This piece first appeared on Just Security.

If asked to give up their privacy in the interests of stemming the coronavirus, many Americans might be inclined to say yes. But the answer requires more nuance, both because there are serious tradeoffs to be made, and because sacrificing privacy may actually backfire.

Consider, for example, serious discussions reportedly underway between the tech industry and the White House over how our cellphone location data might be used to help in the fight against COVID-19.  Having defended privacy for 100 years, we at the American Civil Liberties Union recognize that in extraordinary times, different balances may be warranted. The virus poses grave risks, so we should not write off tools that might help mitigate the problem. But we should be skeptical about calls to embrace Chinese-style tracking as a helpful measure in the current emergency. And any uses need to incorporate privacy protections if they are not going to be counterproductive.

Some have suggested, for example, that companies might share anonymized, aggregate data to help epidemiologists answer questions such as how many people are moving between adjacent neighborhoods, towns, or states each day. Anonymization alone does not solve all privacy problems; such data can often be re-identified, for example, by tracing a person’s movements to their home and workplace. On the other hand, given the urgency of our situation, analysis of aggregate data by companies might prove valuable if it comes with strict safeguards.

There may also be other privacy-protective ways that we could make use of individualized location data once we get beyond the current world of universal social distancing and hospitals in crisis. Some experts say that we may enter a phase of chronic, lower-level waves of infection where traditional epidemiological contact tracing and targeted isolation once again become a principal means of combatting the disease. In this mode, some countries have used location data in cooperation with those who are infected to help them retrace their movements, and provide the public with lists of places and times where infected people have been each day so people can determine for themselves whether they might have been exposed.

But the risk is that without the strongest privacy safeguards, such uses of location data may deter people from stepping forward and getting tested for COVID-19 in the first place—and that serves no one’s interest. South Korea’s program, for example, which lacks such safeguards, has left many people more afraid of social humiliation than of the disease itself.

If location data is to be used, there must be strict policies ensuring that, whenever possible, the patient has consented to such uses; minimizing any data sharing; requiring deletion of the data when there is no longer a need to hold it; and, where it is anonymized, ensuring that no effort be made to re-identify it. If the government obtains any data, it must be fully transparent about what data it is acquiring, and from where, and how it is using that data. Any programs should come with clear sunsets to ensure they don’t outlive the effort against COVID-19.

If we are to deploy location data for public health, policies must also ensure that it’s not used for any purposes beyond that effort. In particular, it should not be used for punitive or law enforcement purposes. Public health experts have found that a law enforcement approach to combatting disease typically sparks counterproductive resistance and evasion, and tends to sour the relationship between citizens and their government at a time when trust is of paramount importance. Good public health measures leverage people’s own incentives to report disease and help stop its spread.

Overall, good privacy protections are vital for engendering public trust, which is vital to an effective fight against the pandemic. The lack of such safeguards risks having the opposite effect.We should also not overestimate the effectiveness of location data in fighting COVID-19 — and should be especially leery of indiscriminate mass collection of location data. The urgent need at the moment, according to public health experts, is to ramp up testing capability, suppress transmission through social distancing measures, and ready our under-prepared hospitals for a mass influx of patients who can’t breathe. We are not hearing a cry from the public health profession for phone tracking — and the last thing we want to do is divert attention, expertise, and financial resources from these critical tasks.

That’s not stopping self-interested, privacy-invading private companies from embracing the coronavirus epidemic as a way to market their products, legitimize their activities, and launder their reputations. Some of those companies engage in mass location tracking without individuals’ meaningful awareness or consent and for questionable purposes. They would no doubt love to normalize these practices and cement them in American life. We should also be closely scrutinizing any government attempts to exploit this crisis to grab additional surveillance powers not necessary for defeating COVID-19.

But even if we had more trust in the companies that are pitching these proposals, there would be significant practical and legal problems with using Americans’ mass location records to fight this disease. Technology and policy experts are saying that the tools the government might use to monitor the public’s movements and interactions won’t work against the virus. Unlike China, we do not have or want a comprehensive system for accurate tracking of every person. The data that exists is dispersed among different companies that collect it using a variety of technologies and that store it in different formats. The government would also face steep legal hurdles in demanding access to any location data.

