What Do COVID-19 Tracking Apps Mean For Data Privacy?

As COVID-19 cases around the world continue to rise, it is clear that we are not out of the woods yet when it comes to this pandemic. Just as doctors are finding new ways to treat the virus, countries are adopting new ways to combat the virus. As predicted previously, this includes the use of new apps which use some form of data tracking in order to determine whether or not people came in contact with a positive case of COVID-19.

Updated as of 1/11/2021

What Apps Are In Play?

The state of New York recently announced that it is rolling out its own voluntary tracing app, “Covid Alert NY”. This app will be in conjunction with several surrounding states, including New Jersey. New Jersey’s, similarly, is called “Covid Alert NJ”. As a reminder, New York recently passed the NY Shield Act, which limits the ways in which a consumer’s data can be used.

It’s worth noting that several other states have also implemented their own tracking apps. Arizona, North Carolina, and Delaware are among the 14 states to have rolled out similar contact tracing apps. In general, these apps are most effective when 60% of the population is using them, but it is not the silver bullet for defeating COVID-19 and must be used in tandem with other efforts such as human contact tracing.

How Does It Work?

At its core, the app is similar to the PEPP-PT app proposed by the European Union discussed in the first version of this article. If two phones are within six feet of each other for more than ten minutes, the phones will use Bluetooth technology to generate a unique code between the two of them, signaling that the two individuals have been in close contact. Those unique codes will be stored on the phone’s internal memory.

When someone tests positive for COVID-19, provided they have the app, a case worker will ask if they are comfortable sharing the codes to a list of known infected codes. When they do, the unique codes their phone has stored will be added to that list. Each day, the list of close contact codes are sent to all phones with the app so the user’s phone can cross check this list of infected codes with their own internal codes to see if there’s a match. If there is a match, the phone will alert the user that they have been in close contact with a positive COVID-19 case and will encourage the user to seek testing.

What Data Does It Reveal?

Aware that data privacy concerns are growing, Governor Cuomo and the creator of the New York contact tracing app have assured the public that no private information from individuals is released. The app may collect a combination of demographic information from you, if you choose. However, the alerts sent to individuals letting them know that they’ve been in close contact with a positive case only reveal that they may have been exposed. The alert does not say where, when, or by whom. The data stored in each personal device is intended to only include the unique codes generated by the phones and nothing more.

The creator of the app has also asserted that copious amounts of cybersecurity tests had been run on the app to ensure that it was safe to use, acknowledging that people are becoming more aware of how their data is being used and how insecure its storage and use can be.

So What Now?

There’s no doubt that this app, when coupled with existing measures, could be beneficial in slowing the effect of COVID-19. It also offers a sort of peace of mind to users who may have existing concerns about whether or not they have been exposed. Certainly, for individuals who work in jobs which require that they be in close proximity with a large number of people, such as grocery store clerks or food service staff, it can offer extra data for them to make informed decisions.

It is possible that once the COVID-19 pandemic is over, that the realization of how precisely location can be tracked – such as mere proximity to another individual just through their phones – will further fuel the discomfort that people feel about their data. That the creator of the app had to take extra precautions to protect data is evidence that the data is there and readily available and that it was only via the creator’s discretion that more isn’t being done with it.

In fighting COVID-19, these apps can help bolster current efforts to stem the spread. After COVID-19, however, these apps and their creators will need to contend with the growing awareness of the public of just how their data can be used and how much of it can be used.

There’s no doubt that the question on everyone’s mind as May draws near is when will everything return to normal? And to take that a step further, what does the “new” normal look like? It’s no secret that the COVID-19 pandemic has caused massive disruptions across all areas of life, from a surge in remote work to widespread measures of containment, which often include quarantine or “stay at home” orders. A growing number of countries have even pursued more aggressive measures to combat COVID-19, including using private data to track infected citizens. It’s quickly become abundantly clear that one of the greatest resources right now is data – specifically, location data.

Pinpointing COVID-19 Cases with Location Data

Countries that are trying to be proactive in their response to the threat of COVID-19 have resorted to using location data in phones to varying degrees. Taiwan, a country globally praised in its response, has instituted a “data fence” policy for those who are meant to be in quarantine. Similar to an ankle bracelet, the phone transmits the user’s location data to the local officials and police. If the phone goes outside of the allowed area or stops transmitting, authorities are dispatched to make sure quarantine rules are being followed.

