As the debate around Apple and Google’s COVID-19 contact tracing app framework continues to grow, many people are asking how they can disable it.
Earlier this month, I awoke to find that my social media networks were buzzing with the same messaging: Apple and Google had suddenly installed a COVID-19 tracking app to iPhones and Android devices without permission. As is often the case when it comes to viral threads that flood social networks, the truth of the matter was somewhat different to the claims being made.
In an attempt to clarify what was happening, I published a fact-checking article the same day: Have Apple And Google Uploaded A COVID-19 Tracking App To Your Phone? The Facts Behind The Furor. The long and short of it is that neither Apple nor Google had uploaded an app to smartphones without permission; no stealthy and automatic tracking app installation had taken place.
Befittingly, that article itself went kind of viral and has been viewed more than one and a half million times to date. It also spawned a large amount of feedback by way of emails and direct messages, the vast majority of which was from people asking how they could disable or delete the ‘tracking app’ on their phone right now.
Is there a COVID-19 tracking app on your phone?
OK, let’s get this out of the way once and for all: the COVID-19 exposure notifications framework that has been included in both Android and iOS platform updates is not an app. It’s an application programming interface (API) to enable tracking, or contact tracing, apps to work correctly when they are installed.
Indeed, as an Android user myself, when I click on the exposure notifications entry, it tells me that I must either install or finish setting up the participating app before the notifications can be turned on. A joint statement from Apple and Google, published May 20, makes this very clear: “What we’ve built is not an app – rather public health agencies will incorporate the API into their own apps that people install.”
So, if you haven’t installed an official state or government tracking app, there’s nothing to worry about. Or so you might think, but not everyone would agree with you as my mailbox so aptly demonstrates. I even took to Twitter to gauge the feeling of people when it comes to installing and using an Apple or Google COVID-19 exposure notification based tracking app, when available. With just 231 people taking part in my poll, it’s not a statistically valid thing, but that’s beside the point.
The point is that it reflected what I already knew, that opinion is split down the middle on this issue: 40.7% said yes, 46.8% no with 12.6% as yet undecided.
A recent study by Avira suggests that 71% of Americans won’t download such an app, 88% of those aged 55 or over and 84% of government or healthcare workers. The biggest concern amongst that sample was privacy, closely followed by a false sense of security.
Interestingly, that mirrors the responses of my small sample. Most of those in the no camp were worried either by what governments intended to do with the data or whether the technology involved even worked well enough to be effective. One thing is clear, for any such system to be effective it has to have the backing of the public. “User adoption is key to success,” the joint Apple and Google statement said, “we believe that these strong privacy protections are also the best way to encourage use of these apps.”
The decentralized exposure notification model in a nutshell
So, how does exposure notification work in this Apple and Google decentralized model? In a nutshell, random IDs are exchanged using Bluetooth between your phone and the phones of others who have opted in around you. These random IDs are stored on your phone and are not shared with any central database server.
Unless that is, someone is diagnosed with COVID-19 and shares that information with the official contact tracing app. At this point, the ID beacons from the previous 14 days are, with your permission, uploaded to a central server from where matching users can be notified of the exposure if they have also opted in.
This system isn’t interested in tracking your location, just the devices you have been in contact with. It doesn’t share other users’ identities with the app itself or with Apple or Google for that matter.
What’s more, the random ID allocated to your phone is changed every 10 to 20 minutes to prevent tracking as opposed to contact tracing, and these IDs are deleted after 14 days.
“All of the exposure notification matching happens on your device, which means that only you and your app know if you report having COVID-19 or been exposed to someone who has reported having COVID-19,” according to Google. That same Google statement said that “the public health authority app is not allowed to use your phone’s location or track your location in the background.”
It’s worth pointing out that there are also plans to allow the activation of Bluetooth ID beacons, following another operating system update in the coming months, without the requirement of a separate app being installed. “If a match is detected the user will be notified, and if the user has not already downloaded an official public health authority app they will be prompted to download an official app and advised on next steps,” an Apple and Google exposure notification FAQ stated. Once again, however, this will be opt-in, and all the same requirements as before apply.
How to disable Apple and Google COVID-19 exposure notification
If you’ve decided, for whatever reason, that contact tracing isn’t something that you want to participate in, then you’ll likely be looking for ways to disable or delete the exposure notification framework.
Remember, however, if you don’t enable exposure notifications, then you will not be notified if you have potentially been exposed to COVID-19. Only you alone can determine if that is a risk worth taking, and the flip of this is that you might also expose others who would be none the wiser if you had the infection.
First things first, then: you don’t need to ‘disable’ exposure notifications as they are not enabled by default. As I’ve already made clear, the exposure notification framework currently only works if you have installed an official tracking app and opted into using the notification system. Even if, or when, it becomes part of the operating system without the need for a separately installed app, it will still be an opt-in thing.
Google said that you can turn off exposure notifications in your Android phone settings or uninstall the official public health app if you’ve previously installed one when it becomes available. Just go to the settings app, click on Google|COVID-19 exposure notifications, and you can toggle them on or off from there. From the same place, you can also delete any random IDs that have been stored by clicking on Delete random IDs|Delete.
Apple said that the “choice to use this technology rests with the user, and he or she can turn it off at any time by uninstalling the contact tracing application or turning off exposure notification in Settings.” As with Android users, the toggle for exposure logging is off by default in iOS 13.5 and later. If you have installed an officially authorized app and opted into exposure notification use, then you need to go to Settings|Privacy|Health from where you can toggle them on or off. You can also delete any exposure logs, kept for 14 days as with Android devices, from the same settings page.
Remember, in both cases, you won’t be notified if you’ve been exposed to COVID-19.
Why uninstalling the exposure notification framework is a bad idea
I would strongly advise you not to follow any of the guides you may find online with instructions for how to remove the framework altogether. These involve rolling back to a previous version of the operating system and ensuring that automatic updates are disabled to prevent any further updates from being installed. As a cybersecurity person, I cannot stress enough what a bad idea it is not to be protected against attackers who would exploit unpatched vulnerabilities in either Android or iOS.
If you are anxious about the privacy of your data, and this is why you want to disable the COVID-19 exposure notification capability, then it makes no sense to open up your device to attacks with the potential to access your data.
I have approached both Apple and Google for further comment, and will update this article should any be forthcoming.