COVID Contact Tracing Technology: How Do We Get it Right?
Cybersecurity experts discuss the intersection between privacy and public health.
In the wake of the coronavirus pandemic, governments, healthcare facilities and workplaces alike are more closely examining different technologies, namely contact tracing apps, to help monitor the spread of the virus in an effort to prevent an uptick in new covid cases, and to restore a sense of normalcy within daily life. While most of these apps are still in the development stages, many people have begun to wonder what exactly the tech will be able to retrieve from their smartphones. Is there anything “normal” about our employers or neighbors having access to our personal data?
Before unplugging from our devices and opening up a beginner’s guide to going off the grid, we spoke with Boston University computer science professor Mayank Varia and professor of electrical and computer engineering Ari Trachtenberg. The experts talked about the newfound tracking technology, pressing privacy concerns and whether pandemic-era data collection will actually work to keep us safer in the future.
What are the most urgent privacy concerns in the United States regarding Covid-tracking initiatives?
Trachtenberg: As with every national and international emergency, there is an overwhelming desire to do whatever is possible to save lives, and we, as a society, are willing to set aside many privacy concerns in the interest of this goal. Two elements distinguish the Covid crisis from others:
- We have a historically unprecedented technological capability of intruding on the private lives of almost every individual in the country.
- There is a fundamental void of scientific understanding of the virus, its related diseases, its transmission mechanisms, levels of immunity granted from sickness, etc.
In other words, we have a national threat that we do not understand, and, if we throw everything we have at it, we will be left with pretty much no privacy whatsoever. This has the capability of fundamentally transforming the nature of U.S. society, and, if experience with previous crises stands to bear, the capability will not go away when the crisis subsides.
How could digital contact tracing benefit healthcare providers?
Varia: The healthcare sector has many experts in manual contact tracing, but it is challenging to deal with a pandemic of this scale. Adding a digital component can provide a quicker way to identify the contacts of a diagnosed person, thereby allowing the healthcare community to use their resources more effectively in treating contacts rather than spending precious time trying to recreate the diagnosed person’s last few weeks of movements. Furthermore, digital contact tracing can identify close contacts that the diagnosed person does not know, such as people seated nearby on public transit or in a classroom.
Is there a danger in implementing tracking technology without established regulation outlining who can access the data and how it’s used?
Trachtenberg: Not necessarily. There are ways to do contact tracing, as outlined in some of our joint research, that would naturally preclude who has access to data in a manner that does not require regulation. Regulation may be needed to make sure that tracing is done in this naturally protective manner, but not necessarily beyond that.
Lawmakers introduced a bill aiming to provide a regulatory framework around pandemic era data collection, although academics, privacy advocates and democrats have cited shortcomings. What big picture questions or concepts do you think need to be addressed in any future legislation?
Trachtenberg: This is not an issue limited to pandemic era data collection. I do believe quite strongly that private individuals should have a fundamental right to decide how and with whom they share information. This is an extremely difficult area to regulate, especially because the technology is adapting much faster than the law. My personal recommendation would be to set up a concept of privacy liability, similar to product liability, where companies (or the government) can be sued for leaking private information of individuals without their consent.
What are your thoughts on the argument that civil liberties should be suspended in a pandemic? Is there a way to implement the surveillance needed to quell the virus while also protecting citizen privacy?
Trachtenberg: Civil liberties should not be suspended. They may be limited at times of need, but this needs to be done only with full and transparent third-party review (e.g. by the judiciary). On a technical front, there are certainly ways to get surveillance-like information without violating civil liberties (e.g., through Multi-Party Computation frameworks, in which a group of people compute something without any one of them knowing the full nature of the computation). However, these require knowing precisely what you want to learn from the community. With a pandemic based on an unknown virus, it is also important to be able to pivot quickly as the science adapts. So, I return to my earlier point: many of my concerns with civil liberties can be ameliorated with the use of a full and transparent third-party review of the desired activity in the context of the existing environment.
What happens if a user’s phone or the data being collected, including sensitive health information and location data, gets hacked or stolen? Is this a viable threat and what are the risks if this does happen?
Trachtenberg: This is a credible threat, but there are also many well-known methods of mitigating the resulting damage, most notably encrypting all data on the device (as is standard on phone operating systems today).
What do you think about workplaces implementing surveillance methods to track employees’ health information and office interactions in an effort to bring employees “safely” back to the office? Is this type of surveillance necessary? Are we headed towards a new normal where employers mandate access to this type of information?
Trachtenberg: I find this scenario truly terrifying, because your workplace is connected to your livelihood, even after the pandemic. Surveillance information can be deeply personal, even at the workplace, and it is scary for your job to have access to this.
If this technology is utilized on the mass-scale, how could it change the course of the pandemic? Do you think it will have a place in our lives once COVID-19 is behind us?
Varia: To the first question: yes, I think that digital contact tracing can be an effective component of a public response toward pandemics like COVID-19. As we move out of a general quarantine, these tools offer an alternative method to flatten the curve: providing advance notice to people before they even realize they are infected so that they can self-quarantine.
To the second question: no, and to the contrary I think it is important for this technology (like all technologies) to have a sunset provision in place. Even though substantial care has been taken to ensure that this technology is as privacy-preserving as possible, at its core any system that provides people with information about their contacts is a type of surveillance mechanism. In the current pandemic, I believe the public health benefits of such a system justify a prudently-designed contact tracing system. Once the pandemic is over, the benefits no longer justify the costs and any such system should be removed.
For additional commentary by Boston University experts, follow us on Twitter at @BUexperts. Follow Professor Varia on Twitter at @mvaria. For research updates from the Boston University College of Engineering follow @BUCollegeofENG. To read additional commentary from Professor Trachtenberg, visit The Conversation.