Project Aurora: A New Open Source Solution for the Google Apple Exposure Notification API

On May 4, 2020, Google and Apple released new details about the Google Apple Exposure Notification API (GAEN). GAEN provides a new way for public health authorities (PHAs) to implement a digital contact tracing solution that uses Bluetooth to detect contacts between people that may have led to exposure. The new technology is an important innovation in this rapidly emerging field, and we’re pleased to announce a new Path Check initiative, codenamed project Aurora, to empower PHAs to take advantage of GAEN. 

As part of Aurora, the Path Check community is actively developing an open source, GAEN-compliant reference mobile app as well as the server technology required to deploy a GAEN solution. We are also launching a pilot program for PHAs and their solution providers who want to evaluate GAEN and potentially use Aurora. If you are interested in learning more about Aurora and how you could pilot it in your jurisdiction, please complete this form

With GAEN, an authorized mobile app can use Bluetooth to help identify whether a user has been physically near someone who has been diagnosed with COVID-19. The technology is designed to preserve the privacy of people who use the app, so the user-identifiable data are not accessible by Apple, Google, PHAs, or other citizens. (Read more about how GAEN works.)

As an implementation of GAEN, Aurora will include a reference mobile app for iOS and Android as well as what is called a key server. The key server is how a PHA anonymously publishes the information that notifies users that they may have been exposed to someone who has COVID-19. Aurora is currently under development and more technical information on Aurora is available on GitHub

For a variety of reasons, Google and Apple are limiting use of the GAEN API. As a result, Aurora will be separate from our GPS-based solution, which includes Safe Paths and Safe Places. Our GPS solution is maturing quickly, pilots are being organized by PHAs around the world, and we continue to be deeply invested in developing this solution in parallel with the Aurora project.

For PHAs that choose to deploy a GAEN solution for their communities separately or alongside a GPS solution, Aurora will offer a number of advantages over other implementations of GAEN:

  • Your IT team or solution partner can integrate the open source solution and avoid vendor lock in. A vibrant open source community and collaboration between PHAs across multiple jurisdictions helps ensure strong security, valuable features, and maintenance of the solution. 
  • Aurora is designed so that it is easy for each PHA to generate a build of the app from the original source code. The downstream build can have customization but still be easily patched and maintained. Today, GAEN licensing encourages each authorized PHA to release their own app through their own Apple and Google accounts. 
  • Aurora is 100% compliant with the GAEN APIs and requirements. 
  • The software is free, which significantly reduces development and maintenance costs. 
  • Collaboration with the vibrant Path Check community and other PHAs provides access to insights beyond the software, including program design, pilot management, roll-out, and adoption. 
  • The Path Check community has a clear point of view on contact-tracing policy and data privacy issues, and is actively collaborating to develop a shared understanding of best practices. 
  • A growing network of solution providers is planning to offer support for Aurora app customization and Aurora key server hosting and scaling. 

Aurora will also include a number of differentiated features: 

  • PHA customizations for the COVID-19 authentication methods, support for various exposure definitions and reporting styles, and the option of self-reported symptom tracking.
  • Customized messaging to affected and exposed individuals communicating the nature and the severity of exposure incidents.
  • Historical exposure tracking for everyday users.

Limitations on Using GAEN

In order to drive adoption and protect privacy, Google and Apple have put controls on the use of the GAEN API and the deployment of apps built with GAEN. Limitations on apps include several important provisions: 

  1. GAEN apps cannot use GPS location data on the phone or on the server and data from GAEN apps cannot be combined with GPS location data from another app.
  1. GAEN apps can only be released by a PHA (or contracted technical partner) that has been authorized by Google and Apple. Google and Apple only want one GAEN app per jurisdiction (e.g., country or state), in order to maximize user adoption.
  1. The GAEN APIs require version 13.5 or higher of iOS and version 5.0 or higher of Android. 

For a full list of the restrictions, see the licensing terms from Google and Apple

For a variety of good reasons, Google and Apple have chosen to limit the use of GAEN. Based on our work with public health authorities around the world, we recognize that there are a number of benefits that would come from being able to have both the contact data provided by GAEN and the context data provided by GPS in the same privacy-preserving system.

A number of examples illustrate how contact and context together would be powerful:  

  • Exposure notification reveals the day of exposure but not the time or location. If the user was exposed in a public park store wearing a mask and keeping social distance, there is less risk compared to the same user in a small coffee shop not wearing a mask. 
  • Detection of contacts occurring within a factory might alert officials to a potential outbreak at a location. GAEN contact data alone would not reveal this risk and thus limit the public health interventions that could contain an outbreak.   

In addition to phone-to-phone contact and GPS positioning, other location technologies will likely be useful for digital contact tracing. For example, on a campus, low-cost Bluetooth beacons could be a useful tool for precise positioning. In this paper we provide more thinking about how GPS and GAEN could work together.    

Choosing between GAEN and GPS

PHAs will need to choose the solution or solutions that best fit their needs and community. Today, many PHAs are moving forward with GPS and some are planning to pilot GAEN. Unfortunately, those who want to use both will need to promote two separate apps to their communities and maintain required data separation on the backend. 

The following table shows some of the pros and cons of GAEN and GPS.

This image has an empty alt attribute; its file name is Picture1-1024x495.png

Conclusion

Digital contact tracing is a new, rapidly evolving field that can be difficult to navigate. As a non-profit and volunteer community committed to developing free, open source software and privacy-preserving digital contact-tracing solutions, we always welcome the opportunity to talk to PHAs and companies who are evaluating solutions in this space. We are committed to serving PHAs and providing the much-needed support; please feel free to contact us if you would like to discuss your specific needs or get more involved in our work.