Privacy During a Pandemic

Carey Lening & Raj Raghavan

The recent pandemic has thrown a wrench in the progress made around the world in strengthening privacy rights.

While there is no question that social distancing and quarantining programs do a great deal of good in helping to “flatten the curve”, they are blunt tools that have profound, and oftentimes, devastating psychological, social, and economic impacts. The world cannot stay at home indefinitely, waiting on scientists to discover a vaccine or build out rapid testing procedures, or for society to develop “herd immunity.” Obviously, a medium-term solution needs to be developed.

One such solution is the development of contact tracing applications, which are being rolled out in countries around the world. The question we consider in this piece is how to develop applications and processes, while still preserving the important gains in privacy and data protection that have been made thus far. The good news is that regulations such as the General Data Protection Regulation (GDPR) and recent guidance from regulatory bodies, may provide us with a framework for developing a sensible solution.

The State of Pre-Pandemic Privacy

While the GDPR technically applies to the data of EU residents, the practical implications of compliance have reverberated worldwide. We believe that it would be prudent for policymakers, health officials and technologists to consider the GDPR and related guidance from regulatory bodies, as a starting point when developing tools and policy for combating the spread of COVID-19.[1]

The GDPR provides allowances for the processing of personal data, including health data. The goal, of course, is to strike a reasonable balance between the rights of data subjects and legitimate uses of their data. Thus, the GDPR requires that any data processed must be “necessary” and proportional to fulfill a specific lawful purpose as defined by Article 6.

Examples of “lawful purpose” include consent, compliance with a legal obligation (Art. 6(c)), processing necessary “to protect the vital interests of the data subject or of another natural person,” (Art. 6(d)), processing to carry out tasks “in the public interest” (Art. 6(e)), or where the processor has a “legitimate interest.” (Art. 6(f)).”[2] Crucially, the GDPR gives wide latitude to Member States and regulatory bodies to introduce specific provisions or guidance when it comes to compliance around Art. 6(c) and (e), and specifically calls out the processing of personal data in the context of “monitoring epidemics and their spread.”[3]

In stark contrast with many other countries, data protection authorities and policymakers in Europe, including the European Data Protection Board (EDPB), European Commission, and European Parliament, have been responsive to these concerns, and have issued guidance and recommendations, with an eye towards development of a pan-European approach to balancing public health needs against the rights of data subjects.[4] The European Data Protection Supervisor also submitted comments outlining a number of safeguards for protecting telecommunications data such as cell phone records.[5]

For example, on April 14, the EDPB issued guidance on data protection considerations for development of technical approaches to combatting COVID-19, including contact tracing and post-diagnosis “exposure notification” systems. Crucially, the EDPB noted that in the case of technical approaches, a “one-size-fits-all” solution is not practicable, and that solutions should be considered on a “case-by-case” basis, preferably in consultation with data protection authorities. Furthermore, development should be done accountably, keeping data minimization principles in mind. For software, the EDPB encouraged source code to be released “for the widest possible scrutiny by the scientific community” and that a Data Protection Impact Assessment (DPIA) should be conducted.[6]

The EDPB also stressed the importance of “voluntary adoption” of contact tracing technology, as opposed to compulsory governmental mandates. Interestingly, the guidance stopped short of extending this recommendation to the private sector. [7]

Finally, EDPB guidance notes that information about specific individuals with COVID-19 should not be disclosed, and that the data collected should be destroyed once it no longer fulfills its stated purpose (e.g., after an infected person tests positive for COVID-19 antibodies, or the virus is contained).

Contact Tracing As a Tool

Contact tracing has a long history of success, both in past epidemics, including Ebola, HIV and Tuberculosis, as well as current efforts against COVID-19. But traditional forms of contact tracing, which normally employ skilled healthcare workers and trained investigators, are time-consuming, manual affairs. Due to the sheer volume of COVID-19 cases (over 4 million cases reported worldwide as of this writing), relying on skilled personnel alone is no longer tenable.

