Balancing Privacy Rights and Public Health
BU Law experts Tiffany Li and Andrew Sellars argue privacy should be at the forefront of digital contact-tracing apps that can help identify and notify people who may have been exposed to COVID-19.
As government officials and technology companies began to consider how to use smartphone location data to track the spread of the novel coronavirus COVID-19 this spring, BU/MIT Technology Law Clinic Director Andrew Sellars posed a question to the email listserv of the BU Cyber Security, Law, and Society Alliance.
“Perhaps unsurprisingly, the idea that consumer location data could be used like this is met with a mix of concern, surprise, and alarm among most of my circles,” Sellars wrote, going on to ask whether it was possible “to keep data like this useful and anonymous at the same time.”
“Anyone have any good ideas or examples?” he asked.
In short: Yes. Less than three weeks later, a trio of BU computer scientists and engineers who are part of the alliance published “Anonymous Collocation Discovery: Harnessing Privacy to Tame the Coronavirus” (Sellars got a shout-out in the acknowledgements of the paper). And that paper, in turn, helped lead to the development of Private Automated Contact Tracing (PACT), a Bluetooth-enabled app that is designed to protect the privacy of everyone who uses it.
Contact tracing—identifying and notifying people who may have come in contact with someone who is sick—has long been used by public health professionals to combat the spread of deadly infectious diseases. But digital contact tracing through cell phone data is a new practice, and one that is being rapidly adopted by local, state, and national government officials in countries all around the world. Speedy interventions are necessary to keep people safe but also increase the potential for the misuse—or abuse—of massive amounts of personal data.
Sellars wasn’t alone in thinking about the implications of such technologies on privacy rights. In early April, Boston University School of Law Visiting Clinical Assistant Professor Tiffany C. Li penned a piece for Slate about privacy rights and digital contact tracing.
Although the essay has the provocative headline “Give All My Data to Google and the CDC,” Li’s argument, which contemplated how to protect constitutional rights in the middle of a global pandemic, was more nuanced than that.
“It really came down to thinking about how we could solve these public health problems without losing privacy as a value,” she says. “I don’t think those two things are mutually exclusive.”
So far, most digital contact-tracing technologies have fallen under two basic frameworks, according to Li: data is stored either under one centralized authority (usually a government) or on individual smartphones that communicate with each other in a decentralized manner. The PACT app, developed in partnership with researchers at the Massachusetts Institute of Technology and others, is a decentralized contact-tracing app.
There are potential pitfalls to both approaches.
“Some people are concerned that whoever the central authority is might abuse the data they collect, especially in countries without human rights protections,” Li says, adding that private companies can also misuse—or inadvertently disclose—the data running through their platforms and operating systems.
The biggest hurdle for any contact-tracing technology is winning people’s trust, Li and Sellars say.
“If people don’t trust the apps, if they don’t like the apps, if they don’t understand how to use the apps, that’s a really difficult problem to solve,” Li says. “You can design the app as privacy-preserving and efficacious as possible, but, if people don’t use it, it’s pointless.”
One problem in establishing trust is that the law hasn’t kept up with the kind of location data cell phones collect almost constantly, sometimes without users’ awareness or understanding. In December, the New York Times published “One Nation, Tracked,” an investigation that explored how supposedly anonymized location data can be used to identify and track specific people and the regulatory void in which the smartphone tracking industry began to proliferate.
Li and Sellars argue that even the legal concept of privacy needs to be reconceived.
“In the US, we mostly rely on the idea that, if you give people notice of what’s being done and the opportunity to consent, then an entity should be able to do almost whatever it wants to with the data,” Li explains.
But, because such notice usually comes in lengthy “Terms of Service” agreements, “consent is a bit of a fiction,” Sellars adds.
New data privacy laws could spell out explicitly what can be done and what cannot be done with data (like the laws governing the US Census, for instance). Or they could be premised on the concept of fiduciary duty, as proposed by a professor at Yale Law School, which would obligate companies that possess data to put the interests of the people the data came from above their own.
The idea behind privacy-preserving apps like the one developed by BU and MIT is to remove even the potential for abuse or misuse of data by building limits into the technology (in April, Apple and Google announced a contact-tracing collaboration that makes user privacy “central to the design”).
“If it’s done well, you wouldn’t have any data to disclose, or the data would be so incomprehensible except in this one particular context,” Sellars explains, adding that such technologies should be subjected to independent, third-party audits. “Social trust ends up being so important here. Anything you can do or show to demonstrate that the facilitator couldn’t harm you with this data even if they wanted to is something that’s going to be essential.”
No matter how advanced the technology, Sellars and Li argue digital contact tracing shouldn’t take the place of more traditional contact-tracing methods. In April, Massachusetts Governor Charlie Baker announced that his administration would deploy approximately 1,000 contact tracers in the state to call individuals who have been infected and ask them to self-quarantine.
“What we should be doing is not focusing on one or the other but on having both,” Li says. “We have decades of research on manual contact tracing showing that it can be effective. If we have something proven to be even slightly effective, we should continue doing that as opposed to turning all our resources to a digital method that we don’t know enough about.”