Protect Privacy When Contact Tracing

• ensure that government benefits—including employment, subsidized housing, and receipt of other services—are not conditioned on participation in any contact tracing program;
• condition any federal support for state and local contact tracing programs on adoption of clear and strict policies to minimize the collection and retention of individualized data;
• ban the use of any personally identifiable information (PII) collected and stored for pandemic response from being used for any other purpose;
• mandate that all pandemic‐​related PII be purged, with external audits for verification, within 30 days of acquisition;
• mandate adoption of decentralized methods for data retention on individual user devices to the maximum practicable extent;
• make use of aggregate location data for trend‐​mapping purposes but avoid reliance on individualized GPS or cell site data as a proxy for exposure; and
• limit retention to the minimum time necessary to accomplish a specific, defined public health purpose where centralized data collection is unavoidable.

#CatoCOVID

Amid the ongoing pandemic, lawmakers and other government officials worldwide have turned to technology‐​assisted contact tracing as a means to track infected people and those they may have exposed to SARS‐​CoV‐​2, the virus that causes COVID-19. While experts estimate that 60–80 percent of the population would need to install contact tracing apps to fully replace manual contact tracing, there is evidence to suggest that digital contact tracing may provide significant value as a supplement to traditional manual efforts.

Because contact tracing technologies analyze sensitive information about citizens’ locations, they raise civil liberty concerns. A significant proportion of the population must trust and willingly embrace contact tracing tools for them to be effective. This in turn requires that people see them as effective and protective of sensitive data. Lawmakers can best achieve these ends by minimizing reliance on less‐​accurate proxies for exposure, limiting centralized data collection, and providing strong legal safeguards against either coercive imposition of contact tracing apps or nonconsensual repurposing of personal data collected for public health purposes.

Traditional manual contact tracing has limitations. The process is labor intensive, and most states still lack the necessary trained workforce and related infrastructure. Moreover, human contact tracers are often unable to quickly locate and notify all of a patient’s contacts. Tracers cannot always reach even known contacts, and we routinely share space with strangers whom we have no way to identify after the fact. Thus, technologists and public health authorities around the world have sought to complement manual tracing by leveraging modern technology, especially smartphones. Because people typically carry their phones, determining that two phones have been close will usually indicate that their owners have been as well. Technology‐​assisted contact tracing, or TACT, can take a range of forms, however, with varying levels of likely efficacy, as well as dramatically different implications for privacy and civil liberties. In designing or choosing tools for TACT, therefore, developers and policymakers have a series of critical choices to make.

Perhaps the most basic question for any smartphone‐​based approach is how to determine when two phones have been close to each other. Two primary methods have emerged.

The first is to rely on the phone’s location, as determined either by an embedded global positioning system (GPS) chip or by signals the phone sends to and receives from cellular towers, known as cell site location information (CSLI). Using GPS for contact tracing typically requires purpose‐​built software to be installed on the phone, but CSLI can be obtained in bulk from cellular carriers.

The second approach is to measure proximity directly, typically using the Bluetooth short‐​range radio protocol enabled on most modern phones. With appropriate software, phones can signal their presence to each other, using the strength of the signal as a rough proxy for the distance between them. One of the first widely deployed TACT apps, Singapore’s TraceTogether, adopted this approach, which Apple and Google also prominently use in their contact tracing toolkit. Their operating systems power most smartphones and similar mobile devices.

Relying primarily on location for the core contact tracing function has several drawbacks. First, neither GPS nor CSLI are precise enough to reliably determine whether people have been within the critical two to three meters range of each other that presents the greatest risk of contagion. Under ideal conditions, GPS can pinpoint horizontal location to within about five meters. Vertical position measurements are typically less accurate, and if conditions are less than “ideal”—such as when the GPS receiver is indoors, where the risk of transmission is far higher—precision is further reduced. CSLI is less reliable, typically situating a phone only within about the radius of a city block—and still less precisely than that in rural areas. A purely location‐​based approach, therefore, would often fail to distinguish between people in close enough contact to truly risk exposure and those merely in the same general location—for example, occupying separate rooms in a hotel, apartment, or office building. Bluetooth signaling sometimes falls prey to similar errors but to a far lesser extent. Despite issues with GPS accuracy, North Dakota, South Dakota, Wyoming, Rhode Island, and Utah have deployed GPS‐​based apps, which have not been widely adopted.

