but may only be released to the key server in the case of a positive test result and explicit user consent.
When a user receives a positive COVID-19 test result, provincial/territorial (PT) health authorities who have adopted the app will provide them with a one-time code and instructions on how to enter it into the app. The app will validate the one-time code and ask the user if they would like their past 14 days of TEKs to be sent to the key server. If the individual says yes, the app communicates with the Google/Apple layer. The Google/Apple layer asks a second time whether the individual consents to sending the past 14 days of TEKs to the key server. If the individual consents, the TEKs are sent to the key server, allowing other users they have come in contact with in the past 14 days to be notified, once their app has downloaded these keys. App users also have the option of uploading their diagnosis keys for the 14 days following receipt of a positive diagnosis, in the unfortunate scenario where an individual who has COVID-19 cannot self-quarantine (e.g. doesn’t have sick leave; lives alone and has to buy groceries, etc.).
TEKs are generated once a day and expire after 14 days on the device. A TEK becomes a “diagnosis key” once released for upload to the key server. If the user consents to upload and transmit the diagnosis key, other users with whom they were in contact may receive a notification. We note that if an individual has had contact with a very limited number of individuals in the past 14 days, it’s possible that the user who receives the notification may be able to associate it with an individual.
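As an added illustration (not code from the app or from the Google/Apple framework), here is a Python sketch of the key schedule the quoted passage describes: a daily TEK, one RPI per 10-minute interval derived from it, the 14-day upload window, and the matching step a receiving device performs only once a diagnosis key has been released. The interval arithmetic and the "EN-RPIK"/"EN-RPI" labels follow the published Exposure Notification key schedule, but HMAC-SHA256 stands in for the framework's AES-128 step so the sketch needs only the standard library; all keys and timestamps are constructed.

```python
import hmac, hashlib, secrets

TEK_ROLLING_PERIOD = 144   # 10-minute intervals in one day; one TEK covers all of them
RETENTION_DAYS = 14        # TEKs expire on the device after 14 days

def hkdf_sha256(ikm, info, length=16):
    """Single-block HKDF (RFC 5869) with an empty salt, deriving the per-day RPI key."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def rpis_for_tek(tek, start_interval):
    """All RPIs a device broadcasts during the day covered by this TEK.
    Stand-in: the real framework encrypts the padded interval number with AES-128;
    HMAC-SHA256 truncated to 16 bytes is used here to stay standard-library only."""
    rpik = hkdf_sha256(tek, b"EN-RPIK")
    rpis = []
    for j in range(start_interval, start_interval + TEK_ROLLING_PERIOD):
        padded = b"EN-RPI" + b"\x00" * 6 + j.to_bytes(4, "little")
        rpis.append(hmac.new(rpik, padded, hashlib.sha256).digest()[:16])
    return rpis

def keys_to_upload(tek_history, today_interval):
    """Diagnosis keys offered to the key server after consent: only the last 14 days."""
    cutoff = today_interval - RETENTION_DAYS * TEK_ROLLING_PERIOD
    return [(tek, start) for tek, start in tek_history if start >= cutoff]

def match_diagnosis_keys(observed_rpis, diagnosis_keys):
    """Receiving device: re-derive every RPI from each downloaded diagnosis key and
    intersect with the RPIs it heard over Bluetooth. Without the TEK this step is
    not possible, which is why intercepted RPIs alone cannot be linked to a device."""
    heard = set(observed_rpis)
    return [(tek, start) for tek, start in diagnosis_keys
            if heard.intersection(rpis_for_tek(tek, start))]

if __name__ == "__main__":
    today = 1_600_000_000 // 600                        # constructed timestamp -> interval
    day0 = today - today % TEK_ROLLING_PERIOD
    history = [(secrets.token_bytes(16), day0 - d * TEK_ROLLING_PERIOD) for d in range(20)]
    tek5, start5 = history[5]                           # the TEK from five days ago
    # A contact device overheard two of this user's RPIs that day, plus an unrelated one.
    heard = rpis_for_tek(tek5, start5)[40:42] + [secrets.token_bytes(16)]
    released = keys_to_upload(history, today)           # 14 of the 20 TEKs are eligible
    print(len(released), match_diagnosis_keys(heard, released) == [(tek5, start5)])
```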