Privacy Protection in COVID-19 Tech Surveillance
Negotiating privacy is ubiquitous in technology — the more we benefit from its consumption, the more desensitized we are to potential breaches. Currently, urgent focus is on testing efforts and establishing a surveillance system for contact tracing, a public health technique that is employed to determine who came in contact with a person who tested positive for COVID-19. The process concludes with communicating exposure risk to relevant individuals and determining whether quarantining is necessary.
CDC Surveillance Systems Guidelines
As technologists develop surveillance systems in response to COVID-19, the Centers for Disease Control and Prevention (CDC) recommends adhering to the following principles to meet efficacy standards:
Timeliness - How rapidly data is processed and available for public health authorities to take appropriate action.
Sensitivity - The extent a surveillance system can detect all or most cases in a target population.
Predictive Value Positive - The proportion of identified cases that truly are cases. Are the reported cases really cases?
Validity - Refers to whether surveillance data is measuring what it is intended to measure. Is the surveillance system detecting the outbreaks it should?
Quality - Reflects the completeness and validity of the data used for surveillance.
Representativeness - Whether findings of the surveillance system accurately portray the incidence of a disease within subgroups of the population.
Flexibility - The surveillance system’s ability to adapt to changing information needs or operating conditions with little additional costs in time, personnel, or funding.
Acceptability - The willingness of individuals and organizations to participate in the surveillance system.
Stability - The reliability of the methods for obtaining and managing surveillance data and the availability of those data. This characteristic is usually related to the reliability of the computer systems that support surveillance.
Simplicity - This refers to both the system’s structure and ease of operation. Surveillance systems should be as simple as possible, while still meeting their objectives.
Besides the epidemiological surveillance criteria for COVID-19, additional standards that protect the privacy of participants during and after the surveillance period are equally important. With this in mind, how can we best leverage technology to carry out prompt COVID-19 contact tracing?
ACLU’s Recommendations for COVID-19 Surveillance
Conversation around privacy preservation continues to evolve as we seek to accommodate solutions for this global pandemic and its devastating ramifications. Historically, the privacy advocacy organization the American Civil Liberties Union (ACLU) has been at the forefront of tackling such issues. The organization reviewed Technology-Assisted Contact Tracing (TACT) surveillance proposals from technology companies such as GitHub, PACT (Private Automated Contact Tracing), TCN Coalition and a joint collaboration between Apple and Google. All reviewed proposals endorsed Bluetooth Low Energy between neighboring mobile phones as a means to determine COVID-19 exposure risk. The proposed surveillance systems were designed with the assumption that a significant majority of the population has access to mobile phones.
In a white paper outlining principles for evaluating TACT proposals, the ACLU juxtaposed public health benefits with the potential significant risks to privacy, civil rights, and civil liberties. The organization argued that for a TACT surveillance system to be effective, it must be widely adopted, an achievement that can be accomplished through public trust. In this case, public trust is a significant determinant for willingness to participate in TACT, and warrants implementation of robust safeguards to protect personal health data. The ACLU detailed the following principles for evaluation of TACT mobile phone applications proposals:
Not displacing non-technical measures - Resources allocated towards TACT efforts should not come at the expense of other public health interventions such as testing and treatment.
Voluntary - Every step of the TACT application on mobile phone surveillance should be voluntary. Mandatory participation is likely to foster untrustworthiness and dissuade people from carrying out the necessary actions for successful surveillance.
Non-punitive - For a TACT application to be widely adopted, the general public must trust that the collected information will not be used for punitive purposes. Legal and technical safeguards must be in place to protect users from perceived harm.
Built with public health professionals - Public health professionals such as infectious disease epidemiologists, immunologists and other subject matter experts should guide TACT application developers to ensure the surveillance system’s efficacy.
Privacy-preserving - All data collected by the TACT application must be specifically relevant to COVID-19 public health interventions. Measures to protect sensitive personal records must be enforced technically and not by policy alone, since policies can be amended in the future or without the participants’ consent.
Non-discriminatory - The TACT surveillance deployment should identify typically misrepresented or excluded populations, and not further worsen existing social inequities. To reach those who may not have access to Bluetooth-capable devices or high-speed internet, TACT surveillance efforts can be supplemented with traditional contact tracing methods, led by members of the affected community.
Minimal reliance on central authorities - Reduced dependence on central authorities is imperative given the risk for abuse of sensitive data once it is reported in the TACT application. Thus, personal identifying data should not be sent to central authorities, or be stored. Instead, TACT developers should aim for transparently communicating which central authorities are receiving user information.
Data minimization everywhere - This refers to efforts to limit the collection of sensitive data to only the information that is relevant to the purpose at hand. In turn, collected data should not be stored by central servers after it is no longer necessary, and this should be enforced through technical and legal measures. Basic data minimization aspects include data encryption, scheduled data destruction and only retaining aggregated de-identified data.
No data leakage - Data collected in the TACT surveillance system should not be released by either the end user or central authorities to uninvolved parties. Meticulous legal, procedural and technical safeguards should be in place to prevent data breaches by law enforcement agencies or others with punitive intentions.
Measurable impact - The TACT surveillance system’s performance metrics must be made available to the public in order to openly communicate its impact, pertinent aggregate findings and the overall intended outcomes.
Have an exit strategy - A TACT surveillance system designed for COVID-19 reporting should not be used beyond this scope for other purposes, and must have a built-in phasing out plan.
Narrowly-tailored to target a specific epidemic - The TACT surveillance system must adhere to COVID-19-specific characteristics and reporting requirements only.
Auditable and fixable - Software-based surveillance systems require transparency to generate trustworthiness in their end users. An open source component with all published iterations of the software should be made available for end users and other entities to audit or fix when needed.
Sustainably maintained - The sustainability of a TACT surveillance system is predicated on ongoing maintenance efforts with the purpose of mitigating potential breaches and other threats to personal health records.
Apple and Google’s Response to ACLU Privacy Concerns
In response to the ACLU's privacy-preserving recommendations, Apple and Google amended their TACT proposal to include:
A pledge to disable the TACT after the pandemic has been contained
An updated list of frequently asked questions to address additional privacy concerns
Changing from a “Contact Detection Service” to an “Exposure Notification Service”
Randomizing the generation of tracking keys that are linked to the user’s device
Defining the proximity and duration of contact between devices needed to trigger the TACT application
Metadata protection through encryption
Users have the ability to opt in or out of exposure notification
Users can choose whether or not to share their positive COVID-19 diagnosis with public health authorities.
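To make the randomized-key and opt-in points above concrete, here is an added, simplified model (not Apple and Google's code or their actual protocol) of how a per-day random key and rotating derived identifiers let exposure matching happen on the phone itself, while a passive observer of the Bluetooth broadcasts cannot link them to a device. The interval length, the HMAC construction and every name are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration (not values taken from the page or any spec).
INTERVAL_SECONDS = 10 * 60                    # how often the broadcast identifier rotates
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS  # 144 identifiers per daily key


def new_daily_key() -> bytes:
    """Random per-day key generated on the device; never derived from the user's identity."""
    return secrets.token_bytes(16)


def interval_number(unix_ts: int) -> int:
    """Index of the rotation interval that contains a Unix timestamp."""
    return unix_ts // INTERVAL_SECONDS


def proximity_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast over Bluetooth during one interval.

    It is a keyed hash of the interval number, so someone who only sees the
    broadcasts cannot tell which identifiers came from the same phone and
    cannot recover the daily key from them.
    """
    msg = b"demo-proximity-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def identifiers_for_day(daily_key: bytes, day_number: int) -> set:
    """Every identifier a device broadcast on one day, recomputed from its daily key."""
    first = day_number * INTERVALS_PER_DAY
    return {proximity_id(daily_key, i) for i in range(first, first + INTERVALS_PER_DAY)}


def count_exposures(observed: list, diagnosis_keys: list) -> int:
    """Runs on the receiving phone only.

    `observed` holds identifiers this phone heard nearby; `diagnosis_keys` holds
    (daily_key, day_number) pairs that diagnosed users chose to publish. Because
    matching is local, the server learns neither who met whom nor where.
    """
    published = set()
    for key, day in diagnosis_keys:
        published |= identifiers_for_day(key, day)
    return sum(1 for ident in observed if ident in published)
```

A user who never opts in to publishing a daily key contributes nothing to `diagnosis_keys`, so their broadcasts stay unmatched and unlinkable.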
Even as Google and Apple plan to continually strengthen privacy protections, privacy concerns persist. A 2019 study that tested the vulnerability of top mobile health applications determined that third-party data sharing is a common practice in 79% of the reviewed applications, unbeknownst to users. Rightfully, the researchers concluded that loss of privacy is not a fair cost for digital health services.
An additional privacy concern is the Department of Health and Human Services’ stance on HIPAA liability as it pertains to mobile health applications. In 2019, the department determined that once the user consents to sharing personal health data to third parties through a mobile application, the information is no longer subject to HIPAA protections. To manage privacy expectations and improve the public’s willingness to participate in COVID-19 TACT surveillance systems, developers and policymakers must recognize the privacy risks and proceed with utmost transparency.