As the debate over Apple and Google’s COVID-19 contact tracking application framework continues to grow, many people wonder how they can disable it.
Earlier this month, I woke up to find my social media was full of messages: Apple and Google suddenly installed a COVID-19 tracking app on iPhone and Android devices without permission. As is often the case when it comes to viral threads flooding social media, the truth of the matter was somewhat different from the claims being made.
In an attempt to clarify what was happening, I posted a fact-check article the same day: Have Apple and Google uploaded a COVID-19 tracking app to their phone? The facts behind the rage. In short, neither Apple nor Google had uploaded an application to smartphones without permission; A stealthy, automatic installation of the tracking app had not been performed.
Correspondingly, that article itself went viral and has been viewed more than a million and a half times to date. It also generated a lot of comments through emails and direct messages, the vast majority of which were from people asking how they could disable or remove the ‘tracking app’ on their phone right now.
Is there a COVID-19 tracking app on your phone?
Okay, let’s get this over with once and for all: The COVID-19 exposure notification framework that has been included in Android and iOS platform updates is not an app. It is an application programming interface (API) to allow contact or tracking applications to function properly when installed.
In fact, as an Android user, when I click on the exposure notifications entry, it tells me that I must install or finish setting up the participating app before the notifications can be triggered. A joint statement by Apple and Google, released on May 20, makes this very clear: “What we have created is not an application, but public health agencies will incorporate the API into their own applications that people install.”
So if you haven’t installed an official state or government tracking app, there is nothing to worry about. Or so you might think, but not everyone would agree with you as my mailbox so aptly demonstrates. I even turned to Twitter to assess people’s feel when it comes to installing and using an Apple or Google COVID-19 exposure notification-based tracking app, when available. With only 231 people participating in my survey, it is not statistically valid, but that is irrelevant.
The point is that it reflects what you already knew, that opinion is divided in half on this issue: 40.7% said yes, 46.8% not with 12.6% still undecided.
A recent Avira study suggests that 71% of Americans will not download the app, 88% of those over 55 and 84% of government or healthcare workers. The biggest concern among that sample was privacy, closely followed by a false sense of security.
Interestingly, that reflects the responses of my small sample. Most of those who were not in the camp were concerned about what governments intended to do with the data or whether the technology involved worked well enough to be effective. One thing is clear, for such a system to be effective, it must have public support. “User adoption is key to success,” said the joint statement by Apple and Google, “we believe that these strong privacy protections are also the best way to encourage the use of these applications.”
The decentralized exposure notification model in a nutshell
So how does exposure notification work in this decentralized model from Apple and Google? Simply put, random IDs are exchanged via Bluetooth between your phone and the phones of other people who have chosen you. These random IDs are stored on your phone and are not shared with any central database servers.
Unless it is, someone is diagnosed with COVID-19 and shares that information with the official contact tracking app. At this point, the identification beacons of the previous 14 days are uploaded, with your permission, to a central server from which matching users can be notified of the exposure if they have also opted.
This system is not interested in tracking your location, only the devices with which you have been in contact. You do not share the identities of other users with the application itself or with Apple or Google.
Also, the random ID assigned to your phone is changed every 10-20 minutes to avoid tracking instead of contact tracking, and these IDs are removed after 14 days.
“All matching exposure notifications happen on your device, which means that only you and your application know if you report having had COVID-19 or if you have been exposed to someone who has reported having COVID-19,” according to Google. That same Google statement says that “the public health authority app cannot use your phone’s location or track its location in the background.”
It’s worth noting that there are also plans to allow the activation of Bluetooth ID beacons, after another OS update in the coming months, without the requirement to install a separate app. “If a match is detected, the user will be notified, and if the user has not yet downloaded an official application from the public health authority, they will be prompted to download an official application and will be advised on next steps,” it states. in the Apple and Google Exposure Notifications FAQ. Again, however, this will be optional and the same requirements will apply as before.
How to disable Apple and Google exposure notification COVID-19
If you’ve decided, for whatever reason, that contact tracking isn’t something you want to be involved in, then you’re probably looking for ways to disable or remove the exposure notification framework.
However, remember that if you do not enable exposure notifications, you will not be notified if you have potentially been exposed to COVID-19. Only you can determine if that risk is worth taking, and the flip side of this is that you could also expose others who wouldn’t be wiser if you had the infection.
First things first, then: You don’t need to ‘disable’ exposure notifications as they are not enabled by default. As I have already made clear, the exposure notification framework currently only works if you have installed an official tracking app and have chosen to use the notification system. Even if, or when, it becomes part of the operating system without the need for a separate installed application, it will still be an option.
Google said you can disable exposure notifications in your Android phone’s settings or uninstall the official public health app if you’ve already installed one when it’s available. Just go to the settings app, click on Google | COVID-19, and you can enable or disable them from there. From the same place, you can also delete any random ID that has been stored by clicking Delete Random ID | Remove.
Apple said that “the choice of using this technology rests with the user, and he or she can disable it at any time by uninstalling the contact tracking application or disabling exposure notification in Settings.” As with Android users, exposure logging activation is disabled by default in iOS 13.5 and later. If you installed an officially licensed app and opted to use exposure notifications, you need to go to Settings | Privacy | Health from where you can enable or disable them. You can also delete any exposure log, saved for 14 days as with Android devices, from the same settings page.
Remember, in both cases, you will not be notified if you have been exposed to COVID-19.
Why uninstalling the exposure notification framework is a bad idea
I highly recommend that you do not follow any of the guides that you can find online with instructions on how to remove the frame entirely. This involves reverting to a previous version of the operating system and ensuring that automatic updates are disabled to prevent further updates from being installed. As a cybersecurity person, I can’t emphasize enough that it’s a bad idea not to be protected against attackers who would exploit vulnerabilities without patches on Android or iOS.
If you are concerned about the privacy of your data and that is why you want to disable the COVID-19 exposure notification capability then there is no point in opening your device to attacks with the potential to access your data.
I’ve reached out to both Apple and Google for more feedback, and will update this article in case it gets published.