Moving Forward to the New Normal: 10 Key Questions About Digital Contact Tracing ApplicationsPrint PDF
Just as the terrorist attacks of September 11, 2001 fundamentally changed our approach to national security, the COVID-19 pandemic of 2020 will fundamentally alter our approach to public health. September 11th caused us to abandon significant privacy in order to ensure national security. The post-lockdown stage of the COVID-19 pandemic will also require privacy tradeoffs as governments, companies, and individuals attempt to create and maintain a system of testing and contact tracing to prevent the exponential spread of the virus. In response, the tech industry is scrambling to create digital tools to ease the process of contact tracing. In this advisory, we explore 10 key questions that app developers and users must address before widespread, mobile contact tracing solutions are accepted.
How Does Mobile Contact Tracing Work?
The idea is simple—allow our mobile phones to keep track of each individual with whom we come in contact each day. If one of those individuals becomes infected, the mobile app would direct the people the infected individual had contact with to self-isolate. Automating contact tracing would certainly save enormous resources and appears to offer a useful tool to help end the lockdown while minimizing risk to overall public health. Indeed, several other countries have adopted versions of the concept. Although it seems highly unlikely that the federal government will mandate such a solution, that hardly means that the concept is dead here in the U.S. Instead, use of contact tracing apps will be driven by a combination of voluntary adoption by individuals encouraged by their local governments and, perhaps, by employers who require it for their employees. Indeed, Google and Apple recently joined forces to modify their respective mobile operating systems to allow widespread use of Bluetooth enabled contact tracing apps on their devices—thereby creating the technical pathway to allow these apps to work. However, the simplicity of the idea should not obscure the many complicated privacy tradeoffs and other policy considerations that these apps pose.
10 Key Questions Before Implementing Mobile Contact Tracing Solutions
- Where will the contact data be stored? The contact data will include information about every individual that each participant had contact with each day. This is incredibly detailed information that could easily be misused. Will the data be centrally stored or maintained only on users’ individual phone?
- Who will have actual access to this data? Regardless of where the data is stored, some level of central access will be required for the system to work. Whoever controls this access, will control the data.
- Will there be any legal limit on access or use of the data? In addition to limiting access through technical means, it will be necessary to create a legal framework that dictates how the data can be used. For example, can our employers use it to track productivity or investigate allegations of wrongdoing? Can tech companies use it to create behavior profiles for advertising or other purposes? Can the government obtain the data for criminal investigations unrelated to COVID-19 tracing? What about civil litigants?
- How long will the data be retained? Because of its sensitive nature, the data ought to be retained no longer than is necessary for contact tracing purposes. Perhaps the data should be deleted shortly after the virus’ incubation period ends, at which point it is presumably no longer useful for contact tracing.
- How can we adequately protect the data from hackers and data loss? Hackers are opportunistic and frequently develop new methods. A data breach can be problematic in numerous ways: hackers could reveal the identities of COVID-19 positive individuals or perhaps infiltrate the app with false positives to cause panic.
- Can these apps be required by governments, employers or others? The apps are unlikely to be effective unless they are widely adopted. Is it reasonable for governments, employers, landlords, or others to require that their constituents use the apps? What about numerous individuals who lack access to compatible mobile devices?
- How much information will the apps share about a person who has been infected? Merely knowing that a person has been “in contact” with an infected individual, absent any additional details, may not convince people that they should self-isolate. On the other hand, the more information the app shares about the infected individual, the more obvious the identity of that person will be. Who decides what is the appropriate balance? This is especially hard to conceptualize in the abstract as the amount of information it takes to identify an infected contact will depend heavily on the specific circumstances.
- How will the apps know that a person has tested positive for COVID-19? Will the apps rely on self-reporting or will public health authorities be able to identify an individual as COVID-19 positive in a central database?
- Will public health authorities be informed if the app believes a person should self-isolate? If so, what information will the public health authorities be given and will they seek to encourage or enforce the self-quarantine?
- How effective will these app really be? The apps work by tracking the other devices in proximity to the user’s device and noting the length of time that these devices were in proximity to each other. But proximity and time are only two of the variables that determine likely exposure to the virus. How do you filter out the false positives that come from two individuals who are physically close together, but separated by walls or floors? For example, the person in the office above mine might be in close proximity to me for long periods of the day as measured purely in time and distance, but it is unlikely that they can infect me since we probably don’t share the same air. Additionally, the apps seem to be focused on transmission through the air, even though considerable research suggests that it may be possible to get sick through touching a surface that has the virus on it. If that is true, a person might well become infected without ever coming in close physical proximity to an infected individual.
Our list of questions is by no means exclusive. Overall considerations about using a contact tracing app turn significantly upon the circumstances of use, impacting government entities in distinct ways from employers. We are following these developments closely and can help companies and organizations navigate their way forward.
This advisory was prepared by Seth Berman and Laura Martin in Nutter’s Privacy and Data Security practice group. For more information, please contact Seth, Laura, or your Nutter attorney at 617.439.2000.
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.