Contact Tracing and Privacy Rights
by George H. Pike
It’s mid-May in the western suburbs of Chicago as I write this, and we’ve been operating under the Illinois stay-at-home order for a bit longer than 2 months. I’ve been pretty good about it, limiting my outings and wearing a mask. I was able to get out a couple of days ago to play a round of golf (which is allowed but subject to enough restrictions that getting a tee time is like getting Springsteen tickets) and stop at the grocery store.
At the golf course, I interacted with only a couple of people: the starter who checked me in from a good 10 feet away and my playing partner, a gentleman I didn’t know. He was a good golfer, which helped with social distancing because he played the center of the fairway, while I was mostly in the rough. The grocery store wasn’t crowded, but I did go past some people in the aisles, which made 6 feet of separation difficult, and interacted with the checkout clerk from behind a Plexiglas barrier.
EMERGING FROM LOCKDOWN
As the nation and the world emerge slowly and cautiously from the COVID-19 lockdown, of critical importance may be the ability to identify random encounters, such as those with my golf partner and the checkout clerk, should any of us come down with the virus. This contact tracing is the attempt to identify and track all those who had contact with anyone who is infected, with the goal of limiting the spread of the disease by targeting, testing, treating, and/or isolating those who have been exposed.
There are obvious challenges with contact tracing, first among them being the anonymity of the majority of the contacts. There may be data from the golf course records about the starter and golfer that I encountered, and it may be possible to identify the clerk or clerks on duty at the store, but the people I passed in the aisles pose a much greater challenge. At best, the effort would require accessing secure information such as security camera footage or credit card data.
Gathering that data raises legal and privacy concerns. If state or federal agencies are involved, the concerns can approach constitutional rights levels. How that data would be gathered, used, stored, secured, transmitted, and discarded also poses challenges.
This data is right at the intersection of the strongest levels of privacy protection: healthcare data and location data. Healthcare data is protected at the federal level by the Health Insurance Portability and Accountability Act (HIPAA), which limits its sharing and distribution. HIPAA, however, does have exemptions from its privacy controls, including for public health activities, such as the need for public health authorities to “collect or receive such information for preventing or controlling disease. …” Still, healthcare data is recognized as privileged information entitled to the greatest degree of legal and ethical protections.
Similarly, location data has been found to be entitled to very high degrees of privacy protection, particularly in the smartphone era. In a 2018 decision, the Supreme Court ruled that cellphone-based location data is shielded by the Fourth Amendment’s protection against unreasonable searches and seizures and that a warrant is required for its collection. The court’s holding applied to a criminal case; however, it is less certain if a warrant would be required absent a criminal investigation.
The exchange and use of location information outside of the criminal context get less protection under general privacy law principles. In addition, those location records actually belong to the cellphone service company and not to the individual. Because of this ownership, the cellphone companies have more leeway to use and aggregate the data they’ve collected.
GPS AND BLUETOOTH
New contact tracing apps are being developed for the Apple and Android platforms. These apps would use Bluetooth and GPS location data and combine it with mandated and self-reported COVID-19 exposure data to facilitate contact tracing.
The challenge has been to create a system that is reliable but also anonymous in order to avoid the exchange of personally identifying information, particularly healthcare information. One such system was described in a recent article in The Washington Post. It would use the exchange of “temporary pseudonyms,” which the article compared to the exchange of business cards. Both the pseudonyms used by and collected by a particular user would be stored on their phone. If a person is infected, they would upload only the pseudonyms they’ve used to a database. Other users could check the database to see if they’ve had an exchange based on the pseudonym. They would only know that they’ve had a contact, not specifically with whom or where it occurred.
CENTRALIZED OR DECENTRALIZED
Systems such as this example are known as decentralized systems in that there is no central database housing personally identifying information; the only database is for pseudonyms. Other systems being developed are more centralized, consisting of a central database containing the location and identification data of its users. Decentralized systems are considered more private because less identifying information is made available. Centralized systems, however, allow aggregate data to be used by public health authorities, such as for identifying COVID-19 hot spots.
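The decentralized pseudonym exchange described above, as an added example that is not code from the column, the article it cites, or any contact tracing app. The class and function names, the random 16-byte pseudonym format, the one-pseudonym-per-encounter rotation, and the scenario itself are assumptions made for illustration.

```python
import secrets


class Phone:
    """One user's handset. Contact history never leaves the device."""

    def __init__(self, owner):
        self.owner = owner   # known only locally, never transmitted
        self.sent = []       # pseudonyms this phone has handed out
        self.heard = set()   # pseudonyms collected from nearby phones

    def new_pseudonym(self):
        # Assumption: a fresh random value per encounter, unlinkable to the owner.
        pseudonym = secrets.token_hex(16)
        self.sent.append(pseudonym)
        return pseudonym

    def encounter(self, other):
        # The "business card" swap: each side stores what it gave and what it got.
        mine, theirs = self.new_pseudonym(), other.new_pseudonym()
        self.heard.add(theirs)
        other.heard.add(mine)

    def report_infection(self, database):
        # Only pseudonyms this phone used are uploaded: no identity, no contacts.
        database.update(self.sent)

    def exposed(self, database):
        # Matching runs on the device and yields yes/no, not who or where.
        return not self.heard.isdisjoint(database)


def run_scenario():
    """Constructed scenario: the golfer later reports an infection."""
    database = set()  # the only shared store, holding pseudonyms alone
    writer, golfer, clerk, stranger = (
        Phone(name) for name in ("writer", "golfer", "clerk", "stranger")
    )
    writer.encounter(golfer)
    writer.encounter(clerk)
    clerk.encounter(stranger)
    golfer.report_infection(database)
    phones = (writer, golfer, clerk, stranger)
    return database, {p.owner: p.exposed(database) for p in phones}


if __name__ == "__main__":
    db, results = run_scenario()
    print("database holds", len(db), "pseudonym(s):", results)
```

The database operator ends up holding one opaque value and learns nothing about who met whom; a centralized design would instead place the location and identification data in that shared store.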
Both systems require users to opt in, which may limit their effectiveness. In addition, as the world begins to travel again, the problem of incompatibility will likely loom. Within the European Union, for example, it has already been reported that apps being developed in and for France and the U.K. would not be compatible with apps being developed for Germany, Austria, and Switzerland.
The U.S. Congress is already considering multiple COVID-19-related privacy proposals. The COVID-19 Consumer Data Protection Act is being developed (and may be introduced by the time this is published) by several Senate Republicans, while a similar proposal has recently been introduced by several Democrats from the Senate and House of Representatives. It is too early to tell if either bill will be enacted.
CONTACT TRACING, IMPROVED TREATMENT OPTIONS, AND CONTINUED DILIGENCE
Many health authorities have indicated that contact tracing will be critical to managing COVID-19 as schools, businesses, sports, and other organizations and activities emerge from lockdown. Others question its efficacy and its cost in lost privacy and other rights. With the rapid scale of developments and changing outlooks—as this is written in May and published in July—it can only be hoped that contact tracing, improved treatment options, and continued diligence will help in the fight to end this pandemic.