As many countries around the world are lifting their stay-at-home orders, public health agencies are scrambling to implement contact tracing to limit a resurgence of COVID-19. Several app-based contact tracing solutions have arisen in the past few weeks, some of which are based on Google and Apple's Exposure Notification API, and now developers of public health agencies have access to another COVID-19 contact tracing API: Huawei's Contact Shield API.

In an update to version 4.1.0.301 of HMS Core, Huawei's alternative to Google Play Services, Huawei's new Contact Shield APIs were added "to provide fundamental capabilities to help minimise the spread of COVID-19."

HMSCore Contact Shield API

Huawei has not yet formally announced its new Contact Shield APIs, but a spokesperson for Huawei pointed us to its documentation on Huawei's developer site. According to the API's Service Introduction page, the Contact Shield API "provides privacy-protecting contact tracing services for Huawei device users." The API "utilizes the Bluetooth low energy (BLE) technology to detect nearby devices, exchange data with detected devices, and record contacts with user information anonymized." Google and Apple's Exposure Notification API also uses Bluetooth for contact tracing.

A separate page provides further details on Huawei's new API. The page does not explicitly answer whether or not Huawei's API is related to Google and Apple's Exposure Notification API, but Google told the press back in April that the company "intends to publish a framework that those companies [such as Huawei] could use to replicate the secure, anonymous tracking system developed by Google and Apple." Huawei's Contact Shield FAQ page continues by listing several bullet points on how its contact tracing API is alleged to protect user privacy, all of which are similarly worded to privacy guidelines outlined in Google and Apple's implementation.

For quick reference, here are the bullet points:

How does the HUAWEI Contact Shield protect user privacy?

  • Users can determine whether to enable Contact Shield, whether to upload anonymous identifiers to the cloud, and whether to obtain diagnosis results by themselves.
  • Using anonymous identifiers will not record or store any personal information such as user locations. These identifiers will only be stored for 14 days.
  • After a user uninstalls your app, the user's historical data stored on the device will be deleted. A user can also manually delete all historical data.
  • Only developers authorized by governments and strictly assessed by Huawei can use Contact Shield APIs to develop apps.
  • Huawei will sign an additional service agreement stating the user privacy protection requirements with eligible developers.

So far, only a handful of countries have implemented Google and Apple's Exposure Notification contact tracing API into their applications. The latest version of Google Play Services includes the API, but several Huawei and Honor-branded smartphones released after the U.S. trade ban do not have Google Play Services pre-installed. On those devices, which include the Huawei Mate 30, Huawei P40, and Honor 30 series, users will be able to partake in COVID-19 contact tracing once developers of public health agencies implement Huawei's new Contact Shield API.

Thanks to Discord user SerjSev for the tip!

Update 1: More Details

A Huawei spokesperson shared a few additional details about the new Contact Shield API. According to the spokesperson, Huawei's API follows the internationally-developed Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol. Contact Shield is said to be interoperable with other contact tracing solutions, including Google and Apple's Exposure Notification API. As was also noted in the FAQ, the spokesperson told us that the API can only be accessed by an app if the developers for a public health organization sign an agreement with Huawei. In addition, Huawei told us they will also have the developers sign an additional agreement to require compliance with user privacy protection regulations.

The API is contained within HMS Core version 4.1 and later. Users who are running older HMS Core versions will be prompted to update to the latest release rolling out this month.