As the pandemic threatens the health and economic security of communities around the globe, the issue of equity—whether gender equity, equity in access, racial equity, equity for linguistic and cultural groups, or age-group equity—has come to the forefront of debates among policymakers, civil society, educators, industry leaders, and other stakeholders. Groups that intend to address the pandemic through digital contact tracing technologies (DCTT) should acknowledge, and take seriously, the risk that DCTT could deepen existing social inequities. Conversely, moving privacy and equity to the center of the conversation about DCTT can improve trust in the institutions administering it and contribute to better local adoption.
In this brief discussion, we outline considerations in equity and fairness to encourage those using this playbook to think about how DCTT can be used in a trusted, service-integrated, and nondiscriminatory way and, subsequently, improve adoption. We also highlight emerging legislative trends shaping DCTT initiatives across the US, which are increasingly codifying the equitable and ethical considerations raised in this Playbook.
While privacy and equity may not be the first thing people think about when discussing how to combat COVID-19, each is foundational in effectively addressing the challenges caused by the virus. Addressing COVID-19 requires all members of a community to work together and trust in the institutions implementing digital solutions for COVID-19.
The COVID-19 pandemic has drawn greater attention to numerous societal disparities, including access to technology, health information, and healthcare. Management and tracking of COVID-19 infections can amplify existing inequities, whether through manual contact tracing or through DCTT that depends on diagnostic testing for its results. Digital management of COVID-19 also depends on the distribution of supporting infrastructure, such as broadband access, ownership and use of smartphones, and even electricity. Public health research has shown that COVID-19 infections have disproportionately affected different groups of people throughout America. Senior citizens succumb to infection at a higher rate, and senior citizens of color are at an even higher risk of premature death. Among younger persons, low-income essential workers who keep the economy functioning experience higher infection, morbidity, and mortality rates than others of the same age or socioeconomic status. Without a critical mass of participation and support within a community, the effectiveness of contact tracing falls.
Additionally, there are communities throughout the United States that are over-policed and over-surveilled. This is important because without institutional trust in the entities administering DCTT, many will see the risk posed by over-policing and over-surveilling as not being worth the benefit of effective contact tracing. This is particularly true in communities with large immigrant populations who may be without documentation or with language barriers. As a fundamental principle for use and design, no contact tracing technology should be developed or deployed if it will exacerbate existing inequalities or create new pathways for the inequitable treatment of persons or communities. In particular, DCTT should not elicit fear of being tracked, deported, disenfranchised, displaced, or stigmatized.
What steps can be taken to address and mitigate those inequities and to foster trust among our most socially vulnerable communities? In short, a maximin principle of distribution should be embraced: maximize the minimum payoff from participating in DCTT for those most severely affected by the COVID-19 pandemic. By providing access to contact tracing technologies to the greatest number of individuals, and taking purposeful steps to include those who are most negatively affected by the digital divide, the health benefits of DCTT will not accrue only to individuals who are already at low risk of contracting COVID-19. Just as importantly, no DCTT user should be penalized or stigmatized in any way for any behavioral data collected and/or reported through a DCTT initiative. While these steps are larger than any one stakeholder can take alone, DCTT developers and promoters should band together to move forward on them in earnest.
The risk that structural inequities and regulatory gaps will undermine public trust and adoption of DCTT has also spurred a new spate of state and federal legislative activity. Currently, the United States does not have a comprehensive federal privacy law, instead relying on a patchwork of state privacy laws. The absence of a comprehensive regulatory framework has left open questions about how public and private sector organizations should protect and use personal data during the COVID-19 pandemic. In an attempt to set ethical guardrails and create more clarity, legislators have introduced numerous bills to regulate contact tracing apps and COVID-19-related data.
At the federal level, there have been multiple calls for a comprehensive federal contact tracing strategy, and three key privacy bills have emerged. The Exposure Notification Privacy Act, a bipartisan bill, would apply to the operators of contact tracing apps. Many of its provisions align with Terms of Service for the Google-Apple Exposure Notification (GAEN) API. For instance, data could only be collected and processed for the purpose of responding to COVID-19, could only be retained for a certain period of time, and only confirmed diagnoses could be processed to trigger an exposure notification. Two other bills, one introduced by Senator Wicker and one by Senator Blumenthal, would regulate COVID-19-related data more broadly. However, these bills diverge along partisan lines around key issues, including their scope, preemptive capacity, enforcement mechanisms, and anti-discrimination and research protections. Nevertheless, there is agreement between all three of these bills on the need for contact tracing apps to be fully voluntary.
In the absence of a federal law, states are leading the way in the regulation of DCTT. California (AB89) and South Carolina (HJR5202) have already passed legislation preventing budget funds from being allocated to contact tracing apps. In South Carolina, any technologies deployed for contact tracing (e.g., case management tools or medical monitoring tools) must also be “maintained in a decentralized manner.” Kansas signed HB2016 into law in June, prohibiting state and local government entities engaged in contact tracing from using smartphone location data to “identify or track…the movement of persons” for contact tracing. Notably, depending on how this language is interpreted, the law may still permit the use of Bluetooth signals to measure relative proximity between two individuals, since proximity data is not location data. Digital contact tracing bills have also arisen in New Jersey, Minnesota, Utah, and other states.
States have also been proactive in addressing barriers to trust and equity beyond contact tracing, and in particular in acting to prevent data from being repurposed in ways that may harm individuals and marginalized communities which have frequently been the target of over-policing and surveillance. For example, the New York legislature passed a bill (A10500) with wide support from civil rights and advocacy groups to protect the confidentiality of contact tracing information and prohibit access by law enforcement and immigration authorities. A similar bill has gained traction in California (AB660). Other recent New York bills would ban all persons and state entities from collecting or using facial recognition technology to track COVID-19 (S8311) or impose obligations around transparency, data minimization, purpose limitations, data retention, and data security on government entities that collect, use, or disclose “emergency health data” (e.g., location, proximity, and health-related data), entities that develop or operate COVID-related apps, and downstream third party recipients (S8448). Similar to a bill in California (AB1782), New York’s S8448 would also aim to empower individuals to revoke their consent to the collection, use, and sharing of their personal information.
While the relationship between DCTT, privacy, and equity during the COVID-19 pandemic is a complex one, it is more important than ever to ensure individuals and communities are protected and their personal information is used in an ethical and responsible manner.
[The above section was developed and featured as part of a submission to the MIT Computational Law Report as part of the Special Release on COVID-19.]
COVID-19 is an unprecedented public health crisis. As the disease continues to spread through communities across the U.S. and abroad, information about the illness continues to evolve. To slow the spread, public health officials are turning to contact tracing as a means to track cases, identify sources of transmission, and inform people who may have been exposed to take precautions that can prevent further transmission.
Manual contact tracing is a scientifically established method that can help understand the spread of communicable diseases. For contact tracing to be most effective, people must share sensitive personal information regarding their whereabouts and the people with whom they have been in close proximity. This information allows contact tracing professionals to trace or map their locations and connect with those with whom they have been in close contact. One unique feature of the COVID-19 era is the way digital technology is facilitating these processes.
Digital contact tracing technology (DCTT) has the potential to significantly reduce the spread of COVID-19 and assist with reopening efforts. Smartphones, mobile device applications (apps), and the application programming interfaces (APIs) and data transfer protocols that connect them have been pulled together to produce digital contact tracing technologies. Contact tracing apps record an individual’s potential exposure to COVID-19 and notify the individual if they have encountered another app user who has tested positive for the virus, or who has self-reported as positive. These apps typically rely on geolocation data, Bluetooth proximity data, or both.
Apps relying on geolocation data use GPS, WiFi, or cell towers to track users’ locations. Bluetooth apps instead scan for other nearby devices running the app and exchange a unique, often rotating, token with each such device.[1] The app later checks the tokens it has recorded against the tokens (or the keys used to generate them) published by users who have reported testing positive for COVID-19, in order to determine whether the user was exposed to the virus; in decentralized designs this check happens on the user’s own device.[2]
Apps using geolocation data are considered more privacy-invasive because they track where the user has been in order to determine proximity to other users. Bluetooth proximity apps collect only proximity data, but they depend on the phone continuously broadcasting and scanning over Bluetooth, and signal strength is an imperfect proxy for distance (walls, pockets, and phone models all affect it), so they may be less accurate than apps relying on location data.[3] This is a particular problem for centralized Bluetooth-based apps, which cannot use the Google-Apple Exposure Notification (GAEN) API available to decentralized exposure notification apps and therefore face operating-system limits on background Bluetooth scanning.
The design and use of these apps create privacy risks and raise ethical questions. MIT Technology Review assessed apps developed by 25 countries, while the International Digital Accountability Council reviewed 108 apps across 41 countries. Many of these apps failed to minimize their data collection and did not guarantee that the data would be destroyed after a set period. Some countries’ apps also failed to limit the uses of collected data, and many of the apps reviewed did not provide transparency around their policies or design.[4] By taking these concerns into account, organizations that develop or use contact tracing apps can protect both health and privacy, and increase trust in contact tracing apps and other digital tools.
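The token exchange and matching described above, together with the rotating-token footnote, can be made concrete with a small simulation. The following is an added example written for this playbook, not code from any real contact tracing app or from the GAEN API; the key and token derivation (a random per-day key, 10-minute tokens derived with HMAC-SHA256), the 14-day retention window, and the phone names and encounter times are all assumptions chosen for illustration. It shows the decentralized model: phones broadcast unlinkable rotating tokens, a diagnosed user uploads only their daily keys (never the list of tokens they observed), and every other phone derives the diagnosed user’s tokens locally and compares them with what it recorded.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

TOKEN_INTERVAL_MIN = 10                     # assumed: one token per 10-minute window
INTERVALS_PER_DAY = 24 * 60 // TOKEN_INTERVAL_MIN
RETENTION_DAYS = 14                         # assumed retention window for observed tokens


def derive_token(daily_key: bytes, day: int, interval: int) -> bytes:
    """Rolling proximity token for one 10-minute window.

    Anyone holding daily_key can regenerate every token for that day; without the
    key, two tokens cannot be linked to the same phone (HMAC outputs look random).
    Illustrative construction, not GAEN's actual derivation.
    """
    msg = day.to_bytes(4, "big") + interval.to_bytes(2, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    daily_keys: dict = field(default_factory=dict)   # day -> 16-byte random key
    observed: list = field(default_factory=list)    # (day, token) seen from other phones

    def key_for(self, day: int) -> bytes:
        """Generate a fresh random key the first time a day is seen."""
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(16)
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return derive_token(self.key_for(day), day, interval)

    def observe(self, day: int, token: bytes) -> None:
        """Record a token received over Bluetooth; no identity or location is stored."""
        self.observed.append((day, token))

    def expire(self, today: int) -> None:
        """Purge observations and keys older than the retention window."""
        cutoff = today - RETENTION_DAYS
        self.observed = [(d, t) for d, t in self.observed if d > cutoff]
        self.daily_keys = {d: k for d, k in self.daily_keys.items() if d > cutoff}

    def diagnosis_keys(self) -> dict:
        """What a confirmed-positive user uploads: daily keys only, never observations."""
        return dict(self.daily_keys)

    def check_exposure(self, published: list) -> list:
        """Derive every token of each published key locally and match against observations."""
        seen_by_day = {}
        for d, t in self.observed:
            seen_by_day.setdefault(d, set()).add(t)
        matches = set()
        for keys in published:
            for day, key in keys.items():
                candidates = {derive_token(key, day, i) for i in range(INTERVALS_PER_DAY)}
                if candidates & seen_by_day.get(day, set()):
                    matches.add(day)
        return sorted(matches)


def simulate() -> dict:
    """Constructed scenario: alice meets bob on day 100; carol never meets alice."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 100
    for interval in (12, 13):                 # two consecutive 10-minute windows in range
        bob.observe(day, alice.broadcast(day, interval))
        alice.observe(day, bob.broadcast(day, interval))
    bob.observe(day - 20, os.urandom(16))     # constructed stale record from 20 days earlier
    carol.observe(day, bob.broadcast(day, 40))  # carol met bob, not alice
    bob.expire(day)                           # enforce the retention window before matching
    published = [alice.diagnosis_keys()]      # alice reports positive and uploads her keys
    return {
        "bob_exposed_days": bob.check_exposure(published),
        "carol_exposed_days": carol.check_exposure(published),
        "tokens_unlinkable": alice.broadcast(day, 12) != alice.broadcast(day, 13),
        "bob_observed_after_expiry": len(bob.observed),
    }


if __name__ == "__main__":
    print(simulate())
```

Two design points are worth noticing. The server never learns who met whom: it only relays keys of diagnosed users, and the matching computation runs on each phone. Retention is enforced mechanically by `expire`, which also deletes the phone's own old keys so that a later diagnosis cannot reveal encounters older than the window; a real deployment would additionally need to prevent a published key from being replayed or from being used to track a diagnosed user for the rest of that day, which is why rotation periods and upload windows are tuned carefully.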
While health behavior changes at the population level, such as social distancing, hand washing, and wearing face coverings, are the current best approach to containing the spread of COVID-19, both manual and digital contact tracing are important elements of a comprehensive response to this viral disease. Nevertheless, DCTT raises significant ethical and privacy concerns that should be addressed through both design and policy.
Public health authorities, application developers, and users of DCTT need better information on how to best preserve privacy and ensure ethical use of contact tracing data, so they can better scale contact tracing initiatives and reduce the spread of COVID-19.
BrightHive and the Future of Privacy Forum teamed up to kick off this privacy playbook to assist the coalitions of professionals invested in development and deployment of trusted DCTT. The playbook provides a series of actionable steps that purposefully address the privacy concerns of DCTT and support the development of ethical and responsible digital contact tracing protocols.
In particular, this playbook has been developed with the following types of scenarios, or use cases, in mind: 1) easing tension between application providers, public health officials, and government authorities; 2) supporting “opt-in” models for individuals to share health and location data; 3) supporting employers that are turning to internal contact tracing when their workplaces reopen.
This playbook is organized into two categories: Foundational and organizational plays, and technical and operational plays. Foundational and organizational plays create a strong, diverse coalition with a unified goal and set of values, aid in the administration of DCTT initiatives, and ensure that the coalition adheres to its shared values and gains the public’s trust. These plays are geared toward leadership, policy, and partnership roles in an initiative.
The technical and operational plays support implementing the DCTT initiative in a way that is consistent with other plays, the coalition’s values, and users’ privacy rights. These plays are geared toward technical, project management, and day-to-day operational roles in the initiative.
While plays are geared toward different roles, BrightHive and FPF advise collaborating across team and function through the lifecycle of the DCTT initiative.
This playbook was informed by the following resources: insights and recommendations from FPF workshops, publications & testimony; Georgetown Beeck Center Data Governance Handbook; Johns Hopkins Digital Contact Tracing book; Law.MIT principles and related efforts; STAT news articles and commentary; and other data protection COVID-19 guidance/resources.
BrightHive would like to thank Maithri Vangala, Natalie Ortiz, Samantha Levy, Hana Passen, Brian Lim, Autumn Felty, Joanna Tess, Kelly Dolan, Natalie Evans Harris, and Matt Gee for their expertise and contributions to the development of this playbook.
Future of Privacy Forum would like to thank Kelsey Finch, Sara Jordan, Rachele Hendricks-Sturrup, Pollyanna Sanderson, Brenda Leong, and Katelyn Ringrose for their expertise and contributions to the development of this playbook.
[1] Tokens are unique identifiers broadcast by a user’s phone. Apps that use rotating tokens replace the token associated with a phone on a regular schedule (typically every few minutes). This protects user privacy by dividing a phone’s broadcasts across many short-lived identities, so that no single observer can link them together and follow the phone over time.
[2] Andy Greenberg. “How Apple and Google Are Enabling Covid-19 Contact-Tracing.” Wired. April 10, 2020. https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/.
[3] Sam Biddle. “The Inventors of Bluetooth Say There Could Be Problems Using Their Tech for Coronavirus Contact Tracing.” The Intercept. May 5, 2020. https://theintercept.com/2020/05/05/coronavirus-bluetooth-contact-tracing/.
[4] Patrick Howell O’Neill, Tate Ryan-Mosley, & Bobbie Johnson. “A flood of coronavirus apps are tracking us. Now it’s time to keep track of them.” MIT Technology Review. May 7, 2020.
It is essential that members of a DCTT initiative coalition work with medical and public health partners to understand their data needs. Decisions about which data, analytic, and technological models to pursue should be based on medical and public health partners’ needs, their estimates of efficacy, and should be grounded in the best available evidence.
Measures taken in response to pandemics should be necessary and proportionate, to ensure that responses will be beneficial to solving the crisis without undue infringement on individual privacy and civil rights. Any personal information collected and used to control the harmful effects and spread of a pandemic should be strictly time-limited and confined to a specific, well-defined public health purpose. Historical evidence suggests that it is difficult to discontinue practices initiated during an emergency, and that proactive measures are required to avoid “mission creep.” Coalitions seeking to use personal information to control the harmful effects and spread of a pandemic should ask themselves whether or not a specific measure constitutes a necessary, appropriate, and proportionate action within a democratic society.
Trusted partners with the organizational and technical capacity to support DCTTs are essential. Some organizations, such as those with established ‘Data for Good’ programs, may already have experience sharing data in privacy-protecting ways with university, NGO, or government partners, including public health authorities. In addition, university-based programs and services, including research centers with experience in data ethics, might streamline the establishment of trusted data sharing arrangements between public agencies, companies developing and/or providing DCTT, and other institutions that will need to share data with one another to coordinate contact tracing.
At the outset of a DCTT development project, establish a governance committee that includes partners, experts, data users, and DCTT users, and that will guide the development of processes and procedures for the collection, use, and destruction of data. This group should include a diverse array of individuals representing state and local public health agencies, privacy advocates, organizations with the legitimacy to represent the individuals who are being asked to share their contact data, and other community advocacy organizations that want to support public health efforts while being responsive to ethical concerns. Do not wait until the technology solution is chosen or implemented to establish and convene this committee.
While transparency on its own is insufficient to protect individual privacy, respect for individual autonomy requires that the public understand how personal data is used and protected from misuse during a health crisis. Certain public health measures, including DCTT, rely on individuals’ willingness to provide their information in service of a larger goal. In support of such measures, governments, public health authorities, and corporate leaders seeking to share data should take extra steps to engage the public and be transparent about how personal data is used, by whom, and for what specific purposes.
Meaningful and inclusive public engagement is essential to building health tools and analytics that reflect generally held collective values, including privacy, equity, efficiency, community health, and more. If deployed uncritically, digital health technologies risk exacerbating existing societal inequalities, including racial, socioeconomic, and digital divides. Coalitions that seek to deploy a DCTT initiative should recognize and address such concerns, and ensure that these technologies do not subject communities to additional discrimination or unfairness.
Governments should not require individuals to share personal health information or mandate the use of digital contact tracing technologies. Any incentives offered to encourage adoption of such technologies must not be coercive, but should instead support their equitable and voluntary use.
In a public health crisis, the reliability and representativeness of DCTT information is vitally important. However, digital technologies and services are not always designed in ways that are accessible to individuals with disabilities and may fail to adequately record their experiences. The consequences of this sort of biased or inaccurate data can be lasting, leading to poor or inefficient decision-making, unethical or illegal data uses, or discriminatory outcomes. DCTT initiatives and features should be designed in ways that are accessible to all.
In order to maintain public trust and legitimacy, oversight and accountability mechanisms must be clear and functional at every stage in the process. Systems used to support a DCTT initiative must be continuously maintained and monitored to ensure that they are effective, that they are not causing harm, and that they are not imposing disparate impacts across communities. It is also essential that data protections be enforced, and that organizations create mechanisms for individuals and experts to raise concerns and ask questions.
Centralized repositories of data elevate privacy and security risks and attract unauthorized attempts to access or use personal information. DCTT initiatives must keep data secure against both internal and external threats. Robust technical controls such as encryption in transit and at rest, role-based access limitations, and logging of access to personal data, along with regular security audits and vulnerability testing whose findings are actually remediated, are essential safeguards.
Because public health emergencies involving communicable diseases evolve quickly, coalitions supporting DCTT initiatives must ensure that the data they produce is kept current and remains fit for purpose. Initiatives, and the data and systems they rely on, must be able to adapt to changing medical, legal, social, and technical factors. Data collected in response to a crisis such as a pandemic is typically needed by multiple types of organizations in numerous jurisdictions, and interoperability between digital systems is essential to ensuring that collected information can serve its intended purpose.
When responsible organizations identify new ways to collect or use personal data, they utilize privacy impact assessments (PIAs) to systematically identify and address potential privacy issues. Given the volume and sensitivity of personal information required for effective pandemic response, including information related to health status, location and mobility, and employment, DCTT initiatives must proactively identify, document, and mitigate potential privacy risks. Best practices, frameworks, and tools for conducting privacy and data protection impact assessments are well-established in both the public and private sectors.
Individuals who choose to adopt digital contact tracing technologies should have their privacy and data protected by design and by default. To the extent possible, individuals should be able to make meaningful choices about how, with whom, and for what purposes their personal information is shared, as well as an ability to change their mind. Users should be able to view, correct, or request the deletion of their personal data, to the extent possible.
Public health initiatives collecting and handling personal information should adopt privacy-preserving and privacy-enhancing technologies from the outset. Sophisticated approaches such as differential privacy or secure multiparty computation should be considered where practical, and technical measures should be complemented with organizational and legal controls. DCTT initiatives should incorporate the most robust privacy-enhancing technologies appropriate to their analytic and public health needs, and the techniques and methodologies applied should be published to enable independent review.
Machine learning-based technologies can play a substantial role in this pandemic and future public health response measures. Experts can use machine learning to study the virus, test potential treatments, diagnose individuals, analyze the public health impacts, and more. Digital contact tracing data will provide valuable information from which such systems can draw insights into individual and group behavior. When coalitions support DCTT initiatives that expect data will be used in AI or ML research or development, additional data protection precautions must be taken.
DCTT data processed in response to the crisis should be kept only for the duration of the public health emergency. Once appropriate authorities have determined that the crisis has ended, personal information should be promptly deleted or permanently de-identified. In certain cases, it may be appropriate for non-identifiable information to be kept for limited, public-interest historical and research purposes, subject to appropriate ethical safeguards and controls.
Given both the significant benefits to society and the significant privacy risks to individuals of DCTT, it is essential that DCTT initiatives are held to the highest standards of ethical governance and digital design. Ethical reviews are also important for determining which secondary uses of DCTT data, such as public interest or historical research, are appropriate. Such review processes could consist of several components, such as review by an internal committee, an external committee, or a body of collaborative stakeholders. Ethical standards appropriate to DCTT initiatives should be defined by the groups producing or impacted by the technology.