How to Contain the Spread of Contact Tracing Data
Privacy-Enhancing Technology is critical to protecting confidential health records in the aftermath of a pandemic
In these frightening and uncertain times, with health care systems and hundreds of thousands of lives at stake, governments and public health officials around the globe are pursuing unprecedented legislative action to slow the spread of Covid-19. In a frantic effort to address the many challenges posed by the pandemic, they are unfortunately ceding ground from a data privacy perspective, giving rise to a new threat by relentlessly collecting private data and mobilizing every resource at their disposal, including the private sector, to help “flatten the curve.”
Though it may seem impossible for governments to implement an effective contaminant strategy while also preserving data privacy, highly powerful, yet underutilized technology already exists that actually allows us to do both in parallel.
Contact tracing
One of the more controversial yet effective weapons in the health community’s arsenal is contact tracing, a technique designed to isolate infectious diseases through the collection of otherwise private information about infected individuals and their recent interactions. In the digital era, contact tracing has never been easier.
Sensitive geolocation data is already widely accessible to mobile app developers and industry tech giants like Google who are keen to track consumer behavior and generate revenue. Today, however, our data is being shared, stored and used, at scale, in the name of public health and safety. Regulations like the GDPR and CCPA restrict how this information can be utilized, but in the midst of this pandemic, many governments around the globe are turning a blind eye to data privacy concerns and seeking cooperation with technology companies to develop Coronavirus tracking apps and other geofencing solutions that have significant privacy implications.
The threat of contact tracing
Because contact tracing data accrues value as it is made available to health organizations and their software development partners, it has many attack vectors. The potential for mishandling and oversharing this information not only challenges existing data privacy laws, but can also result in leaks, hacks and other damaging exploits. Health and location data, for example, could be targeted by private companies seeking commercial gains, authoritarian governments looking to expand their surveillance reach, or even parties with a questionable social agenda that aims to dox infected individuals.
In light of these concerns, new privacy-preserving solutions that leverage Bluetooth technology are beginning to emerge. The framework recently unveiled by Apple and Google is a fantastic initiative aimed at protecting sensitive location data in the battle against Covid-19, even if its initial impact may be limited due to a number of constraints, including reliance on third-party public health apps that embrace a more conventional approach to contract tracing.
So what else can be done to minimize the potential for privacy violations, without hindering the use of important technologies that can clearly help slow the spread of a deadly virus? Is it possible for governments and companies to collaboratively use sensitive contact tracing data to save lives while also protecting it from mishandling and abuse?
PET may be the cure
Fortunately, due to innovations in advanced cryptography, these questions do not necessitate a zero-sum answer. Privacy-Enhancing Technology (PET), already endorsed by organizations like the World Economic Forum and in legislation proposed by US Senator Gillibrand, can be extremely useful in helping authorities compare and match data derived from confidential records, without exposing personally identifiable information (PII).
In the context of a global pandemic, privacy solutions powered by PET could help airport authorities compare names on a flight manifest against state-controlled quarantine lists to prevent travel by potential carriers of a highly infectious disease. Similarly, hotels might cross-reference customer names against confidential records kept by medical labs to verify that guests have undergone disease testing. PET-enabled platforms could also benefit health insurers seeking to prevent application fraud and hospitals that wish to confirm the medical histories of newly admitted patients.
The above examples represent just a small sample of use-cases in which data-driven, cross-organizational collaboration can take place while simultaneously guaranteeing that sensitive information is not shared for ethical, legal or business reasons. PET offers a viable way for governments and businesses to maintain ownership over data and preserve our privacy, without adversely impacting their use of technology to help curb a pandemic.
As evidenced by the Patriot Act, history has shown that temporarily-enacted emergency legislation has a way of outlasting crisis situations. As new, unbridled laws are being written, and as companies are being deputized to collect, share and use our data on an unprecedented scale, PET-enabled solutions couldn’t be more urgently needed. They are our best protection against pandemic-driven measures like contact tracing, and they are essential for mitigating risk, safeguarding personal data and preventing harmful overreach in the aftermath of this crisis, as well as those to come.
