COVID-19 Contact Tracing Apps

The wild west of COVID-19 exposure mapping and why the U.S. needs a data protection law

The ongoing public health emergency has given rise to a market for tech tools for mapping exposure, monitoring symptoms, and providing individuals with health and safety information. When it comes to tools for exposure mapping, or “contact tracing” as it’s more commonly called, the largest players by far are Google and Apple. The two companies announced a partnership in April to create exposure mapping software that enables app developers to create exposure-mapping apps using Bluetooth capability in both Android and iOS devices.

Though these companies have taken pains to document and share the efforts they have made to protect the security and privacy of user data, most U.S. states looking to adopt exposure mapping apps have opted not to use the Google/Apple tool. Instead, many states have adopted a wide range of other mechanisms, from apps to online platforms, that collect some form of personal data. For example, South Dakota was an early adopter of the Care19 contact-tracing app. The app assigns users a random number to keep their information anonymous and relies on WiFi location data, cell tower data, and GPS location data to track users. In Berkeley, California, local authorities are using the Coalition app, which relies on Bluetooth to monitor users’ whereabouts. In Kansas, a COVID-19 platform analyzes anonymized cell phone data and compares GPS data from before and after the implementation of social-distancing measures to track the mandate’s effectiveness. The tool also offers county-level grades.

Across this wide range of tools, there are no federal safeguards in place to ensure data are meaningfully protected. Some apps, such as the HealthyTogether app that is being used in Utah, have privacy policies that provide details on data collection and retention measures. But the details in these policies vary widely across the apps in use, with no evident standard for important elements such as whether and when the data will be automatically deleted, with whom a company will share the data, or how the security of the data will be protected. It should therefore come as no surprise to see reports such as the one in North Dakota revealing that an official app shared sensitive user data with Foursquare and Google.

The lack of standard protections is a problem we should be fixing right now. There is no end in sight for the pandemic, nor, by extension, for use of these apps. While all states in the U.S. are in various stages of “re-opening,” public health data show we have not reached the end of the COVID-19 public health emergency, and health experts believe it may worsen. They continue to predict that the U.S. will experience a second wave of COVID-19 outbreaks in the fall.

The U.S. Congress is well-positioned to take the necessary steps to protect individuals’ privacy and civil rights as states implement COVID-19 response technology. Recently, several U.S. representatives introduced the Public Health Emergency Privacy Act, which is designed to safeguard privacy as a variety of exposure mapping and other COVID response technologies flourish. The bill follows many of the recommendations Access Now made in our recent report on privacy and data protection during COVID-19, including applying strong data protection principles such as imposing limitations on the collection and use of COVID-19-related data, and preventing these data from being re-used for commercial or advertising purposes.

No one should have to sacrifice their privacy or security to stay healthy, and privacy is critical for enjoying a broad range of rights. Importantly, the Public Health Emergency Privacy Act aligns with many civil-rights-respecting principles that are essential for any COVID-19 response technology, including prohibiting use of COVID-19 data for discriminatory purposes. These protections are essential to ensure that any technology used in the pandemic response will protect the civil rights of people in vulnerable communities who are already at risk of rights violations.

Regardless of the form the final bill will take, it is imperative that Congress take action now. Without the necessary protections in place, COVID-19 response technology will run rampant under a patchwork of rules, risking everyone’s privacy for what may be very little gain.