What You Need to Know About Contact Tracing, Privacy, and COVID-19
Rachel del Guidice /
Contact tracing is seen as one way to fight COVID-19. But does the tracing, which would mean tracking a person who had been physically near in recent days, involve giving up too much privacy?
Klon Kitchen, a senior research fellow in technology at The Heritage Foundation, joins The Daily Signal Podcast to discuss how contact tracing works and whether it could be used to stem the spread of the coronavirus in the United States.
He also discusses who would have access to the resulting information, privacy concerns, and more. Read the lightly edited transcript, pasted below, or listen to the interview on the podcast:
We also cover these stories:
- The Little Sisters of the Poor were back at the Supreme Court.
- Vice President Mike Pence is pleased with the Justice Department’s decision to side with a Virginia church in a lawsuit against Gov. Ralph Northam.
- The Michigan Legislature has sued Gov. Gretchen Whitmer in an effort to put a stop to her coronavirus emergency orders.
The Daily Signal Podcast is available on Ricochet, Apple Podcasts, Pippa, Google Play, or Stitcher. All of our podcasts can be found at DailySignal.com/podcasts. If you like what you hear, please leave a review. You can also leave us a message at 202-608-6205 or write us at [email protected]. Enjoy the show!
Rachel del Guidice: We are joined today on The Daily Signal Podcast by Klon Kitchen. He’s a senior research fellow in technology at The Heritage Foundation. Klon, it’s great to have you on The Daily Signal Podcast.
Klon Kitchen: Yeah, it’s my pleasure.
Del Guidice: Well, thank you for being with us. You recently had a piece come out on heritage.org on the Apple-Google partnership to fight COVID-19. You’re writing about the promises and perils of contact tracing. So, to start off, before we get into the nitty-gritty here, can you tell us what contact tracing is?
Kitchen: Sure. Contact tracing is a standard tool for responding to pandemics. It’s been kind of a key part of every response, successful response, for the last several decades.
What it is is when an individual is sick with some type of contagion, a virus or disease that is being tracked by public health officials, they go and they interview that person to determine who all they’ve been in contact with during the period in which they are able to transmit that sickness. Then they follow-up with those people to see who they’ve been in contact with.
What that ultimately allows is it allows researchers to understand where the virus has been, and more importantly, where it’s going, and then begin to take proactive measures in mitigating the transmission of that virus further.
Del Guidice: When it comes to contact tracing, Klon, how could it be used for COVID-19 in the United States?
Kitchen: It’s already being done. Contact tracing in the context of COVID-19 has been a standard mechanism that’s been employed essentially since Day One precisely because COVID-19 is so easily transmitted and spreads so quickly. So, public health officials and local state and federal policymakers have needed the information that comes from contact tracing.
The big difference is, because COVID-19 spreads so quickly, it’s outstripped traditional manual contact tracing.
The way it’s typically been done in the past is an individual researcher, investigator goes out and does these interviews and then follows on with the 20 or 30 or 40 or 50 people that you’ve been in contact with over the last two weeks. COVID-19 has outstripped our ability to keep up with the speed of transmission.
So, what’s now being considered are, is it possible to use technology in a way that would allow us to do contact tracing in a way that is not only fast enough to keep up with the real-time reality of the virus but also in a way that maintains or even improves individual privacy as we do that tracing?
Del Guidice: Let’s say that there is a user who opts into contact tracing for COVID-19 and then later finds out she has COVID-19. How did the contact tracing work then?
Kitchen: The first thing to know is that the only people who are going to be allowed to build these apps are public health agencies. So, it’s not going to be individuals. It’s not going to be individual companies. It’s not even going to be kind of the federal government, per say. It could be someone like the [Centers for Disease Control and Prevention]. …
Both Apple and Google have said that they’re going to prioritize, essentially, one app per country to maintain a unified approach to it.
What happens is, you have to voluntarily download the app. So, you only participate if you want to. There’s no mandate.
Then if you, as an individual, get tested positive for COVID-19, you then have to choose, you have to volunteer to, one, enter that diagnosis into the app. You don’t have to. There’s no law that’s going to require you to do that, but you may choose to.
If you choose to, you will then have to subsequently approve again that that positive diagnosis be shared with other people.
So, there’s kind of these three layers of a willful act an individual must take for this information to be collected and shared.
