This piece first appeared on Just Security.
If asked to give up their privacy in the interests of stemming the coronavirus, many Americans might be inclined to say yes. But the answer requires more nuance, both because there are serious tradeoffs to be made, and because sacrificing privacy may actually backfire.
Consider, for example, serious discussions reportedly underway between the tech industry and the White House over how our cellphone location data might be used to help in the fight against COVID-19. Having defended privacy for 100 years, we at the American Civil Liberties Union recognize that in extraordinary times, different balances may be warranted. The virus poses grave risks, so we should not write off tools that might help mitigate the problem. But we should be skeptical about calls to embrace Chinese-style tracking as a helpful measure in the current emergency. And any uses need to incorporate privacy protections if they are not going to be counterproductive.
Some have suggested, for example, that companies might share anonymized, aggregate data to help epidemiologists answer questions such as how many people are moving between adjacent neighborhoods, towns, or states each day. Anonymization alone does not solve all privacy problems; such data can often be re-identified, for example, by tracing a person’s movements to their home and workplace. On the other hand, given the urgency of our situation, analysis of aggregate data by companies might prove valuable if it comes with strict safeguards.
There may also be other privacy-protective ways that we could make use of individualized location data once we get beyond the current world of universal social distancing and hospitals in crisis. Some experts say that we may enter a phase of chronic, lower-level waves of infection where traditional epidemiological contact tracing and targeted isolation once again become a principal means of combatting the disease. In this mode, some countries have used location data in cooperation with those who are infected to help them retrace their movements, and provide the public with lists of places and times where infected people have been each day so people can determine for themselves whether they might have been exposed.
But the risk is that without the strongest privacy safeguards, such uses of location data may deter people from stepping forward and getting tested for COVID-19 in the first place—and that serves no one’s interest. South Korea’s program, for example, which lacks such safeguards, has left many people more afraid of social humiliation than of the disease itself.
If location data is to be used, there must be strict policies ensuring that, whenever possible, the patient has consented to such uses; minimizing any data sharing; requiring deletion of the data when there is no longer a need to hold it; and, where it is anonymized, ensuring that no effort be made to re-identify it. If the government obtains any data, it must be fully transparent about what data it is acquiring, and from where, and how it is using that data. Any programs should come with clear sunsets to ensure they don’t outlive the effort against COVID-19.
If we are to deploy location data for public health, policies must also ensure that it’s not used for any purposes beyond that effort. In particular, it should not be used for punitive or law enforcement purposes. Public health experts have found that a law enforcement approach to combatting disease typically sparks counterproductive resistance and evasion, and tends to sour the relationship between citizens and their government at a time when trust is of paramount importance. Good public health measures leverage people’s own incentives to report disease and help stop its spread.
Overall, good privacy protections are vital for engendering public trust, which is vital to an effective fight against the pandemic. The lack of such safeguards risks having the opposite effect.We should also not overestimate the effectiveness of location data in fighting COVID-19 — and should be especially leery of indiscriminate mass collection of location data. The urgent need at the moment, according to public health experts, is to ramp up testing capability, suppress transmission through social distancing measures, and ready our under-prepared hospitals for a mass influx of patients who can’t breathe. We are not hearing a cry from the public health profession for phone tracking — and the last thing we want to do is divert attention, expertise, and financial resources from these critical tasks.
That’s not stopping self-interested, privacy-invading private companies from embracing the coronavirus epidemic as a way to market their products, legitimize their activities, and launder their reputations. Some of those companies engage in mass location tracking without individuals’ meaningful awareness or consent and for questionable purposes. They would no doubt love to normalize these practices and cement them in American life. We should also be closely scrutinizing any government attempts to exploit this crisis to grab additional surveillance powers not necessary for defeating COVID-19.
But even if we had more trust in the companies that are pitching these proposals, there would be significant practical and legal problems with using Americans’ mass location records to fight this disease. Technology and policy experts are saying that the tools the government might use to monitor the public’s movements and interactions won’t work against the virus. Unlike China, we do not have or want a comprehensive system for accurate tracking of every person. The data that exists is dispersed among different companies that collect it using a variety of technologies and that store it in different formats. The government would also face steep legal hurdles in demanding access to any location data.
Cell phone location data is also often unreliable. Anybody who has opened a map application only to discover that their phone thinks they are two blocks away from where they’re standing understands that this is true. Even China reportedly found that location data calculated through cell-tower triangulation generated too many false positives and was wasting manpower. This is yet another reason that government officials need to listen to stakeholders and technologists who are not trying to promote private companies’ interests in infection control programs.
We are facing a terrible crisis, and Americans are rightly frightened. Times of emergency require a different weighing of privacy considerations. We need to seriously consider how technology can help us—but we also need to make sure that, when we’ve made it past this crisis, our country isn’t transformed into a place we don’t want to live.
Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy, and Technology Project