In the six months that COVID-19 has rampaged across the US, more than 108,000 people have died and many more suffered dangerous complications. While we wait for a possible vaccine, officials are scrambling to reduce the number of new cases. Contact tracing apps have come to the forefront of potential strategies.
But amid reports that authorities are using digital contact tracing to surveil peaceful protestors, we have to ask ourselves: How do we balance individual privacy against the public good? How far are we willing to go to keep each other safe?
We talked with cyberlaw scholar Anne Toomey McKenna of Dickinson Law and Penn State’s Institute for Computational and Data Science to help us understand what privacy rights US citizens have, how COVID-19 has affected those rights, and where we can go from here.
How do privacy rights in the US relate to cell phones and electronic data?
In the United States, the Fourth Amendment to the US Constitution prohibits unreasonable search and seizure. But we now have technology that enables all kinds of surveillance, particularly electronic surveillance that heretofore wasn't conceivable.
Any time a cell phone is on, it's pinging approximately every seven seconds. It gives very detailed location information to the mobile provider. Essentially, you are tracked because your mobile provider needs to know where you are for your phone to work. That location data is called Cell Site Location Information (CSLI).
For a long time, the courts disagreed about how to handle CSLI data, and we had a patchwork of court decisions from different jurisdictions that offered different protections. In short, some courts stated that law enforcement needed a probable cause-based warrant to get CSLI. But others determined a warrant was not required because we were already sharing our CSLI with a third party—our mobile service provider—and that it therefore wasn’t protected by the Fourth Amendment.
Finally, our Supreme Court addressed this in its 2018 Carpenter decision. The court ruled, in an opinion written by Chief Justice Roberts, that to get CSLI, the government needs a probable cause-based warrant.
The rationale was based in large part on the significant and vast amount of detailed, intimate information that CSLI provides. It’s possible to track if somebody went to an abortion clinic, or a bar that caters to gay patrons, or to a particular political event.
All of our mobile phones also contain GPS chips that work in conjunction with the Global Positioning System (GPS). So, in addition to CSLI, this means that all of our mobile phones are also embedded with hardware and software that enable location tracking through GPS. This is how Apple and other phone manufacturers and many of our apps, like the Maps app, are able to track our detailed location independent of CSLI.
How has the COVID-19 pandemic affected data and privacy?
In a pandemic, because of concerns about who is exposed to whom, we're no longer just talking about location information. That’s part of it, but for contact tracing to work when there is risk of disease exposure, medical information is required. This isn’t the first time in the US that we've had to really think about medical information and someone’s location data and tracing their interaction with others.
Laws have existed across our country for ages that require medical disease information to be shared—even if someone doesn’t want to share that information. It may feel very invasive of one’s medical privacy, but it’s done to protect others.
For instance, we have mandatory partner notification laws in many states that require that, if you test positive for an STD, you notify your sexual partner(s). We also have laws that mandate your medical care provider report certain test results of infectious disease to a centralized authority: the CDC. This includes infectious diseases like West Nile Virus. Again, the public health need is considered greater than the individual’s right to privacy.
While HIPAA provides certain privacy protections for our medical records, it also permits sharing of infectious disease information where required by other laws. Right now, we're in a public health emergency, and this significantly expands the power of the government to gather and share your medical information.
It was interesting to see that when COVID-19 began its early spread in the US, the Department of Health and Human Services and the CDC quickly provided online clarification about HIPAA’s applicability to sharing data about positive COVID-19 test results.
That clarification specifically stated that medical care providers could provide emergency dispatchers (e.g., 911) and first responders with a list of persons by name and address who were COVID-19 positive. Why? Because, on an as-needed basis, if a first responder was responding to a call from a certain person or address, they were entitled to be notified by the dispatch that there was potential for coronavirus exposure.
It makes sense to protect first responders, but it’s important to understand that medical care providers are thus sharing, on a wide scale, the identity of persons who are COVID-19 positive with the government.
One thing to remember when we talk about contact tracing is that so much of what we're hearing talk of is “voluntary” contact tracing. But everyone should understand that our government is necessarily already engaged in knowing the identity and location of all persons who are COVID-19 positive, and that’s not occurring voluntarily. The medical information about who's positive is being provided to a centralized authority—the federal government—in full compliance with the law. And that information is being disseminated electronically.
