A Critique of the Google Apple Exposure Notification (GAEN) Framework

As a response to the COVID-19 pandemic, digital contact tracing has been proposed as a tool to support the health authorities in their quest to determine who has been in close and sustained contact with a person infected by the coronavirus. In April 2020, Google and Apple released the Google Apple Exposure Notification (GAEN) framework as a decentralised and more privacy-friendly platform for contact tracing. The GAEN framework implements exposure notification mostly at the operating system layer, instead of fully at the app(lication) layer. In this paper we study the consequences of this approach. We argue that it creates a dormant functionality for mass surveillance at the operating system layer. We show that it does not technically prevent the health authorities from implementing a purely centralised form of contact tracing (even though that is the stated aim). We highlight that GAEN allows Google and Apple to dictate how contact tracing is (or rather isn't) implemented in practice by health authorities, and that it introduces the risk of function creep.