Playing with Fire: Using Location Data to Track the Coronavirus
by Gus Rossi, Omidyar Network
Last week, the Washington Post reported that the U.S. government is in active conversations with Facebook, Google and other tech companies to consider using individual location data collected from the phones of people residing in the US in order to track, understand, and curb the spread of COVID-19.
This tactic may prove to be one of the ways that the surveillance infrastructure built by the dominant tech platforms can be repurposed as a key tool in this never-before-seen global health battle. But we must be cautious about how the government and companies are allowed to access, share, and use our location information. Big tech has a track record of putting profit over our privacy and has long been thirsty for our health-related data. And in the recent past, the U.S. government turned legislation theoretically designed to protect Americans, such as the Patriot Act, into an instrument of domestic surveillance. Without proper safeguards, individual location data can easily be used against the public interest and against people's expectations.
Location data has the potential to help public health authorities slow the spread of COVID-19 and flatten its infection curve. South Korea and China have used location data to, for example, reconstruct the movements of people exposed to the virus and identify others at risk of infection. Israel rushed through an executive order allowing the police to track the cellphones of individuals who tested positive for the virus, or who might have it, thereby mapping the spread of the infection and enabling the prediction of outbreak clusters. Singapore’s Ministry of Health made information about victims public, and a developer turned that information into an interactive map. More generally, startups like the Swedish Flowminder have shown how health data can be aggregated and used to improve public health and welfare.
But location data can just as easily be used in ways that expose people to new privacy and safety risks, as documented by Privacy International. In 2019, The New York Times demonstrated that location data is already being collected by private vendors and made available for purchase, which ultimately allowed others to follow military officials with security clearances as they drove home at night. And in January, the FCC fined Verizon and other carriers for the wholesale selling of precise location data to companies that then lost or re-sold the data indiscriminately.
To ward off these concerns and the accompanying scrutiny, Facebook has recently clarified that it will not share data without asking users to opt in to such a practice, though it’s not clear how much choice users will be offered if they want to keep using the free service. And Google claims that, for now, it is only looking to anonymize and aggregate location information for research without exposing individualized details.
Some will say that a fast-spreading pandemic represents extenuating circumstances that require big tech and governments to use all of the tools at their disposal. To that, I say their good will needs to be matched with the appropriate safeguards and provisions.
The track record of the parties involved allows us to presume that the government and tech companies could give each other access to vast amounts of physical location and health information that, if inappropriately used, could lead to discrimination by employers and insurers, unfair or deceptive targeting, harassment, arrests, and worse. It’s critical that appropriate safeguards and provisions are in place to guarantee that location data is used only in the public interest and not for private gain or unwarranted surveillance.
In this scenario, the appropriate safeguards include:
- limits on the purpose for the shared data
- limits on data retention
- restrictions on non-anonymized, re-identifiable data
- the creation of a data trust that only verified and competent parties can access
First, purpose limitations are necessary to ensure that all parties can collect and share data only for the purpose of combating COVID-19, and nothing else. Without purpose limitation, the government and companies could use our location data for other commercial, law enforcement, or surveillance goals.
Second, data retention limitations would give users the peace of mind of knowing that their digital footprints will eventually go away. Americans’ identifiable or re-identifiable location data shouldn’t be stored or accessed indefinitely. Unlimited data retention policies also make data breaches more likely and more damaging, as there is more data to be leaked.
Third, none of the data collected and shared for the purpose of understanding and fighting COVID-19 should be re-identifiable. Americans need to feel confident that no one is going to use their data to stigmatize them or discriminate against them for being sick (or for being outside their homes), now or in the future.
Fourth, the data should be placed in a data trust governed by an institution such as the National Science Foundation and made available only to trustworthy researchers, experts, and authorities. A data trust is a legal structure that creates explicit purpose and accountability mechanisms for the independent stewardship of data in service of a goal. Data trusts can take on the fiduciary responsibility to steward, maintain, and manage how location data is used and shared: who is allowed access to it and under what terms, who gets to define those terms, and how.
Properly used, analysis of individual and aggregated location data can provide powerful insights for the global fight against COVID-19 and for our collective health in the US and elsewhere. But robust safeguards must be in place to prevent misuse and abuse in any country and, ideally, must be written into permanent data protection laws. We call upon Members of Congress and all governments interested in using location data to combat epidemics to do so in a privacy-enhancing manner. As the Global Privacy Assembly has stated, “data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic”. Privacy and fighting COVID-19 can and should go hand in hand.