As a workaround, countries around the world have begun hiring thousands to conduct manual contact tracing. While many jurisdictions promote that these individuals have been trained on how to perform contact tracing, it’s unclear whether there are consistent standards in place, what the training entails, if personnel are adequately vetted, or if privacy and data protection principles are being applied.[8]

For example:

● Contact tracing in South Korea incorporates patient interviews as well as the use of medical records, cell phone GPS records, credit card transaction records, and closed-circuit television.[9] When someone tests positive for COVID-19, information is sent out to potential contacts, which may include an individual’s last name, sex, age, residence information and purchase history, as well as where they traveled to. According to a report in The Atlantic, “Even overnight stays at ‘love motels’ have been noted.”[10]

● Singapore also used a combination of technology and manual tracing to effectively control outbreaks. Teams of people conduct interviews, obtaining information on patient whereabouts, contacts, and interactions for the last 14 days. They also corroborate this evidence against the ubiquitous CCTV networks that exist in the country. Those who had come in contact with a patient are also checked for the virus. The nation has also made use of TraceTogether, a mobile app that uses Bluetooth signals to determine when users are near each other.[11]

● At least 41 states, Puerto Rico and the District of Columbia are recruiting nearly 40,000 contact tracers in the United States, or around 1 tracer for every 8,200 people. Some experts doubt this will be enough, and suggest the government should aim to hire between 100,000–300,000 contact tracers.[12]

Privacy considerations abound. Manual contact tracers are given access to a wide array of sensitive personal data about COVID-19 patients and their potential contacts. By necessity, contact tracing must include the collection of this sensitive personal information, as well as details on other underlying conditions of a particular individual. However, too much detailed information on individuals can lead to unwanted consequences like social ostracization, harassment, or targeting of vulnerable groups. This has already occurred in a number of situations. For example, an American army reservist was rumored to Patient Zero for COVID-19 in the US. Her personal information, including her home address and email was leaked and spread online by conspiracy theorists, leading to a wave of harassment and threats.[13] In the UK, a doctor was evicted from her home due to her landlord‘s fears of contracting the virus.[14] And in India, officials in New Delhi are selectively targeting Muslim groups for violating bans on social gatherings, while ignoring similar gatherings by non-Muslims. [15]

Still, even in a perfect world, manual tracing alone is unlikely to be enough. Some countries have begun to enlist the help of technology. From Australia to Taiwan, a growing number of systems are being developed by governments, health authorities and the private sector. For example:

● Taiwan has taken a novel approach, with the public and government working together to develop digital tools for tracking the virus, achieving user-buy in via collaborative means.[16]

● Russia has developed a Social Monitoring app for citizens who have tested positive for Covid-19, that obtains user call logs, location information, camera, storage, network and other information to ensure that users are quarantining.[17]

● The Israeli government is working with the controversial NSO Group to develop software that would track infected persons by gaining access to citizens mobile data, without necessarily obtaining their consent.[18]

● On April 10, 2020, Apple and Google released a technical specification for using Bluetooth Low Energy (BLE) technology for after-infection “exposure notification.” They also released a limited-use API to developers working with public health authorities for building contact tracing apps.

● Similarly, a MIT-led effort known as Private Automated Contact Tracing (PACT), uses a similar approach to the Apple & Google BLE specification, but also allows patients to upload their digital IDs to phone broadcasts, allowing others to check a database to see if there are mutual matches.

● A consortium of scientists and academic researchers in Europe have also developed an open protocol for proximity-tracing of COVID-19. The Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol ensures that personal data stays entirely on a user’s device, and that only specific, deanonymized data of affected, consenting users, is uploaded to allow for contact tracing. Officials from Switzerland, Austria and Estonia announced they plan to implement the DP-3T protocol.[19]

The Apple/Google, MIT, and DP-13 efforts are notable in that each include a number of ‘privacy preserving’ considerations, including rotating identification keys that expire after a fixed period of time, decentralized storage of personal information, and user consent. However, it is unclear based on this reading if any of these specifications can be useful for performing true contact tracing, or if they instead function as “exposure notification” tools for future contact with infected persons.

The question is, can we build technological solutions and policies that preserve a healthy balance of personal data while still providing an effective strategy to fight the virus? At the most extreme level, we have countries such as South Korea and Russia. While South Korea’s policies are bordering on a police state, it’s clear they work — with overall cases falling from a high of 7,362 on March 11, to just 1,654 as of April 28, a 77% decrease.[20]

By comparison, the privacy-preserving standards developed by Apple & Google appear to strike a better balance, but they have yet to be formally tested, as tools currently in development have yet to be released publicly. Moreover, the technology itself seems to be used for post-hoc exposure notification, rather than allowing for contact tracing of individuals prior to testing.

