A long wait for an app notification

Twenty-one months ago, I installed the Virginia Department of Health’s COVIDWISE app on my smartphone and urged everybody reading that post in Virginia to go and do likewise. Back in August of 2020, I expected that this app developed with the Apple-Google COVID-19 exposure notifications framework would soon be warning me that I’d been near somebody else who had tested positive and had then used this app or another built on that foundation to send a thoroughly anonymized warning.

But the notifications of possible exposures didn’t appear, even as the U.S. suffered repeated waves of novel-coronavirus variants and the positive-test rate in Northern Virginia shot up above 30 percent at the start of this year. And as I got my first vaccination, second vaccination and booster shot, the continued silence of this app bothered me less and less–to the point that I briefly forgot to activate it after moving from my Pixel 3a to my Pixel 5a.

That silence ended Thursday morning, when my smartphone greeted me with a notification of a probable exposure. “You have likely been exposed to someone who has tested positive for COVID-19,” the app told me. “COVIDWISE estimates that you were last exposed 5 days ago.”

The app further informed me that “Most people who are fully vaccinated and free of COVID-like symptoms do not need to quarantine or be tested after an exposure.” Fortunately, I had already self-tested negative on an antigen at-home kit Wednesday morning to verify my health before heading to the Hack the Capitol security conference.

Because this app and others built on the Apple/Google code don’t store location data, I can only wonder when this possible exposure happened. And since five days ago was Saturday, when I flew home from Latvia via Munich and then Boston, I’m looking at thousands of miles of possibility. A second notification from COVIDWISE referencing North Carolina’s SlowCOVIDNC app suggests that my possible exposure source lives there, but the privacy-preserving design of this system ensures I’ll never know for sure.

A five-day turnaround, however, now seems quick after seeing three people reply to my tweet about this notification to report that they didn’t get their own heads-up from one of these exposure-notification apps until 10 days after the possible exposure–a uselessly long lag. My conclusion from those data points: Get vaccinated and boosted, because that will do more than anything else you could possibly undertake to ensure that receiving one of these exposure alerts remains a drama-free experience.

Weekly output: password managers, exposure-notification apps, talking tech with Mark Vena

Six months ago, I expected to be busy tonight packing for the IFA tech trade show. But although that conference in Berlin is proceeding on a drastically-scaled-down basis, I’m not flying to Germany tomorrow because of the European Union’s ban on Americans traveling to the EU. Given how thoroughly we’ve botched this pandemic, I can’t blame them for imposing that restriction.

8/24/2020: Extra security or extra risk? Pros and cons of password managers, TechRepublic

I shared my experience with password managers–mainly LastPass and 1Password–with TechRepublic’s Veronica Combs for this overview of the advantages and disadvantages of these services.

8/25/2020: COVID-19 tracking apps, supported by Apple and Google, begin showing up in app stores, USA Today

Writing a lengthy report for O’Reilly about contact-tracing apps did not mean I could write this much shorter piece from memory and my existing notes. In addition to getting useful adoption data from Virginia’s Department of Public Health about its COVIDWISE app, I also reported that VDH plans to support a national key-server project from the Association of Public Health Laboratories that will let these state-developed apps relay and receive warnings of potential COVID-19 exposure across state lines.

8/28/2020: SmartTechCheck Podcast (8-28-20), Mark Vena

I talked about exposure-notification apps, the future of tech events like IFA, 5G wireless and Apple silicon with my analyst pal at Moor Insights & Strategy–another tech type who would have been packing for Berlin tonight but is instead grounded. You may notice a break in the recording about halfway through, when I had to get a glass of water so I could resume speaking normally. Note to self: Before sitting down to record a 45-minute podcast, make sure a glass of water is on the desk.

My fellow Virginians, please install the COVIDWISE app. Now, thank you.

As the United States continues to flail away at the novel-coronavirus pandemic, my part of it has done one thing right. Wednesday morning, Virginia’s Department of Health launched COVIDWISE–the first digital contact-tracing app shipped in the U.S. on the privacy-optimized Exposure Notifications framework that Apple and Google co-developed this spring.

What that means is that COVIDWISE, available for iPhones running 13.5 or newer and most Android phones running Android 6.0 or newer, requires none of your data–not your name, not your number, not your e-mail, not even your phone’s electronic identifiers–to have it warn that you spent a sustained period of time close to somebody who has tested positive for COVID-19.

COVIDWISE and other apps built on the Apple/Google system instead send out randomized Bluetooth beacons every few minutes, store those sent by nearby phones running these apps, and flag those that indicate sufficiently extended proximity to allow for COVID-19 transmission as doctors understand it. That’s the important but often misunderstood point: All of the actual contact matching is done on individual phones by these apps–not by Apple, Google or any health authorities.

If a user of COVIDWISE tests positive and alerts this system by entering the code given them by a doctor or test lab into this app, that will trigger their copy of the app to upload its record of the last 14 days of those flagged close contacts–again, anonymized beyond even Apple or Google’s knowledge–to a VDH-run server. The health authority’s server will then send a get-tested alert to phones that had originally broadcast the beacons behind those detected contacts–once the apps on those devices do their daily check-ins online for any such warnings.

The U.S. is late to this game–Latvia shipped the first such app based on Apple and Google’s framework, Apturi Covid, in late May. In that time, the single biggest complaint about the Apple/Google project from healthcare professionals has been that it’s too private and doesn’t provide the names or locations that would ease traditional contact-tracing efforts.

I’m not writing this just off reading Apple and Google’s documentation; I’ve spent a lot of time over the last two months talking to outside experts for a long report on digital-contact-tracing apps. Please trust me on this; you should install COVIDWISE.

Plus, there’s nothing to it. The pictures above show almost the entire process on my Android phone: download, open, tap through a few dialogs, that’s it. At no point did I have to enter any data, and the Settings app confirms that COVIDWISE has requested zero permissions for my data. It uses the Bluetooth radio and the network connection; that’s it, as I’ve confirmed on two other Android phones.

If I’m curious about how this app’s working, I can pop into Android’s Settings app (search “COVID” or “exposure”) to see when my phone last performed an exposure check. But I don’t expect to get any other sign of this app’s presence on my phone–unless it warns me that I stood too close to somebody who tested positive, in which case I may not enjoy that notification but will certainly need it.

Updated 8/6/2020 with further details about the app’s setup and operation.