The (Google/Apple) Exposure Notification System (GAEN)[2][3][a] is a framework and protocol specification developed by Apple Inc. and Google to facilitate digital contact tracing during the COVID-19 pandemic.

When used by health authorities, it augments more traditional contact tracing techniques by automatically logging close approaches among notification system users using Android or iOS smartphones.

Exposure Notification is a decentralized reporting protocol built on a combination of Bluetooth Low Energy technology and privacy-preserving cryptography.

This leads to issues, particularly on iOS devices where digital contact tracing apps running in the background experience significantly degraded performance.

The ACLU stated the approach "appears to mitigate the worst privacy and centralization risks, but there is still room for improvement".

[22] Digital contact tracing protocols typically have two major responsibilities: encounter logging and infection reporting.

The tracking messages contain unique identifiers that are encrypted with a secret daily key held by the sending device.

If a user tests positive for infection, the last 14 days of their daily encryption keys can be uploaded to a central server, where it is then broadcast to all devices on the network.

The method through which daily encryption keys are transmitted to the central server and broadcast is defined by individual app developers.

This causes the app to obtain a cryptographically signed certificate, which is used to authorize the submission of keys to the central reporting server.

[25] The received keys are then provided to the protocol, where each client individually searches for matches in their local encounter history.

If a match meeting certain risk parameters is found, the app notifies the user of potential exposure to the infection.

[26] Google and Apple intend to use the received signal strength (RSSI) of the beacon messages as a source to infer proximity.

If a matching entry is found, then contact has been established and the app presents a notification to the user warning them of potential infection.

Clients then download this report and individually recalculate every Rolling Proximity Identifier starting from interval number

If a matching entry is found, then contact has been established and the app presents a notification to the user warning them of potential infection.

[29] Preservation of privacy was referred to as a major component of the protocol; it is designed so that no personally identifiable information can be obtained about the user or their device.

[30][11][31][32] Apps implementing Exposure Notification are only allowed to collect personal information from users on a voluntary basis.

[35] The Electronic Frontier Foundation showed concerns the protocol was vulnerable to "linkage attacks", where sufficiently capable third parties who had recorded beacon traffic may retroactively be able to turn this information into tracking information, for only areas in which they had already recorded beacons, for a limited time segment and for only users who have disclosed their COVID-19 status, once a device's set of daily encryption keys have been revealed.

[37] On April 17, 2020, the UK's Information Commissioner's Office, a supervisory authority for data protection, published an opinion analyzing both Exposure Notification and the Decentralized Privacy-Preserving Proximity Tracing protocol, stating that the systems are "aligned with the principles of data protection by design and by default" (as mandated by the GDPR).

Under this system, a health authority provides parameters specific to their implementation (such as thresholds, branding, messaging, and key servers), which is then processed to generate the required functionality.

Nothing has however been issued on the one year anniversary of the launch of the “Exposure Notification Interface” API in spite of important changes on the pandemic front such as vaccination, variants, digital health passports, app adoption challenges as well as growing interest for tracking QR codes (and notifying from that basis) on a mostly airborne transmitted virus.

[47] In June 2021, Google faced allegations that it had automatically downloaded Massachusetts' "MassNotify" app to Android devices without user consent.

[33] On May 25, Switzerland became the first country to launch an app leveraging the protocol, SwissCovid, beginning with a small pilot group.

[54] On June 18, the NHS announced that it would focus on using Exposure Notification to complement manual contact tracing, citing tests on the Isle of Wight showing that it had better cross-device compatibility (and would also be compatible with other European approaches), but that its distance calculations were not as reliable as the centralized version of the app,[55] an issue which was later rectified.

[58] A study of the impact of Exposure Notification in England and Wales estimated that it averted 8,700 (95% confidence interval 4,700–13,500) deaths out of the 32,500 recorded from its introduction on 24 September 2020 to 31 December 2020.

[59] Canada launched its COVID Alert app, co-developed in partnership with BlackBerry Limited and Shopify,[60] on July 31 in Ontario.

[62][63][64] In May 2020, Covid Watch launched the first calibration and beta testing pilot of the GAEN APIs in the United States at the University of Arizona.

[82][83][84] August 19, 2020 (released) November 9, 2020 (statewide) Some countries, such as France, have pursued centralized approaches to digital contact tracing, in order to maintain records of personal information that can be used to assist in investigating cases.

[142] On August 9, the Canadian province of Alberta announced plans to migrate to the EN-based COVID Alert from its BlueTrace-based ABTraceTogether app.