So, what are the concerns? First, oversight: how is the information being gathered, and how and when is it being shared? Second, privacy: the public health emergency has enabled a situation where the Fourth Amendment and your privacy rights are being put on the back burner.
Right now, we're in this weird world where health information and health laws, public health, emergency, and electronic surveillance laws are clashing. The pandemic has prompted significant expansions of governments’ electronically surveilling their citizens through sweeping efforts using multiple means of electronic surveillance for tracing and network analysis purposes. And all this is being done in conjunction with the private sector and massive entities (like Apple and Google) that already have vast quantities of our data.
Adding to this, we now have widespread and historic-scale civil protest over police brutality, the death of George Floyd, and systemic racism, which brings the First Amendment into this complex mix.
It seems like this clash came to a head in Minnesota, where media have reported that the government is using contact tracing to see who the protesters are and where they’re from. Can you expand on what’s happening there?
According to media reports, Minnesota is using contact tracing to build out a picture of protestors and their affiliations, as opposed to contact tracing to build out an image of affiliations that were exposed to COVID-19. These are totally different purposes.
Contact tracing is a tool that is very hard to refute the need for, given our failure at a federal level to appropriately and effectively contain the virus at the outset. But now we’ve taken tools that employ surveillance technology to assist us in containing a pandemic, and we're using it to build a non-coronavirus-related picture of American activity.
It appears commentators’ worst fears are realized: the government appears to be misusing this technology in ways that threaten one of our most highly protected activities that has been a cornerstone of our democracy since its birth—political speech and our First Amendment rights.
We already have lost more lives than any nation in the world to COVID-19, so we have a need for contact tracing. We can do this appropriately, but we should be doing it only to protect public health.
Instead we're taking information gathered by law for a specific health and safety intention and using it to see ‘who's complaining about police brutality, where are they, and with whom are they associated.’
In light of these abuses, can we talk about the idea of “immunity passports”?
Countries are considering immunity passports for individuals who have tested positive for COVID-19 antibodies but are no longer positive for COVID-19 and so aren’t infectious. The immunity passport would function as a certification to return to work or go to a restaurant.
Immunity passports require the merger of your medical data with other types of data to be able to say: ‘This is who this person is; this is their medical status; this is where they are right now; and it’s safe for others that they’re there.’
But what does an immunity passport really mean in the face of a novel virus? Right now, according to scientists, we don’t know. Does it mean that you're good for three months or six months? Can someone who has had the virus be re-infected? And how are the rights of people who don’t have antibodies affected? Are they then not able to go out because they haven’t had COVID-19 yet?
This raises real discrimination concerns. It sets aside a group of people who can't do things because they don't have antibodies, and elevates a group of people who do—on shaky medical evidence. And all of this may occur in this magic waiting period for a vaccine that may or may not ever exist or even be successful.
Where can we go from here? What needs to be done to protect privacy rights?
The pandemic is here for the foreseeable future. Clearly, data and technology should be used to fight COVID-19. I'm not saying we should stop using these resources. But you can use the data and still protect privacy. It's a balance.
The data that’s being collected is not just your location data. It's every person you're interacting with, where you are, what time you're there, and what you're doing while you're there. That’s needed for effective contact tracing, combating the pandemic, and saving lives. It’s not needed for tracking and intimidating citizens engaged in our most important civic duty: First Amendment speech and peaceful civil protest about matters of grave public concern.
We need limitations that say this data can't be used for other purposes. And we need an understanding of where the data is stored, who has access to the data, and how the data is being used. Without transparency and central oversight of data access and data use we have significant problems.
I think there's a lot to learn from right now in terms of privacy and data. The US continues to treat data differently depending on where it comes from. Financial data is protected by one set of laws. Health data is protected by another set of laws. I think what this really should hopefully trigger is an understanding and recognition that technology doesn't treat data differently.
It’s time we recognize that data privacy is a fundamental human right. That’s going to require an evolution of laws in the US. Until that happens, we will continue to struggle, we will continue to experience disproportionate privacy harms on the most vulnerable among us, and our privacy rights will continue to be trampled upon. These times are unprecedented in the modern era, and the law has got to step up.