The value of technology – and its role in our nation’s productivity – has been amply demonstrated over the past month as it has enabled millions of businesses to remain operational through mandated shutdowns in response to the coronavirus. Technology has also helped counter and corral the virus through modeling and the analysis of human movement. It may be both a blessing and a curse.
Privacy advocates fear that some intrusive tracking and tracing measures taken by governments will put us one step closer to a surveillance state while others argue that public health considerations outweigh privacy concerns. The debate primarily centers around the use of communications and location data from applications and mobile phones and draconian tracking measures by some governments.
Apple and Google changed the debate yesterday by announcing that they had partnered to launch a comprehensive set of technology tools on their platforms to facilitate consent-based contact tracing of the coronavirus. With a heavy emphasis on privacy, the companies plan on leveraging Bluetooth technology (which can be turned on and off by the user) to enable mobile users to voluntarily use apps to provide information on whether they have been infected with the coronavirus. Devices using the apps will send a unique signal to other nearby devices that are in the proximity of an infected person, without any identification of the person or the location of the person.
Through close cooperation and collaboration with developers, governments, and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life.
What Governments are Doing
The Wall Street Journal (WSJ) reported at the end of March that the Centers for Disease Control and Prevention (CDC) and state and local governments have started to use mobile advertising data to analyze where people are and where they go. The goal is to create a database of geolocation data that can be used by local, state, and federal governments across the U.S. The data does not contain any identifying information but could reveal where people are going, what parks, stores or public spaces are drawing crowds, and whether people are complying with stay-at-home orders. The WSJ also noted that some companies are making their location data available to researchers, the government, or the public.
This is not a new practice. A month earlier, the WSJ reported that the Trump Administration had purchased access to a commercial database of mobile app location data to help it detect undocumented immigrants and enforce immigration laws. The company that operates the database, Venntel, is located outside of Washington, DC and has a close relationship with a company that is involved in mobile advertising. We must also be mindful that after 9/11, the U.S. government obtained access to a vast amount of communications data in order to counter terrorism – and some of these permissions still exist today.
With 3.8 billion smartphones deployed around the globe, numerous other governments are also using technology and mobile data to track and trace the coronavirus and keep their populations in check. The Washington Post reported that Taiwan, Singapore, China, South Korea, Britain, and Israel were using smartphone location data and/or location tracking technologies in their attempts to counter the spread of the coronavirus, while another report outlined the measures being used in Russia. This week, OneZero detailed coronavirus surveillance measures being taken by governments in these and 22 additional countries, which include government-developed applications; the use of QR codes, electronic tracking bracelets, drones, and SIM cards; and data mining of credit card and camera footage.
Public Health and Safety versus Privacy
The privacy community is on high alert and government officials are struggling with how to balance public health and privacy concerns. Justifying access may seem easy when put in terms of public health and safety, but there are actually complex privacy and civil liberty issues that deserve serious consideration.
The Future of Privacy Forum (FPF) analyzed mobile apps and software development kits (SDKs) that have been developed by private entities and governments to help manage the COVID-19 pandemic. They developed a very useful comparative chart, which details each app and its purpose, what personal data is collected and how, who can access it, what the data is used for, where and how long the data is stored, what privacy issues exist, what safeguards are in place, and whether it is open source. The full chart and detailed information about each app/SDK can be accessed here. A common feature among them is their use of sensitive personal information, namely health-related information, and/or location data.
John Verdi, FPF’s Vice President of Policy, makes an important distinction, though, by noting that “Each of the applications in the chart use different technologies to infer whether a person was close to an infected person, and each technology has different implications for privacy.” Verdi suggests, “The first thing to consider is how to best use clinical and non-clinical data that is already being collected but not analyzed; the second is to come up with ways to trace contacts regarding public health with common sense privacy safeguards and oversight.”
There are accepted privacy principles that originated in the 1996 EU Data Protection Directive, influenced legal frameworks around the globe, and have been incorporated in privacy best practices and standards.
Jim Dempsey, Executive Director of the Berkeley Center for Law and Technology, points out that almost every collection of data involves privacy issues, but that is only the beginning of the analysis. Privacy is context dependent, he notes, and deciding whether a given use is justified involves a multi-factor balancing of interests. Moreover, “Efficacy is a central consideration when analyzing any usage of personal data; you start with efficacy and end with efficacy.” Dempsey adds that, “There is no cookie cutter: each use of data needs to be assessed on its own. Any use should be defined, specific, and have a sunset date.”
Dempsey was appointed by President Obama to the Privacy and Civil Liberties Oversight Board (PCLOB), serving from 2012 to 2017 as a part-time member of the independent federal agency charged with advising senior policymakers and overseeing the nation’s counterterrorism programs. Speaking from experience, he suggests that, at a minimum, the following questions be part of any assessment process:
· What is the purpose of the collection?
· How much data will be collected?
· Who is it collected from? An individual or a third party?
· Is there consent to collect the data?
· What notice and transparency was provided?
· What rights of control does the individual have?
· Will the data be aggregated or anonymized?
· What limits will there be on secondary uses?
· Who will the data be given to?
· Who will act or what actions will be taken on the conclusions derived from the data?
· Will the data be used for decisions about individuals or to guide more generalized policy or resource allocation decisions?
Apple and Google Offer A Voluntary Approach
Apple and Google’s announcement of a joint effort that enables a privacy-friendlier approach to contact tracing is a breath of fresh air. It replaces heavy-handed government action by putting the people — and their voluntary consent — at the center of the effort to contain the coronavirus. The user voluntarily decides whether to use the app and whether to indicate they have been infected, and their privacy is protected because their identity and location are not revealed in alerts to others they have come in contact with.
Since Apple and Google collectively service three billion mobile users, this has the potential of monitoring a third of the world’s population. Its potential reach is even broader than that since the apps can send alerts to devices not using Apple or Google software. This could be a game changer. That said, however, privacy assessments of the apps will still be essential, and the companies need to ensure that each app undergoes rigorous review and the findings are made public.