Both BLE and GPS also have a number of technical challenges and security vulnerabilities that can potentially limit their effectiveness for critical use-cases such as contact tracing and eventually social distancing and quarantine enforcement.[21] This may lead to a number of unintended consequences. If a COVID-19 patient fails to self-quarantine, and goes to a grocery store, for example, will there be a sudden flurry of mobile alerts, creating a new panic?

There will also be challenges around privacy and surveillance when it comes to enforcing stay-at-home orders for those identified through contact tracing. But we believe that technology can also play a part here. Some tools, like Taiwan’s ‘electronic fence’ already do this, by using cellphone triangulation to identify if a quarantined subject has left their home, or turned off their phone.

Many Americans have already begun challenging statewide stay-at-home orders, which are in some respects easier to enforce, as police can target anyone who appears to be violating the order. But how do you identify and enforce quarantining when normal day-to-day functions return for some, but not all of us?

Recommendations For Dealing With the New Privacy Normal

The GDPR, and related guidance offers the world a good starting point. But we all should at a minimum consider the following when it comes to further development of contact tracing standards:

1. Decentralized Approach. When it comes to technological solutions, countries should favor decentralized approaches, in line with EDPB recommendations.[22] Personal data should be stored locally on people’s phones, and any information stored centrally should be limited and de-anonymized as much as possible. Additionally, once the pandemic subsides, any data kept on individuals should be deleted, or fully anonymized (assuming there is a legitimate public-health basis for keeping such information).
2. Privacy By Design. Development of applications and standards should consider ‘privacy-preserving’ features whenever possible, similar to the proposals outlined by the DP-3T, PACT, and the Apple/Google partnership. Such standards could include randomly-generated keys or tokens that expire, limited (or no) device location collection, and user-controllable limitations on what data can be collected.
3. Consent. Any digital contact tracing system should be voluntary. Earned trust is more effective than compulsion, especially given the legitimate concerns that many have about government and private-sector surveillance. For these systems to be effective, a large percentage of the population must opt-in.
4. Purpose Limitations. Legally-binding guidelines about what information will be collected and how it will be used must be established. Similarly, decisions made as a result of contact tracing, or self-quarantining applications, should not include decision making based on solely automated means. Local and federal law enforcement agencies should be barred from accessing this information to pursue criminal matters not related to the epidemic, and employers should be limited in how much they can rely on any application in terms of making decisions on personnel matters.
5. Transparency. Any applications or standards should be transparent. Making standards and software development open-source is essential. Not only will this make it easier to build robust, compliant tools, but it will also foster collaboration amongst localities, and increase user trust.
6. Collaboration & Education. Developers should work with patients, policy makers, and public health and data protection authorities in developing the software, training, policy and procedures for performing contact tracing in a sensible, privacy-aware manner. Ideally, there would be regional collaboration and national standards for tracing efforts — perhaps coordinated through an existing group like the WHO or CDC.
7. Oversight & Termination. Independent advisory boards (both at national and supra-national level) focused on privacy and civil rights should be established. These panels should be empowered to hold hearings and collect information, from documents and witnesses, to provide this oversight and review, and set turn-down dates for any data that does not have ‘epidemiological relevance.’[23]

We believe that the sensible recommendations outlined above will allow for effective, reasonable and privacy-aware solutions to be developed that balance individual privacy considerations with the common goal of combating the COVID-19 epidemic.

[1] Primarily Articles 6 and 9, and Recitals 41 and 46.

[2] GDPR, Art. 6.

[3] See also: GDPR, Recital 46. “Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”

[4] Dr. Gabriela Zanfir-Fortuna, of the Future of Privacy Forum, has a comprehensive summary of these EU-led efforts at: https://fpf.org/2020/04/30/european-unions-data-based-policy-against-the-pandemic-explained/.

[5] See: “Subject: Monitoring spread of COVID-19” European Data Protection Supervisor, 25 March, 2020 at: https://edps.europa.eu/sites/edp/files/publication/20-03-25_edps_comments_concerning_covid-19_monitoring_of_spread_en.pdf.

[6] “EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic.” 14 Apr. 2020, at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpbletterecadvisecodiv-appguidance_final.pdf.

[7] Id.

