In response to the CDC’s approach to fighting COVID-19 through contact tracing, governments and tech companies across the globe are working together to use geo-tracking data to gain insight into the spread of the disease and develop apps to enforce quarantines or identify people who may have been exposed to the virus.
On the one hand, using location information to help stop or slow epidemics has been done since 1854, when Dr. John Snow traced the source of the Broad Street cholera outbreak to a cluster of contaminated wells. But with today’s tracking methods and the vast amounts of geodata currently collected, the potential to pinpoint a specific person’s exact movements poses some serious questions about data privacy.
Any business that relies on collecting and selling geo-tracking information—with the consent of the data subjects—may learn some useful lessons from examining the proposed solutions to see how well they protect privacy and how willing citizens are to cooperate.
The Objective of Contact Tracing
Geotracking information collected from cell phones or other GPS-enabled or connected devices can help slow the spread of contagious disease in at least four ways:
- Quarantine Enforcement – using a cell phone or other electronic tracking device to detect individuals violating quarantine restrictions.
- Contact Tracing – identifying locations visited or people in close contact with contagious individuals.
- Predicting Spread - analyzing aggregated geotracking data to determine where the disease is likely to spread.
- Evaluating Social Distancing Measures – analyzing aggregated geo-tracking data to determine if people are reducing the frequency and distance they travel or to identify areas where people are still congregating.
The Privacy Risk of Leveraging Geo-tracking Data
Simply put, geotracking data is sensitive. Some people don’t want their government, employer, neighbors, or even their family to be able to track their every move. Privacy regulations, including the GDPR and the CCPA, also consider location data to be sensitive unless it is stripped of personal information such as names, phone numbers, or account numbers. In order to track movement, however, the collector assigns anonymous id codes to each device, which typically lumps location data in with everything else.
One potential option is using a person’s public Facebook, Instagram, or Twitter posts to pull their movements from anonymized geotracking data. Analysis of anonymized data collected from 1.5 million cellphone users over a span of 15 months revealed that if you know four locations a person visited and the dates and times of those visits, you can probably reconstruct his movements from the anonymized data. But this won’t account for people who aren’t active on social media or who turn off tracking when they close their apps.
So what solutions are on the table and what do they mean for our data privacy?
1. Electronic Quarantine Fence
One of the most well-known solutions has already been implemented in some places, including Taiwan, Hong Kong and Singapore. They’ve set up electronic fences using either cell phones or location-tracking bands to monitor the movements of quarantined individuals. If a person ventures outside their home or turns off their phone, local police or officials get notified.
Cell phone-based electronic fences may be easier to set up, because so many people already own cell phones, but they are not a perfect solution. To really work, officials have to include random phone calls or in-person visits to make sure the cell phone owner has not strayed away from their phone. Plus, they are really only realistic for narrowly targeting individuals at high risk of spreading infection, such as patients diagnosed with the disease or travelers arriving from places where the disease is prevalent. And even then, it’s effective only if these behaviors are enforceable by law.
2. Analysis of Aggregated, Anonymized Data
Instead of tracking an individual cell phone, for example, you can analyze all the cell phone location data for a metropolitan area to identify trends. Geo-tracking data can identify where people tend to gather in larger numbers, like the harbor in NYC on the day the USNS Comfort docked. Google’s Community Mobility Reports show how movement patterns change as governments issue stay-at-home or lockdown orders. Facebook’s co-location maps even show the probability that people in one area will come into contact with people from another, which may help predict where COVID-19 cases will appear next.
We don’t know yet how useful this analysis will be, or how much of a privacy risk they present. Summary results of data analysis, such as movement trends, are less likely to reveal personal information than the underlying geo-tracking data. If the data is carefully aggregated, anonymized, and protected from disclosure, the privacy risk may be minimal.
3. Contact Tracing: Comprehensive Post-Diagnosis Data Collection
Contact tracing is a well-established tool for controlling the spread of disease, but it can be very invasive. Some countries, including Singapore and South Korea, are pulling geo-tracking information from cell phone providers, payment card transactions, visits to medical service providers, and surveillance cameras to verify the reported movements of contagious individuals.
