COVID-19 is an unprecedented public health crisis. As the disease continues to spread through communities across the U.S. and abroad, information about the illness continues to evolve. To slow the spread, public health officials are turning to contact tracing as a means to track cases, identify sources of transmission, and inform people who may have been exposed to take precautions that can prevent further transmission.
Manual contact tracing is a scientifically established method that can help understand the spread of communicable diseases. For contact tracing to be most effective, people must share sensitive personal information regarding their whereabouts and the people with whom they have been in close proximity. This information allows contact tracing professionals to trace or map their locations and connect with those with whom they have been in close contact. One unique feature of the COVID-19 era is the way digital technology is facilitating these processes.
Digital contact tracing technology (DCTT) has the potential to significantly reduce the spread of COVID-19 and assist with reopening efforts. Technologies such as smartphones, mobile device applications (apps), and the network of data transfer protocols (e.g., APIs) have been pulled together to produce digital contact tracing technologies. Contact tracing apps track an individual’s exposure to COVID-19 and notify the individual if they encounter another app user who has tested positive for the virus, or who has self-reported as positive. These apps typically track users through either geolocation data or Bluetooth proximity data, or both.
Apps relying on geolocation data use GPS, WiFi, or cell phone towers to track users’ locations, while Bluetooth apps check for other nearby devices using the app and exchange a unique, often rotating, token with the other device.1 The app later searches a database of tokens registered to users who have self-reported testing positive for COVID-19 to determine if the user was exposed to the virus.2
Apps using geolocation data are considered more privacy invasive because they rely on tracking the user’s location to determine proximity to other users. Bluetooth proximity apps only collect proximity data but rely on constant broadcast from a Bluetooth device, and may be less accurate than apps relying on location data.3 This is a particular problem for centralized Bluetooth-based apps, which are not able to make use of the Google-Apple Exposure Notification API for decentralized exposure notification apps.
The design and use of these apps create privacy risks and raise ethical questions. MIT Technology Review assessed apps developed by 25 countries, while the Internet Digital Accountability Council reviewed 108 apps across 41 countries. Many of these apps failed to minimize their collection efforts and did not provide guarantees for destroying the data after a set period. Some countries’ apps also failed to place limits on the use of collected data and many of the apps reviewed did not provide transparency around their policies or design.4 By taking these concerns into account, organizations that develop or use contact tracing apps can protect both health and privacy, and increase trust in contact tracing apps and other digital tools.
While health behavior changes at the population level, such as social distancing, hand washing, and wearing face coverings, are the current best approach to containing the spread of COVID-19, both analog and digital contact tracing are important elements of a comprehensive approach to containing the spread of this viral disease. Nevertheless, DCTT raises significant ethical and privacy concerns that should be addressed through design and policy.
Public health authorities, application developers, and users of DCTT need better information on how to best preserve privacy and ensure ethical use of contact tracing data, so they can better scale contact tracing initiatives and reduce the spread of COVID-19.
BrightHive and the Future of Privacy Forum teamed up to kick off this privacy playbook to assist the coalitions of professionals invested in development and deployment of trusted DCTT. The playbook provides a series of actionable steps that purposefully address the privacy concerns of DCTT and support the development of ethical and responsible digital contact tracing protocols.
In particular, this playbook has been developed with the following types of scenarios, or use cases, in mind: 1) easing tension between application providers, public health officials, and government authorities; 2) supporting “opt-in” models for individuals to share health and location data; 3) supporting employers that are turning to internal contact tracing when their workplaces reopen.
This playbook is organized into two categories: Foundational and organizational plays, and technical and operational plays. Foundational and organizational plays create a strong, diverse coalition with a unified goal and set of values, aid in the administration of DCTT initiatives, and ensure that the coalition adheres to its shared values and gains the public’s trust. These plays are geared toward leadership, policy, and partnership roles in an initiative.
The technical and operational plays support implementing the DCTT initiative in a way that is consistent with other plays, the coalition’s values, and users’ privacy rights. These plays are geared toward technical, project management, and day-to-day operational roles in the initiative.
