Privacy Issues Abound as Contact Tracing Initiatives Take Shape

May 1, 2020

By: Linda A. Malek, Jason E. Johnson, and Khaled Mowad

With more and more countries having flattened their COVID-19 curves, local and federal governments are looking ahead and discussing what going back to business will look like as shelter-in-place and stay-at-home orders are lifted.  Most proposals for re-opening contemplate contact tracing measures to help control a resurgence of COVID-19 outbreaks.  Contact tracing involves public health authorities engaging in systematic reporting and tracking of disease cases among individuals.  The use of contact tracing to help slow or contain the spread of a disease is not new.  In more recent history, contact tracing was used to control the spread of HIV and tuberculosis.  Public health workers have typically used “low-tech” approaches - such as interviewing infected individuals and then contacting each individual who may have been exposed, either by phone or in person.  With the current widespread availability of smart phones, contact tracing for COVID-19 is poised to look significantly different and will likely combine technology with personal contact with affected individuals.  

In the United States, industry has taken the initiative on creating a working framework.  Google and Apple recently announced a joint effort to use Bluetooth technology to detect when individuals’ smart phones have been in close proximity, to help governments and health agencies reduce the spread of the virus, “with user privacy and security central to the design”.  Individual countries in the EU are also working on their own versions that rely on similar types of proximity technology.  The Google/Apple solution appears to involve the collection and use of a vast amount of information about an individual and their contacts and movements.  There is an obvious public benefit to being able to quickly and more precisely identify who may have been in contact with an individual in order to help slow the spread of a disease, but this comes at a potentially significant cost to our privacy and civil liberties.  The stakes are amplified when the contact tracing program is meant to track nearly all or most of a country’s population.

This article will explore the implications and risks inherent to the type of contact tracing likely to become widespread in the United States, and raise key policy and legal issues that should be considered more closely, using the Google/Apple approach as a guide. 

There are many factors that are relevant including what technological approach is ultimately utilized (e.g. Bluetooth, geolocation) and whether a decentralized or centralized approach to data reporting is established. 

The Google/Apple Approach

The Google/Apple approach contemplates that users will download an app created by a public health authority to their devices.  The app broadcasts the device’s Bluetooth beacon to other enabled devices in the vicinity.  When a device receives another device’s beacon, it records and securely stores that signal on the device.  At least once per day, the system downloads from the relevant public health authority a list of beacons that have been verified as belonging to people confirmed as positive for COVID-19.  Each device then checks the beacons it has recorded against the downloaded list.  If there is a match, the app notifies the user of the exposure, potentially including information about the duration of the exposure and the proximity. Importantly, the beacon pings a device has heard are stored on the user’s device and are not sent to a centralized server; the matching happens on the device.  In this way the model is decentralized, a key component advocated by consumer interest and civil rights groups. 

Centralized versus Decentralized

With Bluetooth pings stored on a device, no entity has central access to the massive amount of data that would be collected through individual devices.  Instead, with a decentralized approach users would have to provide their affirmative consent to share data with public health authorities or other entities.  Such users may also consent to sharing of contact information or details of their symptoms – making it easier for health authorities to communicate and give advice and conduct follow-ups.  In a centralized approach, these decisions might rest with the custodian of the central server. 

From a public health perspective, a centralized approach is ideal because a public health authority could audit and run analytics on the data collected which could lead to insights that inform outreach strategies and policy.  However, such an approach elevates the privacy concerns.  Depending on who has control over or access to the server there is a risk that data could be used for other purposes outside of addressing the public emergency.  Without robust oversight the risk could be significant.  Furthermore, with so much data stored in one place the scope of a data breach would be vast - potentially exposing personal data of hundreds of thousands of individuals.  

Google/Apple have stated that access to the technology, at least initially, will be granted only to public health authorities which must develop their own apps. These apps must meet Google/Apple’s specific criteria around privacy, security, and data control.  One risk area here is that scammers may attempt to introduce their apps into the marketplace preying on unsuspecting users who download them only to have private information accessed by unauthorized parties.  This has already happened in other contexts as apps purporting to provide real-time COVID-19 tracking that turned out to be malware were downloaded by many unsuspecting users. App providers will need to work with health authorities and other government entities to police their own app stores to make sure that counterfeit products that threaten user privacy are not made available for download. 

Bluetooth or GPS

Though the Google/Apple Bluetooth approach is decidedly more protective of user privacy than the use of geolocation data, which can pinpoint the exact location of individuals and place them in sensitive places such as a place of worship or a healthcare facility, the Bluetooth approach is not without privacy and security concerns.  Bluetooth technology, though less data-rich than geolocation, can still facilitate invasive tracking of an individual’s movements and habits.  This is in large part because Bluetooth beacons are pervasive.  In addition to smart phones, Bluetooth beacon devices are placed throughout retail locations, supermarkets and stores, and are used as powerful tools for marketers to understand consumer habits.  Apple/Google have promoted a solution that should not result in identifiable information being obtained from Bluetooth pings.  Additionally, they state that the identifiers a device broadcasts are derived cryptographically from a key that stays on the device and are refreshed frequently, so that other devices cannot follow a specific device over time and establish patterns. However, these safeguards are not perfect and may only go so far to protect privacy. 
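To make the decentralized model described above concrete (beacons stored locally, a daily list of keys from positive users, matching on the device, and frequently refreshed identifiers), the following is an added illustrative simulation.  It is not code from Google, Apple, any public health authority, or this article; it assumes a ten-minute rotation window and derives identifiers with HMAC-SHA256 from the Python standard library as a stand-in for the AES-based derivation in the published Google/Apple specification, so its output will not match real devices.  The device names and the contacts they “hear” are constructed for the scenario.

```python
"""Simplified model of decentralized, Bluetooth-based exposure matching.

Illustrative only (not the Google/Apple implementation): identifiers are
derived with HMAC-SHA256 from the standard library instead of the AES-based
derivation in the published specification, so they will not match real devices.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERVAL_SECONDS = 10 * 60                         # assumed 10-minute rotation window
INTERVALS_PER_DAY = 24 * 3600 // INTERVAL_SECONDS  # 144 windows per daily key


def interval_number(unix_time: int) -> int:
    """Map a clock reading to the rotation window it falls in."""
    return unix_time // INTERVAL_SECONDS


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """16-byte identifier broadcast during one window.

    Without the daily key, identifiers from different windows look unrelated,
    so a passive listener cannot chain them into a trace of one device.
    """
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Device:
    name: str
    # Daily keys never leave the device unless the user consents to upload them.
    daily_keys: Dict[int, bytes] = field(default_factory=dict)
    # (window, identifier) pairs heard nearby; kept locally, never sent anywhere.
    observed: List[Tuple[int, bytes]] = field(default_factory=list)

    def key_for_day(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(16)
        return self.daily_keys[day]

    def broadcast(self, interval: int) -> bytes:
        return rolling_identifier(self.key_for_day(interval // INTERVALS_PER_DAY), interval)

    def observe(self, interval: int, identifier: bytes) -> None:
        """Store a heard identifier locally; nothing is reported to a server."""
        self.observed.append((interval, identifier))

    def diagnosis_keys(self) -> List[Tuple[int, bytes]]:
        """What a positive user uploads, with consent: the daily keys only,
        not the list of identifiers this device heard from other people."""
        return sorted(self.daily_keys.items())

    def check_exposure(self, published: List[Tuple[int, bytes]]) -> List[int]:
        """Re-derive every identifier a published key could have produced and
        match it against the local log.  The comparison runs on the device."""
        matched = set()
        for day, key in published:
            start = day * INTERVALS_PER_DAY
            candidates = {rolling_identifier(key, i) for i in range(start, start + INTERVALS_PER_DAY)}
            for interval, ident in self.observed:
                if ident in candidates:
                    matched.add(interval)
        return sorted(matched)


def simulate() -> Dict[str, List[int]]:
    """Constructed scenario: Bob hears Alice twice, Carol hears only Bob."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    for window in (1000, 1001):               # two consecutive windows on the same day
        bob.observe(window, alice.broadcast(window))
    carol.observe(1010, bob.broadcast(1010))  # the following day; Alice is not present

    # Alice tests positive; the health authority publishes her daily keys.
    published = alice.diagnosis_keys()
    return {"bob": bob.check_exposure(published), "carol": carol.check_exposure(published)}


if __name__ == "__main__":
    print(simulate())  # {'bob': [1000, 1001], 'carol': []}
```

Two points the simulation makes visible: the only data that ever leaves a device is the positive user’s daily keys, and two broadcasts from the same phone in different windows share nothing a listener can correlate without that key.  It also shows the limit noted above: anyone who obtains the published keys can re-derive the identifiers a positive user broadcast that day, so a listener who logged identifiers at a known place and time could learn that an infected person was there.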

Even though Bluetooth technology does not capture an individual’s precise location in the same way as geolocation technology, the use of Bluetooth still allows potential real-time tracking of infected individuals.  Imagine walking down the street and receiving a notification that you are in close proximity to someone who has tested positive for COVID-19, and the only individual you see is walking down the sidewalk toward you. It may be that the person you see on the sidewalk isn’t even the infected person. Perhaps your phone is picking up the signal of someone who is quarantined in a nearby apartment instead.  It is unclear how people may react in such a situation. These types of issues are more likely to arise in densely populated urban areas, like New York, where the volume of people makes it more difficult to interpret a real-time signal.  Though current protocols do not contemplate such real-time notifications, that could be where things go in the not so distant future.

In addition to the Bluetooth information, it is not clear what metadata may ultimately be accessible by the app designer.  Public authorities that contract with Apple/Google or develop apps should seek to ensure that the risks of identification are sufficiently low.  Additionally, they must be on guard to ensure that the framework remains consistent and that tweaks that materially alter privacy practices are disclosed.  This would be particularly important as Apple/Google transitions from a phase where users utilize downloadable apps to one where the contact tracing functionality is incorporated directly into devices automatically as part of routine updates. 

It is important to bear in mind that both Bluetooth and geolocation have drawbacks.  Bluetooth requires that users enable the function and keep it running, which can drain a device’s battery and thereby reduce compliance.  Bluetooth is also potentially under-inclusive in that it won’t capture a potentially risky exposure to a COVID-19 positive individual that does not occur at the same time, for example if someone were to use an ATM that a COVID-19 positive individual used ten minutes prior.  Although geolocation data could be used to identify a potential exposure such as in the foregoing example, geolocation often does not work well indoors, in urban areas with dense clusters of tall buildings, or in poor weather conditions.    

Expanded Data Access and Use

The decentralized approach allows contact tracing information to be potentially available to health plans and large providers such as regional hospital systems that develop their own apps to enhance patient engagement or that want to rely on existing applications to assist in slowing the spread of the virus.  These entities will potentially face a higher security standard, given that contact tracing data and disease state could be considered protected health information under HIPAA for the information they access and for any further uses of that data.  That would potentially trigger a range of protections that would need to be implemented from a security perspective, as well as affording users specific rights with respect to such PHI.  In addition, if government entities wish to enter into partnerships with health plans facilitating contact tracing, they should ensure that such health plans agree not to make coverage decisions based on COVID-19 exposure or disease status, as doing so would be prohibited under existing law.  Though beyond the scope of this article, similar concerns abound from an employment perspective.  Employers that roll out contact tracing apps for their employees will have to work through a maze of considerations about how to use such apps and what actions they can take to protect their workforce based on the data they obtain, in accordance with applicable employment law.  The same considerations are also salient with regard to use of these apps by undocumented immigrants, who make up a significant portion of urban workforces.  From a public health perspective, controls need to be maintained that create trust that contact tracing data will not be used for non-public health purposes.

Multifaceted Approach

Although apps and digital technologies will play an important role in contact tracing with respect to COVID-19, health authorities across the country will still need to field large numbers of well-trained contact tracers to suppress flare-ups of the infection.  To make that approach successful and to manage the significant human resources involved, public authorities will need to ensure resources are deployed efficiently and that workflow is optimized.  With hundreds or even thousands of contact tracers deployed per state interacting directly with the public, public health authorities and the universities, institutions, and third-party solution providers they partner or contract with will inevitably come into contact with large amounts of personal information.  Just as with mobile exposure notification technologies, maintaining the trust of the public in this endeavor is paramount to generating compliance and cooperation. 

Here, a few important points can be made.  First, contact tracers will need to be trained on key privacy and security strategies.  This includes things as basic as securing laptops and working papers and imposing strict confidentiality obligations.  Next, entities involved in contact tracing initiatives, in addition to public health authorities, will have to interact with providers, employers, labs and other parties to identify and trace positive cases.  This will create complex data flows of sensitive information governed not just by HIPAA but also by state privacy laws.   Accordingly, structured methods for obtaining consent and authorizations, and for using existing permissions and waivers under HIPAA, will all need to be carefully considered in order to comply with complex state and federal privacy laws.   Aside from strict legal obligations, individuals who are interviewed or engaged by contact tracers must feel that they have some ability to consent to the information they choose to disclose and that any information they share will not be used in a manner that will prejudice their employment, housing or access to benefits.  To this end, public authorities and collaborators should implement privacy best practices and governance controls to secure and maintain public buy-in.  Additionally, the nature of the contact tracing program, the parties involved, and a help-line or other method to ask questions or make complaints should all be disclosed or provided to individuals. Finally, the various entities and organizations that public health authorities recruit to assist them must ensure they have obtained sufficient consent and authorization to handle and process individuals’ personal information.  Inevitably the data sets generated by contact tracing will be of significant interest to researchers and other entities, but strict standards of deidentification and follow-up protocols must be maintained for any secondary use. 

Conclusion

Contact tracing in any form, even with robust protections, represents an intrusion on privacy.  That intrusion is only justifiable in light of the public health benefits to society at large. Striking the right balance between public health and privacy is incredibly challenging, but is achievable through an adequate and robust analysis of these competing concerns.