Privacy and Security

Considerations for Policymakers as States Launch Contact Tracing Apps

States are releasing contact tracing apps for smartphones. Policymakers, citizens, and others need to understand how the apps work and who has access to the data, and they should keep in mind the government’s tendency to move the goalposts on “temporary” programs.

Contact tracing apps are programs for smartphones that allow the users, and anyone with access to the data, to keep track of people with whom they come into prolonged contact. The idea is that if a user tests positive for COVID-19, the user can enter a special code into the app and alert others with whom the individual had that prolonged contact.

Google and Apple worked together to create application programming interfaces (APIs) for contact tracing app developers (an API is, in technical terms, a defined way for two different programs to talk with each other). In this case, it means a way for developers to create a contact tracing app that works with Apple’s iOS and Google’s Android operating systems. The states that have launched apps thus far appear to rely on those APIs. Google and Apple designed the APIs with some modicum of privacy in mind. Apps built on the APIs rely on Bluetooth connections rather than GPS tracking and exchange pseudonymous tokens when the phones spend a predetermined amount of time in close proximity, often around 15 minutes. The phones store the tokens for around two weeks. According to health officials involved in the development of these apps, the tokens give officials access to very little data, but the data can still be used to determine whether a specific area or region is experiencing a higher number of cases.
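To make the token exchange described above concrete, here is a small simulation added for this page; it is not code from Apple, Google, or any state app. It models the behaviour the paragraph describes (tokens exchanged only after roughly 15 minutes of proximity, kept on the phone for about two weeks, a one-time code that unlocks the upload after a positive test), while the 10-minute token rotation, the HMAC-based token derivation, and the class and function names are assumptions made for illustration. The point it demonstrates is the privacy property policymakers should be asking about: the health authority receives only a positive user’s own daily keys, and matching against stored tokens happens on each phone, so the authority never sees who met whom.

```python
import hashlib
import hmac
import secrets
from datetime import date, datetime, timedelta

# Parameters from the page's description of the Apple/Google-based apps:
# tokens are exchanged after roughly 15 minutes of proximity and kept for
# about two weeks. The 10-minute rotation and HMAC derivation are assumptions.
PROXIMITY_THRESHOLD = timedelta(minutes=15)
RETENTION = timedelta(days=14)
TOKEN_ROTATION = timedelta(minutes=10)
INTERVALS_PER_DAY = 24 * 60 // 10


def derive_token(daily_key: bytes, day: date, interval: int) -> bytes:
    """Rotating 16-byte token for one 10-minute slot (assumed HMAC construction)."""
    msg = f"{day.isoformat()}:{interval}".encode()
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_keys: dict = {}   # date -> secret; stays on the phone
        self.seen: list = []         # (token, timestamp) heard from nearby phones

    def key_for(self, day: date) -> bytes:
        return self.daily_keys.setdefault(day, secrets.token_bytes(16))

    def current_token(self, now: datetime) -> bytes:
        interval = (now.hour * 60 + now.minute) // 10
        return derive_token(self.key_for(now.date()), now.date(), interval)

    def purge(self, now: datetime) -> None:
        """Drop observations older than the retention window (about two weeks)."""
        self.seen = [(t, ts) for (t, ts) in self.seen if now - ts <= RETENTION]

    def diagnosis_keys(self, now: datetime) -> dict:
        """What a positive user uploads: only their own recent daily keys."""
        return {d: k for d, k in self.daily_keys.items() if now.date() - d <= RETENTION}

    def check_exposure(self, published: dict) -> list:
        """Re-derive every token a positive user could have broadcast; match locally."""
        candidates = {derive_token(k, d, i) for d, k in published.items()
                      for i in range(INTERVALS_PER_DAY)}
        return [ts for (t, ts) in self.seen if t in candidates]


class HealthAuthority:
    """Holds only uploaded daily keys (unlocked by a one-time code), never contact lists."""
    def __init__(self):
        self.codes = set()
        self.published: dict = {}

    def issue_code(self) -> str:
        code = secrets.token_hex(4)
        self.codes.add(code)
        return code

    def upload(self, code: str, keys: dict) -> bool:
        if code not in self.codes:
            return False
        self.codes.discard(code)           # single use: the code cannot be replayed
        self.published.update(keys)
        return True


def encounter(a: Phone, b: Phone, start: datetime, duration: timedelta) -> int:
    """Two phones nearby for `duration`; tokens are recorded only past the threshold."""
    if duration < PROXIMITY_THRESHOLD:
        return 0
    t, n = start, 0
    while t < start + duration:
        a.seen.append((b.current_token(t), t))
        b.seen.append((a.current_token(t), t))
        t += TOKEN_ROTATION
        n += 1
    return n


def run_scenario() -> dict:
    """Constructed scenario: Bob tests positive; Alice met him long enough, Carol did not."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    now = datetime(2020, 9, 1, 12, 0)
    encounter(alice, dave, now - timedelta(days=20), timedelta(minutes=30))   # stale, purged
    encounter(alice, bob, now - timedelta(days=2), timedelta(minutes=20))     # >= 15 min
    encounter(carol, bob, now - timedelta(days=2), timedelta(minutes=5))      # too short
    alice.purge(now)
    carol.purge(now)
    ha = HealthAuthority()
    accepted = ha.upload(ha.issue_code(), bob.diagnosis_keys(now))
    replayed = ha.upload("not-a-code", bob.diagnosis_keys(now))
    return {
        "accepted": accepted,
        "rejected_bad_code": not replayed,
        "alice_stored": len(alice.seen),                       # dave's tokens are gone
        "alice_exposures": len(alice.check_exposure(ha.published)),
        "carol_exposures": len(carol.check_exposure(ha.published)),
        "authority_holds_days": len(ha.published),             # keys only, no contact graph
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two of the questions in the checklist below map directly onto this model: what the state can access (here, only the uploaded daily keys) and how long data is retained (the purge step enforces the two-week window on the phone, but nothing in the protocol limits how long an authority keeps what was uploaded to it).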

Other apps not built on the APIs may use a variety of methods, including tracking users’ locations through GPS. These apps often record, for periods of about two weeks, all locations where the phone has been. They also allow the app’s users to supplement the data collected. Thus far, only two states have attempted to use GPS location, and both apps have either failed or not been widely adopted by the populace.

Between five and six states have launched contact tracing apps, depending on how the total is counted. Virginia was the first state to launch, followed closely by Pennsylvania. Other states include Nevada, Wyoming, Alabama, and North Dakota. All but North Dakota rely primarily on the Apple and Google APIs. North Dakota’s current app, which is not widely adopted, relies on location information tracking the user’s location for the past two weeks rather than keeping track of people with whom the user comes in contact.

With either type of app, there are significant concerns regarding how governments plan on using the data collected from the apps, how much privacy users can expect, and the governments’ plans for future development and implementation.

The private sector is more worried than the government about privacy and the long-term implications of contact tracing apps. People may find alternative products or services if a private sector company fails to adequately protect privacy. The government, though, has no competitors, and unelected bureaucrats are protected from any public outcry if the government misuses the data collected from contact tracing apps. For example, as one government official noted in recent testimony before the Pennsylvania Senate’s Communications and Technology Committee, the Commonwealth may keep the data for two years, or it may keep the data potentially up to seven years. The government will discontinue the app when there is a vaccine, or it may discontinue the app when the public health threat subsides.

Many states have partnered with third parties for app development. Some states have contracted out the development entirely. Overall, the relationship between states and the developers is not well understood, including any agreements to share the data collected.

Many experts also believe that a certain percentage of a state’s population must use the app for it to be effective. Some experts believe this percentage is around 60% of the population, while others believe the number is much smaller, around 15%.

Contact tracing apps may serve as useful tools to monitor and arrest the spread of COVID-19. But policymakers who adhere to the ALEC principles of limited government and individual liberty should be vigilant to ensure state health departments and other agencies protect the privacy of citizens who choose to use the app. Little is known about how state governments intend on using the apps and the data collected from them.

Because of the need to remain vigilant, some questions that policymakers may want to ask state health officials and representatives of governors’ offices include:

  • Is the app built upon Google and Apple’s APIs, or is the state developing its own system independently? If the state is developing the app independently, does it rely on Bluetooth technology, GPS location, or a combination of both?
  • Who is the state partnering with to develop the app? How much is it paying these partners and where does the money come from?
  • What type of information can state health officials access from the app? Has the state drafted best practices for data collection, anonymization, retention, security, and sharing? Is the data anonymized? How is the data anonymized? Can the data ever be linked to specific users? Will the third parties who helped develop the app have access to the data? Will any other third-party have access to the data?
  • How does the state plan on using the data collected from the app?
  • What steps have the state and developers taken to secure the app from bad actors? What cybersecurity measures are in place? How has the security of the app been audited? Has the state contracted with third parties to test the security of the app and data collected?
  • How long does the state plan on using the app? What standards or tests does the state have in place to determine when the app is no longer necessary?
  • How long will the state retain the data collected?
  • What are the state’s policies for deleting the data? How is the data deleted? If third parties have access to the data, how will the state ensure that they delete the data?
  • Has the state contracted with any third parties to audit data collection, retention, and deletion practices?
  • Is use of the app completely voluntary? Many reports indicate that a certain percentage of the population must download and use the app for it to be effective. Has the state determined how many people must use the app for it to be effective? If so, what is that number? If people of the state decide not to use the app, does the state plan on mandating its use?
  • Does the state have an agreement with neighboring states to use the same app and to share the data? What is the state using as its legal authority to share data collected from residents of this state with other states? What type of data collection, sharing, retention, and deletion practices do those states have?
  • Will the data collected ever be used to enforce quarantine orders, ensure that businesses are adhering to occupancy limitations, or otherwise enforce any executive order or health directive related to COVID-19?

In Depth: Privacy and Security

A market environment is essential for future success of the Internet. A consumer and private-sector-driven approach to privacy via self-regulation avoids undue regulatory burden that would threaten a thriving electronic marketplace. The Internet has flourished due in large part to the unregulated environment in which it has developed and grown.