Contact-Tracing and Privacy

Privacy Plus+

Privacy, Technology and Perspective

Contact-Tracing and Privacy. This week, let’s consider the privacy concerns associated with contact-tracing, and how those concerns can be addressed.

This is one of those times when something must be done fast. In testimony before a House subcommittee this week, Dr. Rick Bright, a former program leader at the Biomedical Advanced Research and Development Authority, said:

"Our window of opportunity is closing... I fear the pandemic will get worse and be prolonged... Without better planning, 2020 could be the darkest winter in modern history."

He explained the path forward as follows:

“We need to have the right testing for everyone who needs it,” he told the House subcommittee. “We need to be able to trace contacts, isolate, quarantine, and appropriately — while striving to develop a cure.”

You can watch the full video of Dr. Bright’s testimony by clicking on the following link:

https://t.co/2qnGXlaRG2   

Here, we focus on contact-tracing, which tracks the interactions between those diagnosed with COVID-19 and the wider community, so that the patients’ “contacts” may be warned and advised to protect themselves and people close to them. 

Dr. Bright and other scientists suggest that contact-tracing is required in order to suppress transmission of the virus to low levels. But the United States has been slow to act, and it is unclear whether contact-tracing itself can satisfy privacy concerns, especially where apps might be used in the United States to do that tracing.

So, rolling out contact-tracing fast isn’t good enough.  It must also be done right. 

Here, we see two hurdles: one conceptual, and the other practical.

The Conceptual Hurdle:

Personal Privacy vs. The Greater Human Good

The first hurdle is that any well-meaning contact-tracing requires surveillance that can invade personal privacy, deter free speech, and burden already vulnerable groups. It is not inconceivable at all that a contact-tracing app could be used for mass surveillance beyond the original purpose of COVID-19 contact-tracing. But even if use of an app were appropriately limited to the purpose of contact-tracing, a substantial amount of personal information still would be collected and used. And in many ways, you “are” where you go, whom you see, whom you are around…

If contact-tracing is to work, then like it or not, your whereabouts and associations must all be revealed to others, albeit in the service of public health and the community good.  That will require a compromise of our most basic rights and principles of Privacy for the greater good.

So be it; but like every other compromise of personal principle we sometimes have to make in life, we should only do it with clear understanding of why we are doing it and how we are taking clear steps to limit the compromise as best we can.  We can accept contact tracing because our responsibility to one another is greater than our personal preference; and we can expect and require that the personal information derived from it be strictly limited and soon destroyed. 

The Practical Hurdle:

How to Contact Trace with Sufficient Privacy Safeguards

 The second hurdle is “how to do it.”  There are two ways.  One is by hand, and the other is through an app.  Neither way is easy or problem-free. 

Contact tracing has traditionally been done manually.  It requires trained individuals to interview patients, then search out and call those persons’ contacts and warn them that they’ve been exposed.  Small, expensive armies of workers will be required, and the process will take time. 

Contact-tracing automatically with smartphone apps may be more efficient than the manual technique, and, in fact, technologists and governments around the world have already developed and are using such apps. Automated Bluetooth tracing is considered more privacy-preserving than apps that rely purely on location data. But contact-tracing apps themselves aren’t reliable enough yet, and therefore their effectiveness is controversial. For more on the issues of contact-tracing apps and the problems they pose for public health authorities and the public, see The Economist’s excellent article here:

https://www.economist.com/leaders/2020/05/16/dont-rely-on-contact-tracing-apps

Regardless of how contact-tracing is done, traditional privacy principles should apply to protect against the threat posed by this surveillance.  To this end, the Electronic Frontier Foundation (EFF) has published helpful guidance for privacy protections in the context of surveillance for public health purposes, which is available at the following link:

https://www.eff.org/deeplinks/2020/04/how-eff-evaluates-government-demands-new-surveillance-powers

Here, we would highlight the importance of privacy by design, information security, anti-bias, and data minimization. Further, any system that is deployed in the United States should be subject to a Privacy Impact Assessment (PIA) as contemplated by the E-Government Act of 2002. Such a PIA should document the due diligence and oversight placed upon the information associated with the contact-tracing app in question and disclose to the American public what information is being collected, used, shared, and protected.

Let’s do this fast.  But let’s do it right. 

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.

 
