Contact-tracing apps could help contain COVID-19 but raise thorny legal and privacy issues
In April, Donald Trump called smartphone proximity technology to combat the spread of COVID-19 “an amazing thing” that nevertheless raises “constitutional problems.”
“We have more of a constitutional problem than a mechanical problem, but we will be making a determination on that,” Trump said during an April 13 press briefing at the White House.
That was in response to a reporter’s question about Apple and Google’s partnership to create Bluetooth technology for Android and iOS phones to curb the virus. Contact tracing through smartphone proximity technology measures the strength of a user’s Bluetooth signal and allows people who have contracted the virus to voluntarily report to public health authorities.
The decentralized system that Apple and Google are proposing will alert other users who come into proximity with an infected person’s phone. The Bluetooth-based technology is more secure than GPS, which can reveal location data.
However, the president admitted: “A lot of people have a problem with it.”
Some of those people include privacy advocates and legal experts. They are concerned that contact-tracing apps could violate privacy rights and civil liberties; criminals and foreign adversaries could use them to harvest data; and the technology might linger long after the pandemic is over.
Electronic Frontier Foundation senior staff attorney Adam Schwartz also cautions that contact-tracing apps should be part of a broader effort that includes widespread testing for the virus and the traditional method of tracking people who have had it, which involves reaching out to people infected with the virus and interviewing them to establish who else they have been in contact with. The Centers for Disease Control and Prevention also wants to pursue this traditional method, according to the New York Times.
“I think there is a tendency in many places, including in Silicon Valley, to assume that if we are just clever enough with engineering the perfect app that we can nerd our way out of the crisis,” Schwartz said in an interview with the ABA Journal. “Our first, most important message is that, at best, a proximity app is going to be a piece of the puzzle.”
Protecting people and their privacy
Proponents of the technology say that it protects the public health by telling users when they have been exposed to the virus, allowing them to immediately self-isolate. The technology, they say, protects users’ privacy while stemming the spread of the virus.
Carmela Troncoso, a security and privacy researcher residing in Lausanne, Switzerland, co-authored a white paper published in April 2020 that outlines a similar Bluetooth protocol. She says her group’s proposal by design protects against long-term storage of data because there would be no centralized server to draw personal information from.
She says that the random identifiers that smartphones send to each other using Bluetooth are “completely decoupled from who the person is,” and that phones would not preserve any identifying information.
“It doesn’t encode any information about relationships with others, how many people this person has seen or how frequently. This is how we ensure that the server does not have enough information to do any surveillance,” Troncoso says.
Troncoso adds that there should be “strict laws” in place to complement the technology so that individuals and corporations are prevented from surveilling people using the apps in public places, and that people do not face mandates from employers or businesses that require them to use the apps. Meanwhile, her white paper, titled “Decentralized Privacy-Preserving Proximity Tracing,” states that it is “of paramount importance” that any digital contact-tracing technology protects privacy and is in compliance with the European General Data Protection Regulation, or GDPR.
Google and Apple say that users can decide whether to opt in or out of the technology. The tech giants plan to roll out an application program interface, or API, in May, and then release the underlying technology for use with third-party apps.
“Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders,” Apple said in a statement on April 10.
Schwartz says Apple and Google deserve credit for giving users the ability to consent or not. For all contact-tracing apps, he wants safeguards in place to protect against attacks by bad actors; voluntary participation so that people who decline to use contact-tracing apps are not denied access to commercial or government spaces; and assurances that the technology will only identify devices that were proximate, and not their users. The EFF would also like limits on how long data is retained.
“The amount of time that information should be kept is measured in weeks and not months,” Schwartz says.
In March, Singapore released a contact-tracing app called TraceTogether that allows the government to automatically access people’s personal information after the novel coronavirus has sickened them. The app has been downloaded more than a million times. The EFF is critical of this approach, and Singapore’s National Development Minister Lawrence Wong said that the app had shortcomings.
“In order for TraceTogether to be effective, we need something like three-quarters—if not everyone—of the population to have it. Then we can really use that as an effective contact-tracing tool,” Wong told The Straits Times of Singapore.
Apple and Google have reportedly refused to support a similar centralized system that the National Health Service in Britain has proposed, according to the Guardian.
John Christiansen is a member of the ABA Health Section and provides IT legal services to the healthcare industry. He believes it would only be a matter of time before “unscrupulous people” counterfeited contact-tracing apps to harvest users’ data.
“If Google and Apple roll out surveillance apps, or contact-tracing apps, they better also police their own app stores to make sure that all those endless counterfeits that people are going to be popping up to steal data get quashed,” he says.
Privacy and security rules under the Health Insurance Portability and Accountability Act, or HIPAA, could also come into play if so-called “covered entities,” including health plans or health care providers, partner with tech companies to create their own contact-tracing apps, Christiansen says.
If Kaiser, for example, were to contract with Google to build a contact-tracing app “because this would be a service to Kaiser and would be surveilling people who are Kaiser patients—that information would definitely be covered by HIPAA,” says Christiansen.