Del Guidice: If you do get the contact tracing app, does that change how much information your phone company has about you and who will have access to that information?
Kitchen: No. As we’ve looked at the details of the contact tracing, it doesn’t meaningfully change anything about what kind of big tech or big government has knowledge about in terms of your activities.
Now, I want to be clear, all of the concerns about privacy and about data acquisition, those are all legitimate. The ones that we’ve had before COVID-19 are still going to be there and present after COVID-19.
What we’re talking about here is a specific application that Apple and Google are allowing to be used on their mobile devices that … anonymizes the data that’s collected, and only information that is collected via the app and the API, your general proximity to someone else who may have been COVID-19 diagnosed. …
It doesn’t collect you geolocational information. It doesn’t collect who your contacts are. It doesn’t identify you by name. It doesn’t collect all kinds of other personal-identifying information. Any information that has to be provided along those lines would be something that an individual would have to willfully provide to an app.
Even on top of that, Apple and Google are explaining to the app developers that they will not allow them to request certain types of personally-identifying information and that none of this information will be shared with anyone beyond public health officials.
So, no commercial interests, so no one’s going to be serving you ads. No one’s going to be selling this for marketing data and the government. The law enforcement and intelligence agencies do not get access to this information either.
Del Guidice: When it comes to what is being shared, what information will technology companies get? What kind of information will be shared with the government?
Kitchen: The big innovation, what’s actually happening here is that they have developed a way to know if an individual has been in close proximity—meaning within … 6 to 12 feet—of someone who has been identified as being COVID-19 positive. They do that without gathering or sharing any of your personal information.
What happens is, if you download the app, in the background it is generating every 15 minutes a unique anonymized key code. Then as you come within 6 feet, something called Bluetooth on your phone registers all the people that you’ve been in close proximity to using those same keys.
So, you’re never told about the individual. You’re not even identified by location. It’s just that this exchange of keys happens automatically.
Then what happens is, if one of the people that you’ve been in close proximity to is positively identified as having COVID-19 and they choose to share that diagnosis and they choose to share that diagnosis more publicly, then you would just get a notification saying, “Hey, some time in the last 14 days, you’ve been in proximity to someone who was COVID-19 positive.”
They don’t tell you who it was. They don’t tell you when it was. They don’t tell you where it was. It then makes a recommendation that you may or may not want to go get tested. So, that’s the real innovation.
There’s no additional information that’s being collected by what’s called the application programming interface, the API, the thing that Apple and Google built.
Now, again, … the public health agencies who build the app may ask you to put your name and your address and things like that into it when you choose to report your COVID-19 diagnosis.
That’s much the same way it would be if you went to the hospital and got diagnosed with COVID-19 as well. They often will collect that information and they’ll feed that to public health agencies so that they can then enter it into their models and things like that.
One of the cool things about this digital format is that it actually enables a great deal more security because all of this information’s being automated, which means pure people’s eyes are looking at it, and it’s being encrypted both at rest and in transit.
Del Guidice: What about hacking? Isn’t it possible, or is it possible, that hackers could come across the data that’s put into these apps and obtain it through contact tracing?
Kitchen: Hacking is always possible and it’s always a threat. In this case, the way it’s being designed, it’s actually more secure if that happens. So, as I mentioned just now, this information is going to be encrypted both at rest and in transit. So, we’re now going to be adding new layers of security that didn’t typically exist in traditional manual contact tracing.
It’s important to understand that in the past when we would do manual contact tracing, individuals would still go out. They would investigate. They would take all that information. They would take your name, they would take your address, and they would fill that in to databases that public health agencies use for understanding the pandemic and tracking the pandemic.
So, those databases, even if the mobile contact tracing never occurs, those databases are still something that need to be secured and need to be defended against hacking.
The hacking threat is always there. The key in this distinction here is that we’re now going to be using Apple and Google, two companies who pay more on cybersecurity and spend more on cybersecurity than anyone else on the planet to help defend against those risks.
Del Guidice: Looking at that international perspective, have other countries tried contact tracing in order to deal with COVID-19 or even other matters? Has it worked with these other nations?
Kitchen: Yes. Virtually every country who is dealing with the COVID-19 challenge has had to do contact tracing. Again, that’s been kind of the standard operating procedure for decades.
