A Critique of the Google Apple Exposure Notification (GAEN) Framework

TL;DR

This paper critically examines the GAEN framework, revealing its potential for mass surveillance, centralization risks, and how it allows tech giants to influence contact tracing implementations despite privacy claims.

Contribution

It provides a detailed critique of GAEN's architecture, exposing privacy and control issues not addressed by the framework.

Findings

GAEN's OS-level implementation creates dormant surveillance capabilities.

It does not technically prevent centralized contact tracing.

GAEN allows tech companies to influence health authorities' contact tracing methods.

Abstract

As a response to the COVID-19 pandemic digital contact tracing has been proposed as a tool to support the health authorities in their quest to determine who has been in close and sustained contact with a person infected by the coronavirus. In April 2020 Google and Apple released the Google Apple Exposure Notification (GAEN) framework, as a decentralised and more privacy friendly platform for contact tracing. The GAEN framework implements exposure notification mostly at the operating system layer, instead of fully at the app(lication) layer. In this paper we study the consequences of this approach. We argue that this creates a dormant functionality for mass surveillance at the operating system layer. We show how it does not technically prevent the health authorities from implementing a purely centralised form of contact tracing (even though that is the stated aim). We highlight that GAEN allows Google and Apple to dictate how contact tracing is (or rather isn't) implemented in practice by health authorities, and how it introduces the risk of function creep.