Best in Law: Protecting Privacy on COVID-19 Contact Tracing Apps
Glen Price Discusses Privacy Issues Around COVID-19 CA Notify App and Others
By Glen Price
From the beginning of the COVID-19 pandemic, public health officials around the world have looked to use the benefits of big data and the ubiquity of smartphones to help track and stop the spread of the virus. The ability to track smartphone users with location data and Bluetooth to better understand community interaction and the geographic spread of the virus appeared to be a practical and societal good.
But the promise of digital tracking hit two roadblocks: first, compliance with the legal requirements of data privacy regulations, such as the California Consumer Privacy Act, the European Union General Data Protection Regulation, and federal and state protections for personal health care information such as HIPAA; and second, general concerns that sensitive personal information could be subject to government misuse or unauthorized disclosure by hackers.
With the recent revelations concerning a massive breach of government computer systems, including sensitive systems related to national security, the concern that personal data is at risk — regardless of legal compliance and ordinary security protocols — is a valid one.
One of the common features of privacy regulation is the ability to collect data if users consent to the collection and use of that data through a voluntary opt-in process. Most contact tracing apps released so far by governments are voluntary. This also extends to the contact tracing system set up by the California Department of Public Health, called California Connected.
The Department of Public Health requests information from individuals on a voluntary basis to conduct contact tracing of potentially infected individuals and to provide them with counseling and advice on how to stay safe and quarantine. Health information collected by California Connected is confidential under federal and California law, but it can be accessed through a court order, and the question of data security against a potential unauthorized breach remains.
Another common feature of privacy regulation is to allow the use of data if it is aggregated or anonymized so that any personally identifying information is stripped out. This is done routinely by government agencies and businesses as a way to legally mine information about groups of individuals, including patterns and preferences.
As a practical matter, aggregated or anonymized data has remained a concern because the prevalence of digital tracking of individuals across multiple databases can allow individuals to be re-identified if the right characteristics are chosen. Furthermore, aggregate and anonymous data, while potentially useful to public health officials for tracking trends and statistical variations in COVID-19 infections, is not particularly useful for the work of stopping the spread of the virus in our communities. That effort requires the ability to trace individuals who may have been exposed.
The new CA Notify app attempts to avoid these pitfalls by making the process of exposure notification and contact tracing as voluntary and anonymous as possible. It does this by using the Express model of the Google/Apple Exposure Notification System, which uses Bluetooth on phones to exchange random identifiers between phones that have been in proximity to each other and where virus transmission could have occurred.
These random identifiers are stored on the phone and no identifying information concerning the location or identity of the user is collected or stored by the government. When an individual finds out that he or she has tested positive, it is the user’s choice to enter a code into the app that will then send an anonymous notification to everyone whose phone exchanged the random identifier. This lets people know that they are potentially at risk and should look for symptoms, get tested and consider quarantine.
At no time is the identity of the person who tested positive, or where they were when the contact occurred, stored or revealed. Unlike some other states that use the Google/Apple system, California does not ask for supplemental information from users that could create privacy concerns.
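To make the privacy properties described above concrete, here is an added simulation of the decentralized design (written for this article, not the Google/Apple or CA Notify code, and with a simplified identifier derivation rather than the real cryptographic scheme). Each phone keeps a random daily key, broadcasts identifiers derived from it, and stores only the identifiers it hears; a diagnosed user who enters a one-time verification code publishes only their daily keys, and every other phone does the exposure match locally, so the server never holds a name or a location.

```python
import hmac
import hashlib
import os

ROLLING_PERIOD = 144  # 10-minute intervals in a day (simplified stand-in)


def rolling_identifier(daily_key, interval):
    # Simplified stand-in for the real derivation: HMAC-SHA256 over the
    # interval number, truncated to 16 bytes. Unlinkable without the key.
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Device:
    def __init__(self, name):
        self.name = name          # simulation label only; never transmitted
        self.daily_keys = []      # random keys, generated and held on the phone
        self.seen = set()         # identifiers heard over Bluetooth, stored locally

    def new_day(self):
        self.daily_keys.append(os.urandom(16))

    def identifier(self, day, interval):
        return rolling_identifier(self.daily_keys[day], interval)

    def hear(self, ident):
        self.seen.add(ident)

    def exposed(self, published_keys):
        # Re-derive every identifier from the published keys and match on-device.
        return any(rolling_identifier(k, i) in self.seen
                   for k in published_keys for i in range(ROLLING_PERIOD))


class NotificationServer:
    def __init__(self):
        self.published = []       # only random daily keys: no identity, no location
        self.valid_codes = set()  # one-time codes issued by public health

    def issue_code(self):
        code = os.urandom(4).hex()
        self.valid_codes.add(code)
        return code

    def publish(self, code, daily_keys):
        if code not in self.valid_codes:
            return False          # reject uploads without a valid code
        self.valid_codes.discard(code)  # codes are single-use
        self.published.extend(daily_keys)
        return True


def simulate():
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    server = NotificationServer()
    for d in (alice, bob, carol):
        d.new_day()
    # Constructed scenario: Alice and Bob are near each other in interval 42; Carol is not.
    bob.hear(alice.identifier(0, 42))
    alice.hear(bob.identifier(0, 42))
    code = server.issue_code()              # Alice tests positive and receives a code
    assert server.publish(code, alice.daily_keys)
    assert not server.publish(code, alice.daily_keys)   # replaying the code fails
    return {"bob": bob.exposed(server.published), "carol": carol.exposed(server.published)}
```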
In a shopping season where it is clear how much individuals are tracked online, as a click in a browser on a computer shows up almost immediately as an ad on mobile social media streams, people have good reason to be concerned about an app that could track their location and interactions at all times. But the CA Notify app goes about as far as possible legally and practically to protect privacy while attempting to save lives.
This article first appeared in The Press-Enterprise and other Southern California Newspaper Group publications online on Dec. 24, 2020. Republished with permission.