Cell phone location data is also often unreliable. Anybody who has opened a map application only to discover that their phone thinks they are two blocks away from where they’re standing understands that this is true. Even China reportedly found that location data calculated through cell-tower triangulation generated too many false positives and was wasting manpower. This is yet another reason that government officials need to listen to stakeholders and technologists who are not trying to promote private companies’ interests in infection control programs.

We are facing a terrible crisis, and Americans are rightly frightened. Times of emergency require a different weighing of privacy considerations. We need to seriously consider how technology can help us—but we also need to make sure that, when we’ve made it past this crisis, our country isn’t transformed into a place we don’t want to live.

Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy, and Technology Project

The COVID-19 coronavirus outbreak that has ravaged our nation and world has had many jarring moments. For parents and their children, one of those came with the mass closing of our schools. Tens of millions of children faced having their educations grind to a halt, including 1.1 million children in New York City’s public schools alone — a number which includes two of my own.

While Americans have grown understandably weary of the tech industry, which repeatedly puts its profits ahead of Americans’ personal privacy, recent offers by companies like Google (via its Google Classroom app) and GoGuardian to provide their remote learning platforms to students for free during the pandemic seemed like a godsend. After all, it would enable U.S. students, at no cost, to continue to learn from the safety of their own homes. 

Maybe the tech industry tiger is changing its stripes. Or maybe the tech industry devil just glued a fake halo on top of its horns. The answer to that question all depends on whether they will insist on undermining students’ privacy as a condition of helping them.

For years, the ACLU has expressed concerns about how the tech industry’s educational products — often classified under the name EdTech — are used to gather massive amounts of highly personal student information. Further, some of these products troublingly enable EdTech companies and schools to spy on students despite no evidence of wrongdoing — a practice that further exacerbates the over-disciplining of students of color. We at the ACLU have launched national efforts to encourage states to pass laws protecting student privacy, offered suites of model bills to assist their efforts, and spoken out against ever-increasing student privacy invasions.

Now that the COVID-19 pandemic has created an unprecedented opportunity for EdTech companies to make the use of their privacy-violating educational products nearly universal, there is a real risk that these companies, under the guise of a generous act, will use this opportunity to create personal information dossiers on an entire generation of young Americans.

One could argue that such an interpretation is very cynical; it is a textbook example of looking a gift horse in the mouth. Perhaps it is. In fairness, the tech industry has made trillions of dollars giving away “free” products that are not actually free: Americans, knowingly or unknowingly, pay for their products by giving them troves of personal information, which the companies then use to make staggering profits.

The good news is that Americans and their governments should not — and do not have to — feel trapped into choosing between students’ education and privacy rights. There is a simple, four-part approach governments and school districts can and should take when accepting (or continuing to use) the “free” remote learning platforms EdTech companies like Google and GoGuardian have offered.  If these EdTech companies are truly acting in the best interests of students and teachers here, they shouldn’t object at all.

It’s as simple as this:

Step One: To the extent these remote learning platforms are being provided for free specifically to help students learn remotely, that is a wonderful act and should be appreciated. Let’s start by thanking these EdTech companies for their generosity.

Step Two: Use of these “free” remote learning platforms, which will likely feel mandatory for students and families during this crisis, should not be conditioned on students allowing EdTech companies to gather up and retain their private and personal information. Governments, including school districts, should insist EdTech companies limit their personal information gathering to only what is directly necessary for their platforms’ remote learning functionality. Moreover, these EdTech companies should be required to expunge all the personal information they gather during this crisis when it resolves, unless a student specifically opts-in to it being retained (via a clear, post-crisis request, and not as part of a broad user agreement they sign now under pressure).

Step Three: Governments and school districts should insist EdTech companies disable any surveillance functions that may accompany their remote learning platforms, including communications and social media monitoring, keyword alerts, and web filtering functions.  Students and their families need these platforms to learn at home, not to allow companies and school districts to spy on them; receiving the former should not be conditioned on exposing oneself to the latter.

Step Four:  To ensure the EdTech companies keep their promises, they should consent to government auditing of their compliance after the pandemic subsides.
If the EdTech companies are truly providing their remote learning platforms for free to help students and their families during this terrible and challenging time, they should have no problem instantly agreeing to these conditions.  If they balk, we will know they are once again the devil in disguise.

Chad Marlow, Senior Advocacy and Policy Counsel, ACLU