[8] “Contact Tracing Could be Key to Easing Social Distancing Rules,” NPR, 13 April 2020 at: https://www.npr.org/2020/04/13/833045473/contact-tracing-could-be-key-to-easing-social-distancing-rules?t=1588164153094

[9] “Test, trace, contain: how South Korea flattened its coronavirus curve”, The Guardian, 23 April 2020 at: https://www.theguardian.com/world/2020/apr/23/test-trace-contain-how-south-korea-flattened-its-coronavirus-curve.

[10] “Contact Tracing Could Free America From Quarantine”, The Atlantic, 7 April 2020 at: https://www.theatlantic.com/ideas/archive/2020/04/contact-tracing-could-free-america-from-its-quarantine-nightmare/609577/.

[11] ” ‘There’s an App for That’: Use of COVID-19 Apps in Singapore and South Korea,” Asia-Pacific Foundation of Canada, 27 April 2020 at: https://www.asiapacific.ca/publication/theres-app-use-covid-19-apps-singapore-and-south-korea.

[12] ” States Nearly Doubled Plans For Contact Tracers Since NPR Surveyed Them 10 Days Ago”, NPR, 28 April 2020 at: https://www.npr.org/sections/health-shots/2020/04/28/846736937/we-asked-all-50-states-about-their-contact-tracing-capacity-heres-what-we-learne.

[13] ”Exclusive: She’s been falsely accused of starting the pandemic. Her life has been turned upside down,” Business Insider, 27 April 2020 at: https://edition.cnn.com/2020/04/27/tech/coronavirus-conspiracy-theory/index.html.

[14] ”Coronavirus: NHS doctor ‘evicted from home due to landlady’s fears over COVID-19'”, Sky News, 26 March 2020 at: https://news.sky.com/story/coronavirus-nhs-doctor-evicted-from-home-due-to-landladys-fears-over-covid-19-11963799.

[15] ”India’s Muslims feel targeted by rumors they’re spreading Covid-19,” CNN, 24 April 2020 at: https://edition.cnn.com/2020/04/23/asia/india-coronavirus-muslim-targeted-intl-hnk/index.html.

[16] ” If We Must Build a Surveillance State, Let’s Do It Properly”, Bloomberg, 22 April 2020 at: https://www.bloomberg.com/opinion/articles/2020-04-22/taiwan-offers-the-best-model-for-coronavirus-data-tracking?sref=60g7QQE7.

[17] ”’Cybergulag’: Russia looks to surveillance technology to enforce lockdown,” The Guardian, 2 April 2020 at: https://www.theguardian.com/world/2020/apr/02/cybergulag-russia-looks-to-surveillance-technology-to-enforce-lockdown.

[18] “Coronavirus: Israeli spyware firm pitches to be Covid-19 saviour”, BBC News, 2 April 2020 at: https://www.bbc.com/news/health-52134452. “Israel is tracking phone location data to fight COVID-19, reports say”, CNET, March 17, 2020 at: https://www.cnet.com/news/israel-is-tracking-phone-location-data-to-fight-covid-19-reports-say/.

[19] See: https://www.swissinfo.ch/eng/digital-solution_contact-tracing-app-could-be-launched-in-switzerland-within-weeks/45706296 (Switzerland); https://www.ots.at/presseaussendung/OTS_20200422_OTS0052/stopp-corona-app-weiterentwicklung-mit-hilfe-der-zivilgesellschaft (Austria); https://e-estonia.com/trace-covid-19-while-respecting-privacy/ (Estonia).

[20] “South Korea — Worldometer.” https://www.worldometers.info/coronavirus/country/south-korea/.

[21] See: ” Limitations of BLE in smart home,” DevelopX, 4 December 2017 at: https://developex.com/blog/limitations-of-ble-in-smart-home/; ”GPS Accuracy,” GPS.gov, at: https://www.gps.gov/systems/gps/performance/accuracy/.

[22] ” EDPB Letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic,” 14 April 2020 at: https://edpb.europa.eu/our-work-tools/our-documents/letters/edpb-letter-concerning-european-commissions-draft-guidance-apps_en. To date, Ireland, Germany, Austria and Switzerland have all spoken in favor of applying a decentralized approach.

[23] See: ” eHealth Network: Mobile applications to support contact tracing in

the EU’s fight against COVID-19. Common EU Toolbox for Member States” ver. 1.0, 15 April 2020 at: https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf.