July 18, 2022

Reflecting on APIs in the time of COVID

While the COVID pandemic is far from over, the era of the COVID exposure app may be. With Canada sunsetting its COVID alert app, it’s a good time to reflect on how in this case the API gave birth to the app instead of vice versa.

At the beginning of the pandemic, public health departments the world over scrambled to find ways to notify their citizens that they may have come into contact with an infected person and should probably get tested. They hired armies of contact tracers to call close contacts of infected people, but this work was often slow, sometimes unreliable, and decidedly old-fashioned.

With smartphone usage in developed countries nearing ubiquity, it was clear that some app-based solution should have been possible. However, privacy concerns ramped up immediately. Any native app would likely have required vast databases detailing user data like identity, location, movement, and of course health status. As we’ve detailed on this blog, government-run APIs that would talk to those databases can sometimes be leaky. Not to mention, the mere creation of a database that details citizens’ personal information and movements makes it an extremely tempting target.

The assignment, therefore, was to create a system that took all of that data and left it exactly where it already was. To do that, you need an API.

Indeed, Apple and Google finished and announced their joint-venture API in May of 2020 and began granting public institutions access so they could start building their apps atop it. Britain, which once again tried to go it alone, eventually scrapped its first version of a contact-tracing app and went with the Apple-Google framework.

With their combined repository of data and metadata, Apple and Google were able to create an API that heavily encrypted all metadata, even down to the type of device and signal strength. Many of the apps built atop that API were remarkably simple as a result. Many required just three steps: download the app, enable Bluetooth, and flag if you ever got infected.

Our takeaway here is that most of today’s solutions won’t need to be built from whole cloth. Lots of talented people have already done lots of work collecting useful data. All that’s left is to get those datasets to talk to each other through a secure API.