Contact Tracing, Privacy and COVID-19

On a normal day, I’m excited when technology helps solve real-world problems – of course, these days are anything but normal. In response to the pandemic, technology companies are testing groundbreaking solutions with a more somber purpose – to save lives. Digital contact tracing is one of these emerging technologies, using mobile devices, data management, automation and analytics.

A little primer on this technology: imagine having your mobile phone notify you that you have come in contact with someone who tested positive for COVID-19. The technology that will be rolling out in the next release of the Apple iOS and Android operating systems will do just that. This is an automated way to perform what is being referred to as “Contact Tracing.”

What is Contact Tracing? 

Contact tracing, according to the CDC, is “a core disease control measure employed by local and state health department personnel for decades” and “a key strategy for preventing further spread of COVID-19.” Using a variety of techniques, contact tracing identifies people who are carrying infectious diseases as well as the people they may have exposed.

How does Digital Contact Tracing Work? 

Most mobile operating systems, including iOS and Android, support a protocol called Bluetooth Low Energy, otherwise known as Bluetooth LE or BLE. What does BLE do? I’m going to limit the tech speak in this blog, but mobile phones continually transmit information like a beacon. This technology is already being used by some stores and other places when you visit them physically. Our devices also use BLE to share information and connect to other BLE devices. At a fundamental level, this is how digital contact tracing, also known as exposure notification, works.

Let me repeat that: We – through our phones – are already sharing information with each other. You need to be aware of this.

As the world comes together to try to stop the spread of COVID-19, the idea to allow mobile phones to talk to each other and share relevant information with public health officials and the public itself is a natural evolution of existing technology. Here’s how the process will likely work in the United States:

  1. When phones with digital contact tracing systems are in close proximity, they exchange information (random contact IDs) with each other via Bluetooth.
  2. If a user self-reports a confirmed diagnosis of COVID-19, the system will ask for consent to transmit random IDs to the cloud. This is where the information can be accessed by public health officials.
  3. Users in recent close proximity to the infected user will be notified that they may have been exposed to COVID-19.
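A simplified model of the three steps above, added here as an illustration; it is not code from this post and not Apple's or Google's implementation. The class and function names, the 16-byte ID size, the in-memory `cloud` set and the on-device matching are all assumptions of the model.

```python
import secrets

class Phone:
    """Toy model of a handset running an exposure-notification app (hypothetical)."""

    def __init__(self, owner):
        self.owner = owner       # stays on the device, never broadcast
        self.sent_ids = []       # random contact IDs this phone has broadcast
        self.heard_ids = set()   # random contact IDs received from nearby phones

    def broadcast(self):
        # Step 1: a fresh random ID per broadcast; it carries no name,
        # phone number or location (16 bytes is an assumed size).
        rid = secrets.token_bytes(16)
        self.sent_ids.append(rid)
        return rid

    def hear(self, rid):
        self.heard_ids.add(rid)

    def report_positive(self, cloud, consent):
        # Step 2: the phone's own IDs are uploaded only with consent.
        if consent:
            cloud.update(self.sent_ids)
        return consent

    def check_exposure(self, cloud):
        # Step 3: matching runs on the device against the published IDs
        # (assumed design), so the server never learns who met whom.
        return bool(self.heard_ids & cloud)


def meet(a, b):
    """Two phones in Bluetooth range swap their current random IDs."""
    b.hear(a.broadcast())
    a.hear(b.broadcast())


def simulate():
    cloud = set()  # stand-in for the public-health server's list of reported IDs
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    meet(alice, bob)     # Alice and Bob were in close proximity
    carol.broadcast()    # Carol was never near Alice
    alice.report_positive(cloud, consent=True)
    return {p.owner: p.check_exposure(cloud) for p in (alice, bob, carol)}, cloud
```

In this model the server only ever holds opaque random values, and only Bob, who was near Alice, finds a match.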

Who is Developing Exposure Notification Systems? 

On April 10, Apple and Google announced a joint venture to work on contact tracing and exposure notification technology. According to Apple, this is a two-pronged approach. 

“First, in May, both companies will release APIs that enable interoperability between Android and iOS devices using apps from public health authorities. These official apps will be available for users to download via their respective app stores.

Second, in the coming months, Apple and Google will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms.”

In the next release of iOS 13.5, the API that will enable interoperability between Apple and Android devices will become active. In fact, it looks as if iOS 13.5 will have an entire fleet of COVID-19 features and is being dubbed “The COVID version” by industry watchers. (Side Note: FaceID may work better with a mask on!) As of last week, the first version of the exposure notification API has been released to a select group of developers for testing and feedback. The public release is anticipated mid-May. 

Should We Be Concerned About Privacy? 

Understandably, this topic brings up concerns about security and privacy. As a potential user, an employer and CEO of an IT security firm, I share the concern. I also have a responsibility to our clients and employees to perform due diligence before enabling, recommending or even talking about a new technology. We don’t have all the answers yet, but here are my thoughts based on what we do know:

Contact Tracing Apps Are Not Designed to Share Individually Identifying Information 

First, the term “random contact IDs” can cause alarm if not clearly defined. Contrary to what it sounds like, the information shared via Bluetooth from a contact tracing app is not tied to specific information that can identify you as an individual. I want to keep an eye on this.

Apple’s Involvement Should Be Reassuring 

Second, I’m reassured by Apple’s leading role in the effort to develop this technology. Apple isn’t perfect – I’m not a complete Apple fanboy – but I do admire their commitment to privacy. Apple’s revenue stream is not dependent upon selling my personal data to advertisers, unlike Google and Facebook.

In addition, Apple is very careful about what information it allows apps to leak without your permission. Google’s Android OS, on the other hand, leaks data left and right and that’s bothersome to me. We’ve seen far too many nefarious methods used by these firms in the past to collect and share information on users. There have been poor controls and limited transparency on what user data is shared, where it’s stored and who has access to it. Let’s not forget about Cambridge Analytica. For me, knowing that Apple is involved alleviates some, albeit not all, of my concern.

What are the legal ramifications?

As an employer, I recognize the potential for concern over liability and employment practices. Emerging technology often challenges legal precedent. Since this isn’t my area of expertise, I’m now happy to turn this blog over to my far more qualified friend and co-author, Dan. By way of introduction, Daniel A. Schwartz is a Labor & Employment Law Partner at Shipman & Goodwin LLP and a preeminent employment law blogger. He has maintained the award-winning Connecticut Employment Law Blog since 2007 and is now on the forefront of navigating these legal waters.

A Legal Perspective from Daniel Schwartz

The use of the term “legal waters” has been more like a tsunami of late. I share Chris’s view of both excitement and natural skepticism with this technology. Employers may jump at the chance to turn this technology “on” in the workplace. Imagine that employers can quickly and easily find out who Employee X has been near during the last several days. Employers could then isolate those individuals more easily than having to shut down a department for fear of exposure. 

But such technology raises important privacy and employment concerns covered – in direct and indirect ways – by existing laws. For example, Connecticut has an electronic monitoring law that requires that employers provide notice to employees on the methods they are using to track employees. California is in the midst of rolling out a fairly broad data privacy law that requires that employers take great care with the information they collect and obtain consent where possible.

And then think of the scenario where the employer uses the contact tracing data to find out that Employee X has been talking to other employees about safety concerns in the workplace and the need to unionize. The employer might then be in violation of labor laws by retaliating against the employees.

Keeping the Data Decentralized is Important

In the workplace, employees often waive much of their privacy interests. For example, employers can often peruse through an employee’s desk. But outside of the workplace, consumers still have substantial privacy interests. There is a strong concern among lawyers that this creates a slippery slope that will increase the use of surveillance by the government and others. Imagine, for example, that this digital contact tracing data isn’t just used to alert people that they might be exposed, but is sought after by stores to figure out who to let in and who may be “unsafe.” Keeping the data decentralized is important to make sure that the “good” that comes of this digital contact tracing doesn’t come at the expense of our legal rights.

Numerous countries, such as Australia and Singapore, are already rolling out tracing apps without fully understanding all the implications. To that end, several Republican Senators announced plans last week to introduce the COVID-19 Consumer Data Protection Act. This was ostensibly to put limits on the collection and use of personal health, geolocation and proximity data. Whether we need new legislation or not, the fact remains that employers – and all of us – need to think further about all the consequences (both real and unintended) that such technology poses. If we do allow such a technology, when should this surveillance end? And more worrisome, what will happen next?

Thanks Chris and ADNET for tackling this issue.

What’s Next? 

If I had to summarize my thoughts on digital contact tracing and exposure notification, the short answer is – it’s complicated. This is innovative, intriguing and I will personally argue, necessary technology, but it does have me concerned.

As I write this, the ADNET Security team is actively researching the data specifications, focusing on privacy controls. Our next blog on this topic is forthcoming from Tim Weber, Director of Security Services. I leave our thoughts from a security and privacy perspective in his capable hands. Thank you to my co-author Dan Schwartz for sharing his perspective on this evolving issue. I encourage you to follow his blog for additional guidance on employment law. As we continue our research and wait to learn more, I welcome your thoughts and questions.

Daniel A. Schwartz – Guest Co-Author

Daniel A. Schwartz is Labor & Employment Law Partner at Shipman & Goodwin LLP and has offices in both Hartford and Stamford, Connecticut. He created the Connecticut Employment Law Blog in 2007 with the goal of sharing new and noteworthy items relating to employment law with employers, human resources personnel, and executives. Since then, the blog has been consistently recognized by the ABA Journal as one of the best legal blogs. It was eventually placed into the “Blog Hall of Fame” in recognition of its contributions and consistency over the years.

Christopher J. Luise

Christopher Luise is Co-CEO at ADNET Technologies, LLC. Early in his career, Christopher co-founded ADNET with Co-CEO Edward Laprade, and worked for several years as vice president responsible for new business development. In 1995, he left ADNET and spent the next 13 years driving innovative, technology-based solutions in the U.S., Europe, Latin America, and Asia as group CIO and later CEO for a Global Financial Services organization. Christopher returned to ADNET in 2008 to lead the Infrastructure and Advisory Services consulting practices with a full-time focus on strategy, operations, and branding.