Second, the prevalence of false positives with location‐​based exposure notifications would initially lead many individuals at no real risk of exposure to seek testing or to unnecessarily isolate. Over time, however, as it became clear that location‐​based notifications were poorly correlated with actual risk, many people would likely treat the notifications as spam and either disregard exposure warnings or opt out of them. Indeed, some countries that adopted a location‐​based notification approach have already seen such a public reaction. In those countries, large numbers of users who had installed a TACT app subsequently uninstalled it—likely in part because of the high volume of false positive alerts.

Third, in some of the places that present the most serious risks of mass contagion, location‐​based tracking will not function at all. Both CSLI and GPS location tracking require devices to be able to connect to external networks and therefore will not work in contexts where those networks cannot be reached, such as underground public transit systems and parking garages. Measuring proximity via Bluetooth, by contrast, requires only that radio signals can reach nearby phones.

Fourth, granular location data constitutes sensitive information about the activities of individuals, most of it unrelated to any legitimate public health purpose. It does not (to pick a crude example) require a Sherlock Holmes to solve the mystery of who might have traveled from your residence to your workplace in the morning and back in the evening. Any government repository of such data would thus represent a massive encroachment on individual privacy.

Worries about data sensitivity apply most forcefully when location information is centrally stored. An alternative is for location‐​based exposure notification tools—whether they rely on proximity, location, or some hybrid—to operate on a decentralized model, with users’ location histories stored only on their own devices.

In a centralized approach, data generated by individual smartphones are gathered in a unified database and analyzed by a public health authority to determine when individual users should receive exposure alerts. In a decentralized model, most data remain on individual devices, which compare shared data from diagnosed COVID-19 carriers against locally stored visited locations or Bluetooth identifiers previously received from other phones to determine whether alerts should be displayed to users.

Both approaches have advantages and disadvantages. Centralization gives health authorities additional data about how a pathogen is spreading. In one narrow respect it may also mitigate certain privacy risks, depending on the mechanism used to gauge exposure. On a more centralized model, an alert can be sent to individuals with potential exposure without additional data about the time, place, or other circumstances that might provide clues to the identity of the COVID-19 carrier. Of course, as long as alert recipients can compare notes and isolate shared contacts, the risk of reidentification cannot be wholly eliminated under any exposure notification scheme, but the potential for reidentification attacks at scale is far more pronounced when location history is broadcast as structured, machine‐​readable data.

Although decentralized models may not raise the specter of population‐​scale surveillance, the potential for reidentification means that they still entail significant risk to the privacy of diagnosed COVID-19 carriers, who in some regions have faced intense stigma and harassment. In practice, however, given the other limitations of location data, arguments for location‐​based TACT typically focus on the value of location data to public health authorities and assume their access to it. For instance, a variety of government health officials have criticized the Apple/​Google virus exposure notification protocol precisely because the companies have refused to permit such sharing on privacy grounds. In August 2020, Virginia was the first state to release the Apple/​Google COVID-19 contact tracing protocol app.

While the core function of direct individual exposure notification may not be best served by models that use GPS or CSLI, location information can be of use to health authorities in other ways. It may be helpful to know where potential exposures are occurring—not simply to facilitate individual notifications but to gauge whether specific types of locations are contributing disproportionately to the spread of the virus. Such information allows policymakers to appropriately target interventions. Location data can also be of assistance to manual contact tracers.

For the most part, however, these functions do not require the large‐​scale collection of detailed, individualized location data. Instead, the goal of mapping broad population‐​level trends can be met by analyzing aggregated data of the sort that some large online platforms are already publicly providing, such as Facebook’s Disease Prevention Maps and Google’s Community Mobility Reports.

To the extent that granular, individual location data from patients who have tested positive to COVID-19 may be of use to manual tracers, TACT apps can, in principle, be designed to store location history locally on each device. They can also be designed to let patients who have tested positive review the information and then choose which portions they wish to share. Israel deployed a TACT app, HaMagen, that uses GPS to track exposure without centralized collection of location history from users who have not tested positive; instead, the locally stored location history is compared, on the device, against the health ministry’s repository of geographic data gleaned from COVID-19 patients.

Important practical considerations, however, weigh against even this more limited use of location data. Security researchers have already found an array of serious problems in location‐​based TACT tools. The Care19 app that North Dakota and South Dakota used violated its own stated privacy policy by sharing user location information with an outside company, while security vulnerabilities in a GPS‐​based TACT app that India deployed would allow technically sophisticated attackers to pinpoint the locations of COVID-19 patients. Such missteps inspire public mistrust. In one recent poll, more than 70 percent of Americans who responded said they had no plans to download and install a TACT app, and privacy concerns topped the list of reasons given for abstaining. Against that daunting backdrop, eschewing any use of location data may be a more effective means of reassuring prospective users than attempting to persuade them that such data is adequately protected.

