Public Health Versus Privacy

In times of emergency, how much privacy should—or will—Americans give up?

After the attacks of September 11, 2001, the U.S. government expanded its power and established new surveillance measures. At that time, the fight was against terrorism. Now the fight is against COVID-19. Tech companies and the government must decide how far to go with treading on individual privacy.

In a viral outbreak, contact tracing, which means identifying all the recent interactions of sick individuals to determine who they might have infected, can be an effective and sometimes necessary public health response.

But traditional contact tracing methods—which involve a manual process of asking infected individuals with whom they have come in contact—“are not fast enough” for the novel coronavirus, according to a group of Oxford researchers. Digital contact tracing, they say, could help control the spread of the virus.

Digital contact tracing involves combining health and location-related data to inform users or public health officials where the risk of exposure to COVID-19 is highest and to alert users if they have come into contact with someone who is infected. Instead of relying on in-person interviews, digital contact tracing relies on cell phones and smartphones, which have several means of tracking movements.

In the United States, policymakers and privacy advocates are raising concerns about data privacy as reports of tech companies working with the federal government to respond to coronavirus surface.

Amid this growing concern, Apple and Google announced their own partnership, which involves enabling the use of Bluetooth technology on cell phones to inform users of potential infection and aid public health officials in contact tracing efforts.

The technology—which will be opt in—will allow the user’s phone to exchange Bluetooth signals with nearby phones. If the user tests positive for COVID-19, they could report it through the system, and everyone who had been in recent contact with the infected user would receive a notification about possible exposure. The companies are also creating a set of tools that will allow public health authorities to develop apps that interact with Apple and Google phone operating systems and the Bluetooth exposure notification system.

“Privacy, transparency, and consent are of utmost importance in this effort,” according to the companies.

Because the technology works by exchanging Bluetooth signals, it does not collect or use location data. All user data are de-identified. To prevent anyone from tracking a specific phone over time, each phone will generate a new identifier on average every 15 minutes. In addition to other privacy protections, users must opt-in and give explicit consent before sharing any data.

But experts—both those who are concerned that there are too many privacy protections and those who are concerned there are not enough—doubt that a tracking system in the proposed form could be effective.

Stewart Baker, a Washington, D.C. attorney who has argued that limits on the government’s surveillance powers contributed to the security lapse before 9/11, asserts that the proposal “compromises public health in the name of privacy.”

The biggest mistake, Baker argues, is that the proposed program would be “completely independent of any central health authority” that could ensure that anyone who tests positive for the virus reports their status in the app. Instead, the program depends on individuals choosing to report a positive diagnosis of COVID-19 and consenting to the app notifying their contacts that they have been in contact with an infected person.

Others have raised similar concerns about the voluntary nature of the technology. “To the extent that technology-based contact tracing has been effective” in other countries, these efforts “have not been voluntary, self-reported, or involved self-help,” Ryan Calo of the University of Washington School of Law explained at a recent paper hearing of the U.S. Senate Committee on Commerce, Science, and Transportation.

South Korea, for example, slowed the spread of the virus using some of the most extreme surveillance measures available—reportedly including minute-by-minute logs of infected persons’ movements.

In the United States, mobile phone infection tracking is unlikely to work without widespread use, Baker argues. Instead, he argues that governors can and should take measures to ensure all residents of their states use contract tracing technology. For example, governors of the 40 states that adopted a version of a model public health emergency law after 9/11 likely have the authority to force Apple and Google to auto-download apps to every Android and iPhone in their states, Baker argues.

Moreover, Baker claims that “governors likely have authority to require that residents of their states activate the app.” The model law grants states authority to conduct “any diagnostic or investigative analyses necessary to prevent the spread of the disease” during a public health emergency. To ensure that residents comply with the requirement, states could, Baker argues, order Apple and Google to identify the phones on which the contact tracing app has not been activated.

Although federal law prohibits companies from sharing this information with the government without a subpoena, it provides an exception for “an emergency involving danger of death or serious physical injury to any person.”

Some privacy advocates, despite favoring a decentralized voluntary approach, worry that any attempt to mandate the tracking of the spread of COVID-19 at an individual level using mobile apps threatens privacy and civil liberties.

Advocates warn that, although Google and Apple claim the data will be anonymous, “de-identified” data can and have been re-identified.

Advocates are also concerned about future uses of the data. Since 9/11, information acquired by surveillance on national security grounds has been used to prosecute “commonplace, domestic crimes” such as mortgage fraud.

Although data collected today would be used for public health purposes, the question remains: Could tech companies or the government hold onto it and use it for commercial or law enforcement purposes? Apple and Google plan to “disable” their program on a regional basis “when it is no longer needed,” but have not released the criteria the companies will use to determine when to “self-destruct” the program, the American Civil Liberties Union has noted.

Alan Rozenshtein, a professor at the University of Minnesota Law School, notes that the Fourth Amendment will determine the limits of any government surveillance. He says that the U.S. Supreme Court’s decision in Carpenter v. United States, which held that the Fourth Amendment applies to cell phone location data that the government acquires from a mobile provider, could provide additional protections for searches of health information in private databases, as others have argued.

A bipartisan group of former public health officials recently called for the use of a different tool: a contact tracing workforce of 180,000 around the country.

Meanwhile, several states are reportedly using or considering using digital apps to help with contact tracing. So far, however, public health officials in states such as Massachusetts, New York, and California are choosing to hire and train an unprecedented number of human contact tracers. How and whether states use digital apps to supplement or replace these efforts remains to be determined.