By Reed Turry, CIPP/US
Reed Turry, Certified Information Privacy Professional/United States and former Senior Online Editor of the Journal of Intellectual Property law, shares his insight into several of the major privacy and cybersecurity risks that consumers should be aware of when participating in COVID-19 public health measures.
As the world remains paralyzed by the COVID-19 pandemic, Americans find themselves desperate for a return to normalcy. Health experts, however, caution that this return will not happen unless the disease is properly extinguished through a widespread testing and contact tracing regime.[i] Leading scientists insist that combining a rigorous tracing program with testing will reduce transmission by 50-65%.[ii] It is unclear what a successful testing and tracing regime would actually look like. However, many of the ideas proposed by both the private and public sectors involve the collection of sensitive personal information thereby putting Americans’ privacy rights at risk. This leads to a collision between privacy rights and public health concerns. As data collection measures are implemented throughout the country, an important consideration for Americans is the potential impact to their personal privacy.
I. Contact Tracing: What Americans Can Expect
Public health authorities hope to swiftly identify and isolate potentially infected patients. To do so, authorities would likely need to thoroughly search individuals’ phone and medical records, beacons of our most sensitive personal information.[iii] To anticipate the surveillance steps that the US government may implement, Americans can look to other countries’ already established surveillance and tracing plans.
Many countries around the world are utilizing cell-phone data to analyze citizen movement patterns. For example, Belgium, Austria, and Italy signed a deal with telecommunications operators to collect anonymized location data, and Singapore developed an app for contract tracing which can identify people who have been in close proximity to coronavirus patients using Bluetooth technology.[iv] Other countries have gone a step further: South Korea is tracking individuals’ phones and credit card records and utilizing such data to allow others to check whether they may have crossed paths with any coronavirus patients; Israel approved a new measure that allows the government to track individuals’ phones without a court order.[v] Taking measures even further, the police in Noida, India are requiring installation of a contact tracing app, with violations punishable by law.[vi] Other countries are utilizing artificial intelligence. Poland, for example, developed an app that requires users to upload selfies, after which facial recognition and location data are assessed to ensure that the person has not violated quarantine orders.[vii]
To date, the most intrusive measures have not yet been implemented in the United States; however, technology companies such as Apple and Google have already begun partnering with state governments to conduct digital screening of patients through the collection of data on their symptoms, recent travel, location, age, and underlying health conditions.[viii] State governments are among the actors leading the push. In May, Georgia Governor Brian Kemp asked all citizens to schedule appointments to be screened for symptoms as part of a statewide testing campaign (the state screens citizens through an online application run by Augusta University and healthcare providers).[ix] Meanwhile, Utah recently developed a tracing app that uses phone location data to track infected people and anyone they may have had contact with in public.[x] With the widespread collection of health information increasingly common in the US, the question arises: what are Americans’ privacy rights and what risks are they facing?
II. Legal Rights & Other Risks
a) Law & Privacy
Though governments have an obligation to treat and control epidemics, increased surveillance measures will be inappropriate unless the government can show that the measures implemented are provided for by law, are necessary, proportionate, time-bound, and implemented with transparency and adequate oversight.[xi] By sacrificing privacy rights during this crisis, Americans run the risk of never gaining them back as evidenced by the renewal of the post-9/11 Patriot Act long after the 2001 attacks.[xii]
While many Americans would likely agree to provide anonymized information,[xiii] the risk of privacy being compromised increases substantially through the collection of personally identifiable information, or information that when used alone or with other relevant data can identify an individual.[xiv] Additionally, the risk is increased if technology companies retain the information collected for a longer duration of time than is necessary or if the companies share the information with third parties.[xv]
Americans might think that because of its sensitivity, health information is likely to be given heightened protection. However, the leading health privacy law, the Health Information Privacy Protection Act (“HIPPA”), includes language that allows federal officials to waive privacy rules in case of a public health crisis.[xvi] This specific scenario is currently being played out as the Department of Health and Human Services has already indicated that the Privacy Rule is to be suspended during this crisis, allowing patient information to be shared.[xvii] Additionally, a provision under HIPPA at play in this crisis permits health care providers to share patient information necessary to prevent or lessen a serious and imminent threat to the health and safety of the public.[xviii] Lastly, HIPPA was originally enacted in the 1990s, before the dot-com boom so it only applies to healthcare providers.[xix] This limitation means that Google, Facebook, Apple, and other technology companies are not “covered entities” under the law, despite the fact that they are readily collecting health information during this time, and thus have no amplified obligation for health information gathered on their platforms.[xx]
While HIPPA does not apply in some areas, various state laws may, such as the California Consumer Privacy Act (“CCPA”).[xxi] Under the CCPA, most apps will be required to provide consumers with a notice of the types of information collected and the purposes for their collection.[xxii] Additionally, consumers have the right to opt-out of the sale of this information and request deletion of personal information collected.[xxiii] However, collection of de-identified information, information that does not tie to a particular person, shields companies from CCPA liability as long as they implement technical safeguards and business processes that prohibit re-identification of the consumer to whom the information pertains.[xxiv]
b) Cybersecurity Risks
Americans’ privacy is at even greater risk when considering the fact that largescale collection of personal data increases the likelihood of cyber intrusions, particularly when considering the potential value of the information.[xxv]Cybercriminals are already targeting and undermining organizations vital to the pandemic response such as the World Health Organization and the U.S. Department of Health and Human Services.[xxvi]
While many technology companies insist that they only share information with public health entities, consumers are still put at increased risk, as these authorities and entities are consistently being targeted by cybercriminals.[xxvii]Additionally, entities within the healthcare industry remain particularly vulnerable.[xxviii] For example, 83% of all medical imaging devices run out-of-date operating systems.[xxix] This makes them particularly susceptible to a data breach. In fact, nearly ¼ of all phishing data breaches in 2019 occurred in the healthcare industry.[xxx] This fact, when combined with the increased focus that cybercriminals are placing on organizations involved with the pandemic response, makes Americans’ sharing of health information particularly risky.