South Korea uses similar information to aid in the process of contact tracing. When a citizen is confirmed to have COVID-19, the location data from their phone can be leveraged to create a map of potential contaminated areas – which is then relayed to an app that anyone in South Korea can download to see locations that should be avoided. The authorities can also send out mass alerts to the phones of its citizens alerting them of a confirmed case that includes detailed information all the way down to the age of the person and all previous locations visited.

Taiwan and South Korea are not alone in utilizing location and tracking data, though they do represent some of the more far-reaching cases. Certainly one of the most unexpected countries to adopt a tracking app, however, is the EU.

How Far is Too Far?

In 2018, the EU adopted the General Data Protection Regulation (“GDPR”), which limits what companies can and can’t do with their users’ data. It classifies certain attributes as “personal data” – location, demographics, name, address, etc. was the direct result of a growing concern over privacy in the age of big data.

Despite the crackdown on data use, the EU has managed to create the Pan-European Privacy-Preserving Proximity Tracing (“PEPP-PT”) app in compliance with GDPR by using anonymous Bluetooth technology. Data would be stored on the phone, rather than a server, and the collected data from phones would only be accessible by authorities for contact tracing purposes or to privately alert an individual that they may have come into contact with a positive COVID-19 case.

But the sentiments that created GDPR in the first place are ever looming as the EU moves quickly to adopt a set of common rules for the use of any and all proposed apps that track data in order to monitor the spread of COVID-19. While the urge for solutions to the current situation is present, it hasn’t abated the concerns over privacy.

Bringing Location Tracking Apps to America

Americans have recently expressed similar concerns over the amount of personal data that is made available. Two states, so far, have rolled out protection acts including:

These acts set some boundaries on how personal data can and can’t be used, as well as allowing for easier opt out options. Like GDPR in the EU, these concerns arose from how personal data is treated. Currently, however, there has not been a single, unified data protection legislation for the United States. Case law and the laws of individual states exist, making up a patchwork of rules that a contact tracing app would have to navigate in order to stay compliant country-wide. Which begs the question: are people willing to give up some of the privacy they have over their personal data in order to combat COVID-19 and, if so, what happens after this is all over?

Countries who were early adopters of these apps, Taiwan and South Korea in particular, have seen positive results. There is no doubt that such tracking can greatly help contact tracing, which is considered one of the key components of being able to control a pandemic. However, the existing laws in the US were put into place out of a very real concern for data privacy and protection. While the proposed EU app does not necessarily cross the lines drawn in the sand, it certainly toes them.

In January, the idea of an app that tracks and distributes that much personal data would have been nearly unthinkable, however, Google and Apple have announced that they are teaming up to create an US-based version of the app. According to interviews, the app would be entirely voluntary and responses kept anonymous. The proposed app would track people’s proximity to one another to determine if they were close enough for long enough to potentially catch the virus. If a user who was close to others tests positive and updates the app, an alert is sent to other users that they were in close contact to a positive case and may have potentially contracted the virus.

Both Google and Apple have stressed their interest in maintaining the privacy of the users who voluntarily submit to having their location tracked in this way. As an act of good faith, they have stated that they will publicly release information on their work to be as open as possible.

So What Happens When We Reach Our New “Normal”?

The COVID-19 pandemic will end, it’s just a matter of time. When it does, everyone will be anxious to develop some semblance of normalcy. When countries are at the point where they can look back at the reliance placed on location tracking during this time of crisis, what will people make of how fast and easy it was for their privacy to become negotiable? In the midst of a pandemic, individuals may be far more willing to let their data be used in ways that can help mitigate the rising risks. But after it’s over, will people be even more unsettled by the extensive use of their personal data?

Prior to the COVID-19 outbreak, the US was on the path for wider adoption of data privacy protection acts. Whether or not the app proposed by Google and Apple comes to widescale adoption, criticism has already been voiced about the slippery slope created by the apps that already do exist. A desire for a unified right to personal data privacy was a major driving force in adopting what policies the US does have in place long before the COVID-19 outbreak.

The backlash of these apps, while helpful during the COVID-19 pandemic, may very well trigger another round of privacy protection policies, such as the ones currently being considered by the EU even as they proceed with the PEPP-PT. The US may see far more policies come into place like the NY Shield Act and CCPA when the current crisis ends and people come to terms with having relinquished their privacy.

If you have any questions, please
contact a member of Withum’s Technology and Emerging Growth Services Group.

Technology and Emerging Growth Services

Previous Post

Next Post