Privacy vs. Health in the World of COVID-19
by Chris Bowen
Chief Privacy & Security Officer and Founder
Google and Apple, two companies I admire in many ways, are trying to save the world. By uniting their efforts toward identifying those who may have been exposed to COVID-19, these tech giants are probably the only two organizations on the planet that have a chance to be successful. Collectively, they comprise 99% of the smartphone device market.1 Envision billions of smartphones tracking the Coronavirus - something both inspiring and terrifying at the same time!
Smartphones first played a role in COVID-19 tracking in China, where the regulations are different than in the US, Europe, and many other parts of the Asia Pacific region. Chinese citizens were given colored barcodes in their smartphones that depicted whether they were infected.2 A modern-day “scarlet letter” identifying people as infected is a boon for health tracking and a disaster for privacy.
The overall approach by Apple and Google seems reasonably straightforward and well-intended. You download a public-health authority sanctioned app (like Health & Human Services) to your smartphone. You click a button that indicates your consent to track people with whom you've been in contact using Bluetooth (roughly 30-foot range). Your smartphone then starts broadcasting an ID code four or five times an hour to your surrounding area. Smartphones surrounding you do the same.
The propensity for falsely identifying someone as having COVID-19, however, looks unnervingly high, which may not be a big deal until you grapple with the consequences.
For example, suppose I'm in my car, stopped at a stoplight, windows up, and a person who has also downloaded the app crosses the street. Three days later, he tests positive, and I receive a notice that I was near someone who tested positive for COVID-19. I'm not exposed. But my alert sounds, and I end up in quarantine for 14 days. That's a terrible outcome for what was no issue in the first place. And worse, I have no right to protest.
What happens if I don't download the app?
The alternative is one that trumps the right for you to consent to give up your privacy rights in exchange for public health. Apple and Google are already talking about placing contact tracing technology into their mobile operating systems. The plans are for a pop-up to appear, requesting consent to turn on tracking. The two companies say the tracking data will remain on the phone. But privacy-minded skeptics will say that they've heard that before with great disappointment.3 There's a huge trust issue here, which is unfortunate but justified.
Many privacy experts, myself included, shudder to contemplate that privacy expectations during and after the pandemic could tilt toward the model of the Chinese color-codes. Tech giants commit to keeping data on the device, and any use of the data will remain aggregated. Data would never be identifiable, they say. Yet, when you start to think about personal freedoms like privacy, you realize that some technologies and services can rapidly make sense of thousands of disparate data sources. It's reasonable, then, to conclude that this kind of surveillance would expose personal information.
While intentions seem to be pure at the moment, it’s inevitable that a bad actor will find this kind of information useful and somehow figure out how to take it and misuse it. We've seen this play out historically.
Even if you trust that these smartphones are secure and that the companies won't offload that data from your mobile device, you are unwittingly collecting information about others. This data is rich with details about everyone's social relations. Any intelligence service in the world would love to have access to a list of who knows who.
Equally concerning is that, too often, governments that temporarily remove privacy rights in the name of crisis response cement that response into permanence. Slovakia just passed a law that allows its public health officials only to collect geolocation data from its citizens - without their permission.4 Let's hope that the Slovakian government restores privacy rights at the end of the crisis.
Nothing can be perfect, and we have to employ measures to tamp down this virus. But the fact remains that technology won't be perfect and AI assumptions - which will sometimes be wrong - may impact people in terrible ways.
This pandemic provides governments and technology companies with the opportunity to earn back trust. The most important question is, will they?