The Covid-19 pandemic has spawned a number of novel technologies aimed at suppressing the spread of the coronavirus. In China, for example, the most popular messaging and payment apps contain technology that requires a user to provide his or her national identity or passport number, cellphone number, travel history, and physical symptoms.
A centralized system analyzes the data and assigns a color code – red, amber or green – that signals whether a person may safely be admitted to a restaurant, an office building or other public place. It also assigns a QR code to users that indicates where the user has been in the last 14 days. A visit to a questionable location may result in denial of access. There is no public explanation of how the color codes are assigned or what other data is embedded in the QR code.
Other countries have rolled out similar contact-tracing apps, with mixed rates of adoption. In the United States, developers have been quick to promote such technologies, but state and local governments have so far been reluctant to commit to them. Instead, they appear for now to be planning to engage in traditional, labor-intensive contact tracing. New York, for example, has announced plans to hire as many as 17,000 contact tracers.
Meanwhile, employers are eager to adopt best practices for avoiding Covid-19 infections at their facilities as they resume operations. Facilities where workers must come into close contact with each other are especially apt to transform into Covid-19 hot spots. Contact-tracing technologies may help prevent the spread of Covid-19 at these places of business. However, existing and proposed privacy laws may pose some limitations on their use in the United States.
The Health Insurance Portability and Accountability Act (HIPAA) imposes strict privacy requirements on health providers and their associated entities. However, that law generally does not apply to companies that are not in the health care arena. Thus, if a frozen foods maker were to collect data regarding the blood temperatures of its employees, HIPAA would have nothing to say about it. Other privacy laws might.
Contact Tracing Apps: Centralized or Decentralized?
Public debate about contact tracing apps has focused on whether they should involve a centralized or decentralized database. A centralized system like the one in China might be more effective but also more subject to scope creep or to hacking that could threaten civil liberties or lead to massive identity theft.
Privacy advocates prefer decentralized tracing apps because, among other things, they do not involve the creation of a massive database that may be susceptible to compromise or misuse. They would prefer, for example, a system in which cell phones interacted with one another in providing warnings about Covid-19 rather than a system in which data about who was in proximity with whom would be uploaded to a central repository. Authorities might then use information from a centralized system to disseminate health warnings or for some purpose unrelated to public health.
In April, Apple and Google announced plans to collaborate on a Bluetooth technology that will enable a decentralized approach and allow for contact tracing across their platforms. The companies’ announcement suggests that they will look to others to develop the apps that utilize the new technology. These apps will cause cellphones to emit Bluetooth “chirps” that will be detected by phones in close proximity. Records of these encounters will be stored on the phones, but location data will not be.
When a user is diagnosed with Covid-19, public health authorities may then cause a message to be sent to those who have been in proximity to the patient warning those people of their recent encounter with a Covid-19 victim. The identity of the patient will not be disclosed. The codes used to identify a device will change frequently, thus protecting user privacy.
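The decentralized design described above can be sketched in a few lines of Python. This is an added illustration, not code from Apple, Google or any app mentioned here. The HMAC derivation, the 10-minute rotation, the `Phone` class and the step in which a diagnosed user's daily keys are published for on-device matching are all simplifying assumptions, not the published specification.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144  # assumption: the broadcast code rotates every 10 minutes

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the short code a phone broadcasts during one interval."""
    msg = b"chirp" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    """Hypothetical model of one handset; holds no location data."""

    def __init__(self, name: str):
        self.name = name
        self.daily_keys = {}  # day -> secret key; stays on the phone until a diagnosis
        self.heard = set()    # (day, code) pairs observed from nearby phones

    def chirp(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, secrets.token_bytes(16))
        return rolling_id(key, interval)

    def hear(self, day: int, code: bytes) -> None:
        self.heard.add((day, code))

    def report_diagnosis(self, days):
        """Release only this phone's own keys, never the list of phones it heard."""
        return [(d, self.daily_keys[d]) for d in days if d in self.daily_keys]

    def exposed_days(self, published):
        """Re-derive codes from published keys and match them locally."""
        hits = set()
        for day, key in published:
            if any((day, rolling_id(key, i)) in self.heard
                   for i in range(INTERVALS_PER_DAY)):
                hits.add(day)
        return sorted(hits)

def demo():
    # Constructed encounters: Bob is near Alice on day 3; Carol is only near Bob.
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    bob.hear(3, alice.chirp(3, 50))
    carol.hear(3, bob.chirp(3, 51))
    published = alice.report_diagnosis([2, 3, 4])  # Alice is diagnosed
    return bob.exposed_days(published), carol.exposed_days(published)
```

In this sketch the central party only ever sees the diagnosed user's keys. Who met whom is worked out on each phone, which is the property privacy advocates are asking for.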
Google and Apple intend to release APIs in May that will enable developers to create apps that conform to this standard. Later this year, they intend to build this capability into their cellphone operating systems, so that all Android and Apple phones with current OS updates will emit Bluetooth chirps.
The Google-Apple approach quickly gained support from privacy advocates worldwide and caused Germany to reverse course and commit to the same approach. France, meanwhile, is tussling with Apple over its refusal to cooperate with the French plan for contact tracing, which would be more centralized than Apple believes to be appropriate.
While the Google-Apple plan has been lauded as decentralized, that is not entirely correct. Apple’s FAQ no. 6 describes a system that will allow health officials to learn who has been in contact with a Covid-19 patient, requiring transmittal of data to a central repository. The system is sensitive to privacy concerns in that location data will not be included, Apple will not have access to the data, and it will not support targeted advertising. Apple intends to make it available only to highly credible public health entities. The system will be disabled when public health concerns no longer require it. Nonetheless, it has an element of centralization.
Apple has expressed concern about potential profiteering by newcomers to public health. Apple’s developer website indicates that it will only accept Covid-19 apps that are submitted from recognized entities such as government organizations, health-focused NGOs, companies deeply credentialed in health issues, and medical or educational institutions.
What’s an Employer to Do?
Contact tracing technology is more effective if its user base is large. The massive market share of Google and Apple makes it probable that apps based upon their collaboration will eventually be the gold standard, and Apple’s commitment to privacy is likely to ensure compliance with most US privacy laws if the system is used as intended.
Businesses that can’t wait for the rollout of apps using this standard should analyze existing apps with regard to these questions:
There are already contact tracing apps and devices on the market targeted at employers. When considering a rollout, companies should pay attention to the app’s data collection and sharing attributes. A survey published in April by the Future of Privacy Forum contains key information regarding six such apps. Many more are on the way.
Both the facts and the law in this area are changing rapidly. A group of four Republican senators announced a plan on April 30 to introduce the “Covid-19 Consumer Data Protection Act” that would:
The proposed legislation would be effective only while there is a declared public health emergency in place. Covered entities would be prohibited from collecting more data than is necessary, and the FTC will issue data minimization guidelines. The bill would preempt state law regulating the collection of data for Covid-19 purposes.
While it is not clear that this bill will become law, it sets out a roadmap of best practices when considering the use of a contact tracing app.
The Covid-19 crisis has triggered a new chapter in privacy law, where the concern for public health and the right to privacy conflict. Contact tracing apps are at the tip of the spear. Employers wishing to deploy them now to protect their employees should undertake a serious review of the privacy compliance aspects of the apps that they are considering.
Companies that can afford to wait for the rollout of apps designed around the Google-Apple alliance should, for the most part, be able to rely on the work that those companies are doing to protect privacy.