The geo-tracking data used in these systems may help patients recall the friends, family members and coworkers they’ve been in contact with, but it does not identify strangers who happened to be near the patient. The contact tracing data has to be published, so that people can check whether or not they have been exposed. The South Korean government currently publishes personal details about every diagnosed Coronavirus patient, including the person’s age, gender, date of diagnosis, and locations visited while potentially contagious. Cellphone users also receive alerts notifying them of nearby areas recently visited by a contagious person. Individuals can check the case records and cell phone alerts to see if they may have been exposed, which is useful. Unfortunately, however, armchair sleuths can also use the published information to figure out which 47-year-old male neighbor visited the local love hotel last Friday.
Whether people will be willing to tolerate such invasive data collection will likely be affected by the amount of trust they have in the officials collecting the data, whether the data is collected with or without consent, whether or not the data is protected from disclosure, and their past experience with epidemics.
South Korea, for example, recently went through an outbreak of MERS-CoV, a virus closely-related to COVID-19. During that outbreak, the disease spread quickly in hospitals and medical centers, and the government was harshly criticized for not disclosing which facilities posed a high risk of infection. This recent experience may explain why South Koreans are willing to sacrifice their privacy rights.
4. Contact Tracing: Proximity Beacons
Google, Apple and other groups are working on proximity beacons, which are intended to provide privacy-centric contact tracing. Proximity beacons are basically a way for two bluetooth devices to exchange id codes if they are close together long enough for one user to infect another. If a user is later diagnosed with an infection, the id codes his device collected over the last couple of weeks are added an exposure list.
If a proximity beacon scheme were widely used by most of the population, it would provide more useful contact tracing than the comprehensive data collection schemes in one key respect: it identifies people who may have been infected, rather than places where a contagious person was.
There are a few variations of this option, each providing differing degrees of privacy protection. At the more invasive end of the spectrum, each device would have a unique, permanent id code; use of the system would be mandatory; and all the proximity beacon information would be automatically added to a centralized database accessible to public health officials. This version is likely to be the most accurate and efficient solution for electronic contact tracing because everyone with a cell phone gets tracked and public health officials can identify and notify people at risk of infection.
Google and Apple, however, are supporting a more privacy-centric version, and have stated they will only support applications that are voluntary. Users must opt-in. The proximity beacons ids are anonymous and temporary, rotating every 15 minutes. Each device stores its own log of the id codes it has detected. A user diagnosed with the disease may choose whether or not to upload the log to a contact list and every device using the beacon system would periodically check the exposure list. If a device finds that one of its own temporary id codes is on the exposure list, it can notify its user of the possible exposure. Public health officials are unable to track an individual device or identify the person using a device from the temporary id codes the device broadcasts.
The sort of voluntary proximity beacons Google and Apple are advocating appear to provide a lower privacy risk than mandatory, centralized proximity beacon proposals or the South Korean-style contact tracing.
Experts estimate that up to 60% of the population must participate in a proximity beacon solution for it to work well. The voluntary proximity beacon schemes already in use have initially reported low adoption rates, ranging from 6% in India to about 20% in Singapore.
Additionally, as the University of Cambridge’s Professor Ross Anderson noted:
“… a voluntary app operated by anonymous actors is wide open to trolling. The performance art people will tie a phone to a dog and let it run around the park; the Russians will use the app to run service-denial attacks and spread panic; and little Johnny will self-report symptoms to get the whole school sent home."
If you rely on collecting personal information, you are most likely to get useful, accurate information if users consent to the collection and benefit from providing accurate information.
What will this mean for the future of data privacy?
Given the string of privacy scandals making headlines over the last few years, many companies are eager to remind consumers of the beneficial ways their data may be used. Certainly stopping the spread of disease is a good thing. But one privacy advocate calls this “COVIDwashing,” privacy-invading practices in an attempt to legitimize the use of data even if it “is being gathered secretly or illegally by companies.”
While it’s impossible to know whether leveraging any location data in possession would open the door to nefarious uses in the future, one outcome is likely: After the pandemic passes, consumers will either take more care to opt-out of geo-tracking data or push for stricter controls on how their data is collected, analyzed, bought and sold.
For companies who collect geotracking data, it’s important to note: Consent can be revoked. If geotracking data is important to your business, you must earn and keep the trust of the people providing the data to maintain access to it.
That means you must provide value in return for the data; disclose what data you collect, how it is used, and who it is shared with; and take care that third parties—whose data you can’t control—don’t get access to sensitive information.
And if you collect location data in compliance with GDPR or CCPA and keep it within your control, you’ll have the opportunity to use it for a purpose far more impactful than product and marketing analytics.