Perhaps more importantly, Google and Apple have committed to a policy that bars location tracking in apps that make use of their Bluetooth‐​based notification protocol when the app is not actively open and running. While public health authorities can implement their own Bluetooth protocols, this limitation on background transmission makes any apps far less useful and reliable in practice. Although once widely discussed in media, the Apple/​Google contact tracing protocol and other technology like it have become less prominent as the COVID-19 pandemic continues. This is in part due to privacy concerns but also because many governments have struggled to make their contact tracing apps work on Apple phones.

There is substantial value in convergence on a single protocol that could be interoperable across state and national boundaries. And because Apple and Google’s protocol will soon be integrated into the two dominant mobile operating systems, it will have the further advantage of allowing users to opt into logging Bluetooth proximity signals before they have installed a local TACT app. In light of these advantages, state (and national) governments that have chosen to reject the protocol because they regard the attendant privacy restrictions as too onerous are likely to be making a poor trade, sacrificing the most viable implementation of a more accurate technology—Bluetooth proximity sensing—to collect less accurate location data poorly suited to the core function of exposure notification.

As with the choice between location and proximity sensing, the trend among freer societies has been to embrace the virtues of more distributed TACT design. American authorities should adopt TACT principles that give users hard, architecturally enforced assurances that they can install tracing tools without unnecessarily placing personal data in the hands of third parties.

Even a highly decentralized TACT infrastructure will have some centralized elements. Fully decentralized TACT might allow any user to generate alerts by self‐​identifying as a COVID-19 carrier without relying on a public health authority to validate diagnoses or publish proximity or location data. Most developers have, understandably, not chosen this path, fearing that a system that failed to distinguish confirmed positive diagnoses from trolls or hypochondriacs would leave users inundated with false positives. Most protocols therefore depend on a limited number of trusted entities with the authority to validate diagnoses and disseminate alerts. Decentralization, in other words, need not be religiously maximized along every conceivable dimension in every part of a TACT system. Rather, it should be seen as a generally desirable design principle to be departed from only when centralization provides compelling benefits that cannot feasibly be realized by other means.

On the whole, well‐​designed decentralized architectures have significant privacy and security advantages. Because data from most participants in a decentralized TACT system never leave a personal device, there is no cache of data to create temptations for misappropriation. Assuring users that their data never leave their device without their specific consent would help build trust and encourage adoption of TACT apps. The best way to inspire trust is to make the questions moot by minimizing central collection of data.

Considerations of both efficacy and civil liberties weigh strongly in favor of Bluetooth proximity detection over location‐​based approaches for exposure notification. This is, notably, the course most European nations that have deployed TACT apps have chosen, while the countries that have embraced location‐​based TACT are biased toward those. The shorter list of those countries include Iran, China, and Turkey, which few would regard as models for safeguarding civil liberties. The wisest course for public health authorities at present would be to rely exclusively on Bluetooth proximity detection for individualized app‐​based COVID-19 exposure notification while making use of aggregated location information for broader mapping of population‐​level trends. Proposals to collect individualized location data, even if nominally “anonymized,” should be met with skepticism.

A final critical dimension to consider is the voluntariness and transparency of TACT tools and systems. In the United States, state and federal data privacy laws, as well as protections embedded in the Constitution, already present a formidable obstacle to the sort of nonconsensual bulk collection of citizen data or legal mandates to use particular TACT tools. The Supreme Court’s recent decision in Carpenter v. United States recognized the particular sensitivity of location data, placing it outside the scope of the Court’s “third party doctrine,” which allows government to obtain many other types of personal data from “third parties” (such as cellular carriers) without observing the niceties of the Fourth Amendment’s warrant process. Policymakers should strenuously resist any proposals to dilute or circumvent these established protections—even “temporarily.”

There are, nevertheless, some additional safeguards that policymakers can take to ensure that participation in TACT is fully voluntary and noncoercive. Government benefits—including employment, subsidized housing, and receipt of other services—should not be conditioned on participation in any TACT program. Moreover, because legal protections against transfer of personal data between levels of government are often less robust than safeguards against initial acquisition of data, additional legislation may be appropriate to provide additional assurance that whatever information public health authorities must centrally collect cannot be used for any unrelated purpose or transferred to other government entities.

While it may be tempting in the short term to accelerate adoption of TACT tools via quasi‐​coercive means, contact tracing in both its traditional and technology‐​assisted forms is ultimately highly dependent on public trust and active, willing cooperation. Citizens who feel as though surveillance is being imposed on them are likely to react in ways that undermine the aims of public health authorities.