There have been several nations that have attempted to do the digital contact tracing that we’re talking about. That represents a pretty broad spectrum of government in terms of their concerns about privacy and even their population’s expectations of privacy.
So, it’s going to include everything from Australia, which would largely line up with American perspectives and expectations; to the United Kingdom, France, and Germany, which are going to be maybe not quite as robust on individual privacy and communications privacy as the U.S. and Australia would be; all the way down to Taiwan and China, which are going to have very different cultural government expectations for privacy.
Where it’s been rolled out, it has shown to be an effective mechanism for having a better understanding of what is going on with the COVID-19 crisis.
Del Guidice: Since, as you mentioned, Apple and Google are going to be kind of leading the way with contact tracing and the apps that they’ll be installing for users, should there be any oversight of Apple and Google? If so, what would that look like?
Kitchen: Yeah. So, when we wrote our paper, we made eight recommendations that both industry and government should adopt in rolling this out, because there are very real legitimate and important concerns that people will have as it regards individual privacy and big tech and big government.
Now, the good news is that since we’ve issued our report, Apple and Google have updated their requirements for app developers who are going to use this to include six of those eight recommendations.
For example, the responses that are provided to the app cannot be shared with law enforcement or intelligence purposes.
Apps can only collect the minimum data that is needed for contact tracing and notification. No collected data can be used for commercial efforts. No selling ads, licensing the information, or anything like that. The apps won’t be chalked full of advertisements or product promotions or other marketing.
The app cannot request the use of location data or what’s called Bluetooth administrative privileges or special access or anything else on a user’s phone.
So, a lot of the concerns that we had are actually being addressed.
Two, oversight right now is largely in place. So, a lot of these things are already bound by law and are going to fall within congressional oversight. Any notion of deviation from these requirements will be something that Congress could quickly act on and gage if it was necessary.
Del Guidice: How would you say privacy risks could be minimized given the fact that people are concerned about their privacy being protected?
Kitchen: In addition to what I’ve already kind of laid out in terms of some of the rules that are being put in place, it needs to be clear that these companies—phone companies, tech companies, app development companies—they collect a lot of information. They collect the information that consumers agree to give them.
They do that when they agree to what’s called terms of service agreements. That has been in place before COVID-19 and will be in place after COVID-19.
What I’m not saying is that Apple and Google and these app developers don’t have additional information. They do. But they will not be getting more information or even most of the information they already have through this digital contact tracing initiative. It’s something wholly separate and distinct. They are only collecting the minimal amount of data that is necessary to do this one mission.
So, I’m not saying there’s no concern for privacy. I’m just saying that this digital contact privacy effort doesn’t material affect those concerns for good or for ill.
Del Guidice: Well, this is a poll released in late April from The Washington Post and University of Maryland, which said that half of Americans who responded to the poll with a smartphone wouldn’t use the app that traced them during COVID-19. What would you say to an American who’s concerned about this app?
Kitchen: The first thing I would say is that the concerns are understandable. They’re legitimate and deserve a careful consideration and response.
The second thing I would say is that The Heritage Foundation pays me to do that type of considered careful investigation and response.
My assessment is that digital contact tracing does not materially affect someone’s exposure to either government or industry data collection. There is a minimal amount of data that’s being collected.
Much of this information on the industry side is collected via other mechanisms. So, they don’t frankly need to use the digital contact tracing to get that stuff.
Then two, it’s equally true that the federal government subpoena and warrant authorities are in place. They can serve warrants and subpoenas on these companies if they have a justification. Then those companies can go through the normal process of either complying or resisting.
So, all of that is happening above and beyond the digital contact tracing effort.
What I will say is that the good news about all of this is that it’s completely voluntary, and you will not be compelled to do this. So, if you just do not want to do it, you don’t have to, and that’s great.
One of the reasons why it may be something that people want to consider, however, is that it is now kind of an undeniable truth, and this is something that even the Trump administration has made clear, that contact tracing is an essential element of getting our nation back up and running.
So, we have to have an awareness of where this virus is and where it’s going if we want to come out of our homes, open up the economy, and be productive going forward. If there is a way where digital contact tracing not only enables that but enables us to do that in a more secure way, it’s something worth considering.
Del Guidice: Well, Klon, thank you so much for unpacking this for us and joining us on The Daily Signal Podcast. It’s been great to have you.
Kitchen: My pleasure.