III. Be Aware: Read the Fine Print
While most applications generally require users to consent to sharing their location data[xxxi], users often click “accept” without reading the fine print.[xxxii] One pre-pandemic study showed that 91% of consumers consent to legal terms and services without reading them.[xxxiii] In fact, many platform users may be already sharing their information for pandemic planning purposes without even knowing. For example, Facebook collects data from users who have already opted into sharing their location when using the Facebook smartphone app.[xxxiv] Recently, Facebook began sharing this data with academic and nonprofit researchers analyzing the spread of the coronavirus as part of its “Disease Prevention Maps” program.[xxxv] While Facebook insists that the data does not personally identify users[xxxvi], many users may be completely unaware that their data is being used for this purpose. Considering Facebook’s previous privacy controversies with Cambridge Analytica, some Americans may be uncomfortable with Facebook using their information in this manner.[xxxvii]
Google’s “Project Baseline” (via Alphabet sister company Verily) aims to screen survey users for coronavirus symptoms and refer them to testing appointments.[xxxviii] In order to begin the survey, users must sign in with their Google account, essentially linking the survey with users’ personally identifiable account information.[xxxix] Users must consent to the program’s authorization letter which states that the data collected will never be joined with other data provided in Google products without user consent.[xl] What this future user consent looks like is uncertain. Google could theoretically permit sharing of this data through your future acknowledgment of an updated Gmail privacy policy, which many Americans are unlikely to read.[xli] Even still, the current Verily privacy policy does not prevent all sharing of information as the authorization acknowledges that data collected through this program will be shared with “federal state and local health authorities and other entities that assist with the testing program.”[xlii] These “other entities” are not specified and include “service providers engaged to perform services on behalf of Verily, including Google.”
The reality is that a crisis is a prime opportunity for the rolling out of untested new technologies with the usual oversight tossed out in the name of public safety.[xliii] Americans are going to have different responses to this information. Many users will likely not object to sharing their health information with public health authorities (including government entities), considering it to be worthwhile to help the public health response. Some may hesitate, choosing not to provide information because of concerns regarding the security of their personal information. Others may choose to provide information in this limited emergency circumstance, but be more vigilant in the future, watching to ensure that this technology doesn’t creep into everyday life. In any event, users should read privacy policies closely before filling out any symptom survey or downloading any app, to ensure that users are aware of the potential risks to their personal privacy before deciding whether to participate going forward.
[i] Maggie Fox, ‘We Need An Army’: Hiring of Coronavirus Trackers Seen as Key to Curbing Disease Spread, STAT (Apr. 13, 2020), https://www.statnews.com/2020/04/13/coronavirus-health-agencies-need-army-of-contact-tracers/.
[ii] Adam J. Kucharski et al, Effectiveness of Isolation, Testing, Contact Tracing, and Physical Distancing on Reducing Transmission of SARS-CoV-2 in Different Settings, MedRxIV (Apr. 29, 2020), https://www.medrxiv.org/content/10.1101/2020.04.23.20077024v1.full.pdf.
[iii]Casey Ross, After 9/11, We Gave Up Privacy For Security. Will We Make the Same Trade-Off After COVID-19?, STAT (Apr. 8, 2020), https://www.statnews.com/2020/04/08/coronavirus-will-we-give-up-privacy-for-security/.
[iv]10 Countries Are Now Tracking Phone Data as the Coronavirus Pandemic Heralds A Massive Increase in Surveillance, Bus. Insider, https://www.businessinsider.in/undefined/slidelist/undefined.cms#slideid=74744865 (last visited May 8, 2020).
[v]Id.
[vi]Pranav Dixit, An Entire City Has Been Told To Download A Controversial Contact Tracing App- Or Face Jail, Buzzfeed News(May 6, 2020 at 10:52 AM), https://www.buzzfeednews.com/article/pranavdixit/india-coronavirus-aarogya-setu-noida-contact-tracing.
