Lack of privacy law complicates US debate over Covid-19 tracking

Analysis

App developers and state governments in the United States are churning out new technologies for tracking the spread of the coronavirus. In the absence of a national privacy law, experts raise concerns about surveillance and scramble to define the boundaries for data collection during the pandemic.

Senator Wicker at a hearing in 2019

As elsewhere around the world, health experts, technologists, and lawmakers in the United States are grappling with how to design countrywide monitoring systems that would serve as an early warning for regional or local Covid-19 outbreaks. The technology could also be used to identify and isolate those who test positive for the virus while allowing healthy individuals to slowly resume normal activities.

At the same time, the use of big data sets and advanced technologies to analyze them raises concerns about surveillance by governments and companies. In the United States, this debate is complicated by the lack of a unified federal response to the crisis as well as by the lack of a comprehensive federal privacy law. After more than a year of deliberations, Congress has yet to pass such a bill.

In early April, the Senate Commerce Committee invited panelists to submit their testimonies on how big data can be enlisted to combat the pandemic. The ideas range from systems that would draw data from widespread diagnostic testing and hospitals to mobile phone-based apps that individuals would download voluntarily to identify themselves as infected in order to help others avoid contact.

The proposals raised concerns from senators engaged in drafting a federal privacy bill. “The potential benefits of big data to help contain the virus and limit future outbreaks could be significant,” Sen. Roger Wicker, R-Miss., chairman of the committee, said in a statement. “To maximize these benefits, however, privacy risks to consumers will need to be minimized.” That means understanding how data is collected and whether it’s sufficiently “anonymized to remove all personally identifiable information and prevent individuals from being re-identified,” he said.

“Our public health agencies should use the best tools available to slow the spread of this epidemic, but an emergency can’t be an excuse to violate Americans’ rights,” Sen. Ron Wyden, D-Ore., said in an email. “It may be appropriate for companies to share some information with the government, but only if there is full transparency about what data is being shared, assurances it will never be used by law enforcement, and with strict protections in place to protect Americans’ information against abuse.”

Fears of surveillance

White House senior adviser Jared Kushner received pushback from lawmakers after Politico reported that he was in discussions with tech companies about creating a national surveillance system to give the federal government a clear view of infections, patients seeking treatment, and hospital capacity.

The report, which relied on unnamed sources, led Democratic lawmakers including Sens. Mark Warner, D-Va., Richard Blumenthal, D-Conn., and Rep. Anna Eshoo, D-Calif., to write to Kushner about the secrecy surrounding his effort and how it might affect Americans’ privacy.

“While we support greater efforts to track and combat the spread of Covid-19 – and have been alarmed by the notably delayed response to the crisis by this administration – we have serious concerns with the secrecy of these efforts and their impact on the health privacy of all Americans,” the lawmakers wrote. “Your office’s denial of the existence of this effort, despite ample corroborating reporting, only compounds concerns we have with lack of transparency.”

Fears of surveillance may be exacerbated by different understandings of the term in the security and privacy community and the health community. The term surveillance used in the context of a pandemic is different from its everyday use and often causes confusion, said William Staples, a sociology professor at the University of Kansas, and director of its Surveillance Studies Research Center. Health experts often use the term surveillance “in the sense of keeping an eye on” a disease, Staples said.

It’s likely that Kushner’s plans to create a surveillance system are quite similar to what a group of health experts proposed in a paper published by Duke University last week. Establishing a surveillance system would require “ongoing coordination between health care providers and state and local public health authorities,” with support from the Centers for Disease Control and Prevention (CDC), the authors wrote. The system they propose should have the capability to identify individuals with symptoms and to monitor vulnerable populations. It should be connected to the existing National Syndromic Surveillance System – a collaboration between the CDC, state health departments, hospitals, laboratories, and doctors that collects, analyzes, and shares electronic patient data.

Apps emerge to fill gaps

Yet it remains unclear if the White House will set such a uniform national standard. For now, states and their governors are leading the effort in contact tracing, while private actors are already jumping in to fill the gaps. This could be risky, warns sociology professor Staples. “Technologies rushed into use in the midst of a public health crisis without adequate policy reviews, public hearings and other assessments could have downsides. We don’t know whether it works or not, we haven’t answered the question of who controls the data, who has access to it.”

