Privacy Concerns Abound with Contact Tracing App
On April 10, 2020, Apple and Google announced a joint effort to help the government and health agencies with a COVID-19 contact tracing app utilizing Bluetooth technology. While this announcement represents unprecedented cooperation between two of the wealthiest companies in the world, it also leaves businesses and private employers with yet another decision. Can or will you make your employees participate in the program? How about requiring customers to show proof of participation to enter your store?
However, before I dive into the controversy, let’s review contact tracing, what the app does and how it functions. The current contact tracing process requires the individual who tested positive to provide information about their recent activities. A public health worker then notifies the potentially impacted people to take appropriate action. The process requires us to know the people we have been in contact with recently. How can you possibly know everyone you have contacted at the grocery store, gas station or your hardware store?
This project uses technology to speed the notification process and to help identify the individuals we interact with but whose identities we do not know. The two-phase approach will use Bluetooth technology to send out a beacon with a random string of numbers that changes every 10-20 minutes. These numbers are stored on the user’s phone and compared daily to a list of updated beacon keys. If a match occurs, the user is notified and given options about reporting. View a simple illustration of the process below.
When the project was first launched many began to ask privacy-related questions. Who has access to the data? Does it track my daily movements? Can the data be used to personally ID an individual user?
The choice to participate is an individual one, but regarding privacy, Apple has a long history of maintaining its users’ privacy even when doing so is not popular. Apple is constantly asked by law enforcement officials to unlock iPhones of suspected terrorists and usually declines those requests over privacy concerns.
The companies have released detailed documents outlining the specifications and privacy requirements for software developers. Click here to view the documents. I will not pretend to understand everything covered in those documents, but I wanted to highlight the privacy requirement.
“Maintaining user privacy is an essential requirement in the design of this specification. The protocol maintains privacy by the following means:
- The Exposure Notification Bluetooth Specification does not use location for proximity detection. It strictly uses Bluetooth beaconing to detect proximity.
- A user’s Rolling Proximity Identifier changes on average every 15 minutes, and needs the Temporary Exposure Key to be correlated to a contact. This behavior reduces the risk of privacy loss from broadcasting the identifiers.
- Proximity identifiers obtained from other devices are processed exclusively on device.
- Users decide whether to contribute to exposure notification.
- If diagnosed with COVID-19, users must provide their consent to share Diagnosis Keys with the server.
- Users have transparency into their participation in exposure notification.”
I have bolded the protocols which concern most privacy experts and how they are proceeding. The first is the use of Bluetooth only, not paired with the phone’s GPS information to determine location. Second, the data is stored on the user’s phone rather than transmitted to a server, where it could lead to individual identification. The last two requirements put the user, not government or public health officials, in charge of notifications.
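To show how the rotating identifiers and on-device matching in the quoted requirements fit together, here is an added sketch that is not code from Apple, Google or the specification. It substitutes HMAC-SHA256 for the specification's actual key derivation, and the 10-minute interval, the 144 intervals per daily key, and every name and sample key are assumptions constructed for illustration.

```python
import hashlib
import hmac

INTERVAL_SECONDS = 600    # assumption: identifiers rotate on 10-minute intervals
INTERVALS_PER_KEY = 144   # assumption: one daily key covers 24 hours


def interval_number(unix_time: int) -> int:
    """Index of the rotation interval that contains unix_time."""
    return unix_time // INTERVAL_SECONDS


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """16-byte beacon value for one interval (HMAC stand-in, not the real derivation)."""
    msg = b"RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


def find_exposures(observed: set, published_keys: list) -> list:
    """On-device match: re-derive each published key's beacons, compare locally."""
    hits = []
    for idx, (key, first) in enumerate(published_keys):
        for interval in range(first, first + INTERVALS_PER_KEY):
            if rolling_identifier(key, interval) in observed:
                hits.append((idx, interval))
    return hits


# Constructed sample data: three phones with fixed keys for a repeatable run.
DAY_START = interval_number(1588291200)   # 2020-05-01 00:00:00 UTC
ALICE_KEY = bytes(range(16))
BOB_KEY = bytes(range(16, 32))
STRANGER_KEY = bytes(range(32, 48))
# Carol's phone stored only opaque beacons: Alice twice, a stranger once.
CAROL_OBSERVED = {
    rolling_identifier(ALICE_KEY, DAY_START + 50),
    rolling_identifier(ALICE_KEY, DAY_START + 51),
    rolling_identifier(STRANGER_KEY, DAY_START + 50),
}

if __name__ == "__main__":
    # Alice and Bob consent to publish their keys; the stranger does not.
    published = [(BOB_KEY, DAY_START), (ALICE_KEY, DAY_START)]
    print(find_exposures(CAROL_OBSERVED, published))
```

Carol's phone never uploads what it heard; it downloads the published keys and does the comparison itself, and the stranger's beacon stays unmatched because that key was never shared.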
The announcement of the project has also prompted the ACLU and various government entities to release statements and guidance on privacy/use. One topic of particular interest is private employers requiring their employees to participate. On May 1, 2020, Ropes & Gray, a global law firm, published a detailed document on the topic—click here to view.
They concluded, “private employers likely could lawfully mandate that employees utilize a contact-tracing app, provided that the mandatory program is administered in a manner that is no more intrusive than necessary to meet the legitimate business concern.” The ACLU has compared the requirement to use the app to drug testing as a condition of employment. Some have even speculated stores could require proof of the app as a condition to enter. On its face, it seems outlandish, but I never envisioned a time that I would be required to wear a mask to enter my bank.
For the app to be effective, about 60 percent of the population will need to use it consistently. Other countries have launched similar programs and could only get about half of the required number to participate voluntarily.