[vii]COVID-19, Surveillance and the Threat to Your Rights, Amnesty Int’l. (Apr. 3, 2020, 2:58 PM), https://www.amnesty.org/en/latest/news/2020/04/covid-19-surveillance-threat-to-your-rights/.
[viii]Ross, supra note 3.
[ix]Greg Bluestein & Tamar Hallerman, With More Virus Test Supplies, Kemp Urges All Georgians to be Screened, Atlanta J. Const., (May 7, 2020), https://www.ajc.com/news/state–regional-govt–politics/with-more-virus-test-supplies-kemp-urges-all-georgians-screened/eC9sNh6Yck2aLncOU8wuFP/.
[x]Erin Burnett OutFront (CNN television broadcast May 7, 2020).
[xi]Supra, note 7.
[xii]Ross, supra note 3.
[xiii]Id.
[xiv]Jake Frankenfield, Personally Identifiable Information (PII), Investopedia (Jul. 9, 2019), https://www.investopedia.com/terms/p/personally-identifiable-information-pii.asp.
[xv]Data Risk in the Third-Party Ecosystem, Ponemon Inst. (Sept. 2017), https://cdn2.hubspot.net/hubfs/2575983/Ponemon_report_Final%20(1).pdf (data breaches caused by third parties are on the rise).
[xvi]Ross, supra note 3.
[xvii]Notification of Enforcement Discretion Under HIPPA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19, DHS,https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf (last visited May 8, 2020).
[xviii]Julie A. Sullivan et al, Sharing Protected Health Information During the COVID-19 Public Health Crisis, Natl. L. Rev. (Mar. 19, 2020), https://www.natlawreview.com/article/sharing-protected-health-information-during-covid-19-public-health-crisis.
[xix]Ross, supra note 3.
[xx]Supra, note 9.
[xxi]Mobile Applications for COVID Tracking & Tracing – Balancing the Need for Personal Information and Privacy Rights in the Time of Coronavirus, Crowell Moring LLP (Apr. 15, 2020), https://www.crowell.com/NewsEvents/AlertsNewsletters/all/Mobile-Applications-For-COVID-Tracking-Tracing-Balancing-the-Need-for-Personal-Information-and-Privacy-Rights-in-the-Time-of-Coronavirus.
[xxii]Id.
[xxiii]Id.
[xxiv]Id.
[xxv]Stark & Stark, COVID-19: Balancing Privacy Laws and Privacy Rights with Public Welfare, Natl. L. Rev. (Mar. 16, 2020), https://www.natlawreview.com/article/covid-19-balancing-privacy-laws-and-privacy-rights-public-welfare.
[xxvi]King & Spalding LLP, Be Prepared: COVID-19 Security Incidents Are Coming Webinar (Apr. 8, 2020).
[xxvii]Kat Jerich, Cybercriminals Are ‘Already Taking Advantage’ of the COVID-19 Crisis, Healthcare IT News (May 7, 2020, 3:14 PM), https://www.healthcareitnews.com/news/cyber-criminals-are-already-taking-advantage-covid-19-crisis.
[xxviii]Aaron F. Brantly, The Cybersecurity of Health, Council on Pub. Rel. (Apr. 8, 2020), https://www.cfr.org/blog/cybersecurity-health.
[xxix]Id.
[xxx] Kat Jerich, supra note 27.
[xxxi] Burnett, supra note 10.
[xxxii]Caroline Cakebread, You’re Not Alone, No One Reads Terms of Service Agreements, Bus. Insider (Nov. 15, 2017, 7:30 AM), https://www.businessinsider.com/deloitte-study-91-percent-agree-terms-of-service-without-reading-2017-11
[xxxiii] Id.
[xxxiv]Rebecca Robbins, Can Location Data From Smartphones Help Slow the Coronavirus? Facebook is Giving Academics a Chance to Try, STAT (Mar. 24, 2020), https://www.statnews.com/2020/03/24/facebook-location-data-coronavirus-spread/.
[xxxv]Id.
[xxxvi]Facebook Data for Good, Facebook, https://dataforgood.fb.com/approach/ (last visited May 8, 2020).
[xxxvii]Robbins, supra note 34.
[xxxviii]Baseline COVID-19 Testing Program, Project Baseline by Verily, https://www.projectbaseline.com/study/covid-19/(last visited May 8, 2020).
[xxxix]Id.
[xl]COVID-19 Public Health Program Authorization Form, Project Baseline by Verily, https://baseline.google.com/enroll/u/1/study/registry/consent?tag=covid19mtch&hl=en-US (last visited May 8, 2020).
[xli]Faine Greenwood, Google Wants Your Data in Exchange for a Coronavirus Test, Foreign Policy (Mar. 30, 2020, 3:45 PM), https://foreignpolicy.com/2020/03/30/google-personal-health-data-coronavirus-test-privacy-surveillance-silicon-valley/ (“this wording implies that Google may ask you to give permission at some point in the future and it almost certainly will because Google is well aware of the immense value of joining different huge data sets together”).
[xlii]Id.
[xliii]Id.