Google and Facebook as well as data brokers that collect location information from mobile phone apps have mapped out the drop in economic activity worldwide by examining the movement of mobile phone users who allow their location to be tracked.

The Google dashboard, for example, shows that restaurants, cafes, shopping centers, and museums in Washington D.C. had seen a drop in traffic of 66 percent as of Sunday, April 5 compared with a median Sunday during the baseline period Jan. 3-Feb. 6.

Kinsa, maker of a smart thermometer that connects to a web-based app, also has launched a website that tracks fever spikes and other flu-like symptoms across the United States.

Apple and Google also announced on Friday that they were collaborating to create new tools that would allow smartphone users to use apps to indicate whether they have tested positive for the disease. The apps then would broadcast a Bluetooth signal that would allow other users with similar apps to figure out if they crossed paths with an infected individual.

Some app makers are trying to design their products to high privacy standards. Ramesh Raskar, a professor at the Massachusetts Institute of Technology, has led a consortium that includes hospital and public health specialists to develop an app called Private Kit that allows an infected individual to opt for 28-day tracking using the app.

The patient’s doctor or a state health official would use a secure website to redact all personally identifiable information of the infected person. The infected person’s location trail would then be broadcast from his or her phone using a Bluetooth signal that other phone users can see and determine if they have come into close contact with a diagnosed patient. The transmission of information would use “encrypted trail match with mathematical guarantees of privacy,” Raskar said in an email. No data from the healthy users of the app leaves their devices, according to MIT.

Raskar said his consortium is in touch with Massachusetts officials to see if the app can be used as part of the contact-tracing program. Massachusetts is one of the first states to launch a statewide contact-tracing program in partnership with the non-profit Partners in Health that plans to hire people who would track and trace patients, advise them on quarantine, and get them tested.

Drawing the line between justified and excessive use

The dilemma for app makers like Private Kit is that they will have to work hard to gain consumer trust. A U.S. data privacy law similar to the European Union’s General Data Protection Regulation (GDPR) could have helped “assuage consumer concerns about how apps are dealing with data” and given people confidence that data being collected from them in a crisis wouldn’t be misused, said Graham Dufault, senior director for public policy at The App Association.

App developers are taking into account existing privacy guidelines such as GDPR but they would have “more difficulty with deciphering” rules that are still being formulated under the California Consumer Privacy Act (CCPA), Dufault said. California’s far-ranging privacy legislation went into force this year, but is still in the early implementation phase.

In the absence of clear legal standards, privacy experts have been busy defining the criteria to draw the line between justified pandemic surveillance and disproportionate intrusions into citizens’ rights.

The American Civil Liberties Union (ACLU) said that “policymakers must have a realistic understanding of what data produced by individuals’ mobile phones can and cannot do.” Phone location data “contains an enormously invasive and personal set of information about each of us” and can reveal sexual, social, religious, and political identities, ACLU said.

On the other hand, aggregate data used to determine whether people are staying home or congregating in places, or determining travel patterns from areas of high infection to other areas could help predict where medical services may be urgently needed, said Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy and Technology. “Those uses of aggregate information are creative, useful, and can be done in a privacy protected way,” Nojeim said. “But disclosure of more individualized data can be problematic.”

Also, not all uses of tracking information may be accurate for the purposes they’re intended, Nojeim said. Location information drawn from cellphone towers isn’t accurate enough to say whether two individuals were in close proximity to each other, for example, he said. GPS signals are more accurate to calculate proximity and Bluetooth signals are likely the most accurate, he said.

Another important consideration is whether there is an exit strategy, not just for ending the virus-related lockdowns but also for ending excessive data collection and tracking. “The goal of such questions isn’t to stop applications of technology but to pause and ask how to prevent their misuse,” said Staples, the sociology professor and surveillance expert from Kansas. It would be important to ask if those technologies were still being used, “two or six years after a crisis,” and whether they were put to other uses by government agencies.