How will Apple and Google provide 5-minute data on Covid exposures using 10-minute interval numbers in the hash?


The goal of COVID-19 exposure notification is to notify people that they were exposed to someone who later tested positive for the virus. Protecting privacy in this process requires some cryptography, and avoiding excessively granular detail on user locations. But providing data useful for disease prevention requires adequate detail in measuring the length of exposures.

There is a new API for such exposure notification from Apple and Google, but it has a tension between 5- and 10-minute numbers that I don’t see how to resolve.

The cryptography specification, v1.2.1, specifies 10-minute intervals as inputs to the hash: “in this protocol, the time is discretized in 10 minute intervals that are enumerated starting from Unix Epoch Time. ENIntervalNumber allows conversion of the current time to a number representing the interval it’s in.”

Meanwhile the FAQ, v1.1, specifies 5-minute increments in the output: “Public health authorities will set a minimum threshold for time spent together, such that a user needs to be within Bluetooth range for at least 5 minutes to register a match. If the contact is longer than 5 minutes, the system will report time in increments of 5 minutes up to a maximum of 30 minutes to ensure privacy.”

How will the system report times in 5-minute increments when the interval numbers are only updated for the hash once every 10 minutes?