Zephyr_p / Shutterstock

Policy

Congress Hears Options—And Concerns—for Using Smartphone Data to Fight Coronavirus

Other countries have been using various forms of location- and proximity-tracing to slow the spread of the disease, with widely varying levels of privacy protections.

Aaron Boyd

|
Aaron Boyd
By Aaron Boyd
Senior Editor, Nextgov

Americans are being told to stay at home and keep their distance from others in an effort to slow the spread of COVID-19. But for populations that can’t or won’t abide by social-distancing protocols, government officials are considering using smartphone location data to track individuals and how they might be spreading the disease.

During a paper hearing held Thursday—Congress’ social-distancing method, in which written testimony was submitted to legislators, who then asked questions of the witnesses in writing and gave them 96 days to respond—the Senate Committee on Commerce, Science and Transportation heard from big data and privacy experts about the potential uses for location data in staving off a pandemic, as well as the potential damage such systems can do to society as a whole if left unchecked.

In his open remarks, committee Chair Sen. Roger Wicker, R-Miss., cited reports of mobile advertising companies using consumer location data to track the spread of the disease.

“This location data is purported to be in aggregate form and anonymized so that it does not contain consumers’ personally identifiable information,” he wrote. “Data scientists are also seeking ways to combine artificial intelligence and machine learning technologies with big data to build upon efforts to track patterns, make diagnoses and identify other environmental or geographic factors affecting the rate of disease transmission.”

Related: Will An App Tell You Who Will Give You COVID-19?

Related: How the Coronavirus Became an American Catastrophe

Related: The Prognosis: Latest News on Coronavirus & National Security

While these programs claim to anonymize the data, Wicker stressed the importance of keeping consumers informed about how their data is being used and what steps are taken to ensure bad actors can’t reidentify people using multiple data points.

“There can be little doubt that better access to and analysis of information will play a prominent role in addressing the ongoing pandemic,” wrote Ryan Calo, a professor at the University of Washington School of Law and co-director of the university’s Tech Policy Lab. “Yet even as we bring to bear the considerable ingenuity of our academic, public, and private institutions, my research into privacy and technology counsels a measure of humility and caution regarding the use of data analytics to address this crisis.”

Calo said big data can and is being used primarily in two distinct ways: first, to analyze broad trends and get a better idea of how the virus spreads; and second, to track infected persons to determine where they went and who they came into contact with.

He offered an example of the first use case in Google’s mobility app.

“Google’s COVID-19 Community Mobility Report sheds light on social distancing compliance across the country and the world by displaying month-by-month reports on how much given communities are traveling to work or using public transportation relative to a pre-coronavirus baseline,” he wrote. “Google is using consumer location information, which is a highly sensitive form of data. But because the data is aggregated and displayed only as a relative percentage, the risks to individuals are mitigated. Meanwhile, the data is useful to policymakers in determining where additional social-distancing measures might be needed and to health officials in assessing the correlation between social distancing and rates of viral transmission.”

Calo said he understands the utility of that use case but is highly skeptical of the second, “as I fear that it threatens privacy and civil liberties while doing little to address the pandemic.”

“The appeal of contact tracing apps is intuitive,” he said. “Many Americans today face a Hobson’s choice: remain at home in isolation, leaving social relations—and the economy—in tatters, or venture out into the world and potentially contract and spread COVID-19. The developers of contact tracing apps hope to offer a third way: safe mobility even in the absence of herd or vaccine immunity by crowd-sourcing the detection and avoidance. Laudable as this goal may be, the technique is unproven and the drawbacks potentially significant.”

Calo offered a number of scenarios in which that data could be abused, including by foreign operatives or “unscrupulous” politicians or government officials. Meanwhile, “The process of threat modeling apps that purport to trace the prevalence of coronavirus is limited or nonexistent.”

For Calo, any such tracing program would need to include significant safeguards to ensure it does not become a tool of oppression and abuse.

“To paraphrase the late Justice Robert Jackson, a problem with emergency powers is that they tend to kindle emergencies,” he wrote.

Michelle Richardson, director of the Data and Privacy Project at the Center for Democracy and Technology, categorized tracing programs being used in other countries into two buckets: location comparisons and proximity detection.

Location tracking has been used in China, South Korea and Israel to differing degrees.

In China, a government-built app tells people whether they are at risk of spreading the disease with a color-coded ranking system: green, yellow and red. According to a New York Times report, that data is shared with law enforcement and connects with health checkpoints that feed into the central government.

Israel is using a similar tactic, tapping its domestic spy agency, Shin Bet, to monitor cellphone locations throughout the country and text people who might have been exposed to COVID-19, telling them to quarantine.

“Shin Bet states that this program has led to the isolation of more than 500 people who later tested positive for COVID-19,” Richardson wrote. “The program has been criticized by privacy advocates and is also facing scrutiny by the Israeli Parliament.”

On the other side of the divide is proximity monitoring currently being used in Singapore and India, in which users install an app on their phone—either by choice or government decree—that uses Bluetooth to determine if the user has been within six feet of an infected person.

For India’s version of the app, “According to reports, the anonymized data collected by the app is checked against a database of known cases and their movements,” Richardson wrote. “If an app user tests positive or has been in close contact with someone who has, the app will share that data with the Indian government.”

Technologists in the European Union have been working on a similar system that would also comply with the eurozone’s General Data Protection Regulation, a multinational consumer privacy law.

The Privacy-Preserving Proximity Tracing, or PEPP-PT, “model does not collect location data, contact information, or identifiable features of the end devices,” she said. “Instead, the app will generate temporary IDs. When two or more smartphones running the app come into proximity, they exchange these IDs, encrypt and save them locally on the device.”

Richardson offered a checklist for governments to think through before instituting any such program:

  • Focus on prevention and treatment, not punishment.
  • Ensure accuracy and effectiveness.
  • Provide actionable information.
  • Require corporate and government practices that respect privacy.
  • Build services that serve all populations.
  • Empower individuals when possible.
  • Be transparent to build trust.
  • Be especially rigorous when considering government action.

However, Richardson also argued the lack of federal consumer data privacy laws in the U.S. is the biggest problem. Without such laws, she said, citizens do not have assurances their data is being used and protected properly.  

“Instead, we have a patchwork of federal, state, and local laws that regulate specific sectors or data sets like education records, financial records, children’s information, and health records if they are held by certain entities,” she wrote. “This has led to the explosion of risky and exploitive data-driven behaviors in the vast unregulated space in between.”

Further, “It has reduced public trust in technology companies, and as a result, may discourage people from using legitimate services or waste precious time and resources on untested products. This in turn may inhibit the coronavirus response,” she said.

Wicker agreed.

“Strengthening consumer data privacy through the development of a strong and bipartisan federal data privacy law has been a priority for this committee,” he wrote. “The collection of consumer location data to track the coronavirus, although well intentioned and possibly necessary at this time, further underscores the need for uniform, national privacy legislation.”

NEXT STORY: Pentagon Delays Budget Deadline to Help Staff Work from Home

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.