A well-designed, widely-used COVID-19 contact-tracing tool could offer public health benefit, the American Civil Liberties Union (ACLU) says, but a poorly designed one could pose unnecessary and significant risks to privacy, civil rights, and civil liberties.
Apple and Google last week announced a joint contact tracing effort that would use Bluetooth technology to help alert people who have been in close proximity to someone who tested positive for COVID-19. Similar proposals have been put forward by an MIT-associated effort called PACT as well as by multiple European groups.
These proposals differ from the traditional public health technique of “contact tracing” to try to stop the spread of a disease. In place of human interviewers, they would use location or proximity data generated by mobile phones to contact people who may have been exposed.
While some of these systems could offer public health benefits, they may also cause significant risks to privacy, civil rights, and civil liberties. If such systems are to work, there must be widespread, free, and quick testing available. The systems must also be widely adopted, but that will not happen if people do not trust them. For there to be trust, the tool must protect privacy, be voluntary, and store data on an individual’s device rather than in a centralized repository.
To help distinguish between the two, the ACLU is publishing a set of technology principles against which developers, the public, and policymakers can judge any contact tracing apps and protocols…
These policies, at a minimum, should include:
• Voluntariness — Whenever possible, a person testing positive must consent to any data sharing by the app. The decision to use a tracking app should be voluntary and uncoerced. Installation, use, or reporting must not be a precondition for returning to work or school, for example.
• Use Limitations — The data should not be used for purposes other than public health — not for advertising and especially not for any punitive or law enforcement purposes.
• Minimization — Policies must be in place to ensure that only necessary information is collected and to prohibit any data sharing with anyone outside of the public health effort.
• Data Destruction — Both the technology and related policies and procedures should ensure deletion of data when there is no longer a need to hold it.
• Transparency — If the government obtains any data, it must be fully transparent about what data it is acquiring, from where, and how it is using that data.
• No Mission Creep – Policies must be in place to ensure tracking does not outlive the effort against COVID-19.
MacDailyNews Take: Read more in the ACLU’s full contact-tracing article.
We know Apple and Google, like most everyone else, want to “do something,” but the ACLU’s contact-tracing concerns aside, the companies shouldn’t waste their time on “solutions” that are destined to fail due to technical issues (Bluetooth can travel through drywall, public transportation, etc.) and lack of compliance (Singapore, where people follow the rules, has a COVID-19 contact-tracing app which has been installed by just 12% of the population. That’s at least 48% short of “digital herd immunity.” In Singapore, no less.)
No matter how well-designed the system is on paper, in practice too few people will install and use it*, while reliance on Bluetooth connectivity (range, materials penetrance, public transport, etc.) will result in myriad false positive issues.
This seems like something designed to provide a digital security blanket to help increase confidence for going back to work more than anything else.
*Beyond the obvious constitutional rights issues, 18% of the U.S. population, or nearly 1-in-5 people, do not even have a smartphone. So, with one of every five people roaming about by default, not to mention all of the opt-outs, contact-tracing via iOS and Android smartphones would be more of a feel-good security blanket than a useful, working system.