While plays are geared toward different roles, BrightHive and FPF advise collaborating across team and function through the lifecycle of the DCTT initiative.
Take the Next Step
This playbook was informed by the following resources: insights and recommendations from FPF workshops, publications & testimony; Georgetown Beeck Center Data Governance Handbook; Johns Hopkins Digital Contact Tracing book; Law.MIT principles and related efforts; STAT news articles and commentary; and other data protection COVID-19 guidance/resources.
BrightHive would like to thank Maithri Vangala, Natalie Ortiz, Samantha Levy, Hana Passen, Brian Lim, Autumn Felty, Joanna Tess, Kelly Dolan, Natalie Evans Harris, and Matt Gee for their expertise and contributions to the development of this playbook.
Future of Privacy Forum would like to thank Kelsey Finch, Sara Jordan, RacheleHendricks-Sturrup, Pollyanna Sanderson, Brenda Leong, and Katelyn Ringrose for theirexpertise and contributions to the development of this playbook.
Tokens are a unique identifier tied to a user’s phone. Apps that make use of rotating tokens change the token identified with a user’s phone on a regular basis. This helps protect user privacy by essentially dividing a user’s data across multiple identities. ↩
Andy Greenberg. “How Apple and Google Are Enabling Covid-19 Contact-Tracing.” Wired. April 10, 2020. https://www.wired.com/story/apple-google-bluetooth-contact-tracing-covid-19/. ↩
Sam Biddle. “The Inventors of Bluetooth Say There Could Be Problems Using Their Tech for Coronavirus Contact Tracing.” The Intercept. May 5, 2020. https://theintercept.com/2020/05/05/coronavirus-bluetooth-contact-tracing/ ↩
Patrick Howell O’Neill, Tate Ryan-Mosley, & Bobbie Johnson. “A flood of coronavirus apps are tracking us. Now it’s time to keep track of them.” MIT Technology Review. May 7, 2020. ↩
It is essential that members of a DCTT initiative coalition work with medical and public health partners to understand their data needs. Decisions about which data, analytic, and technological models to pursue should be based on medical and public health partners’ needs, their estimates of efficacy, and should be grounded in the best available evidence.
Measures taken in response to pandemics should be necessary and proportionate, to ensure that responses will be beneficial to solving the crisis without undue infringement on individual privacy and civil rights. Any personal information collected and used to control the harmful effects and spread of a pandemic should be strictly time-limited and confined to a specific, well-defined public health purpose. Historical evidence suggests that it is difficult to discontinue practices initiated during an emergency, and that proactive measures are required to avoid “mission creep.” Coalitions seeking to use personal information to control the harmful effects and spread of a pandemic should ask themselves whether or not a specific measure constitutes a necessary, appropriate, and proportionate action within a democratic society.
Trusted partners with the organizational and technical capacity to support DCTTs are essential. Some organizations, such as those with established ‘Data for Good’ programs, may already have experience sharing data in privacy-protecting ways with university, NGO, or government partners, including public health authorities. In addition, university-based programs and services, including research centers with experience in data ethics, might streamline the establishment of trusted data sharing arrangements between public agencies, companies developing and/or providing DCTT, and other institutions that will need to share data with one another to coordinate contact tracing.
At the outset of a DCT development project, establish a governance committee including partners, experts, data users, and DCTT users who will guide development of processes and procedures for collection, use, and destruction of data. This group should include a diverse array of individuals representing state and local public health agencies, privacy advocates, organizations that have the legitimacy to represent the individuals who are being asked to share their contact data, and other types of community advocacy organizations that want to support public health efforts while being responsive to ethical concerns. Do not wait until the technology solution is determined or implemented to establish and convene this committee.
While transparency on its own is insufficient to protect individual privacy, respect for individual autonomy requires that the public understand how personal data is used and protected from misuse during a health crisis. Certain public health measures, including DCTT, rely on individuals’ willingness to provide their information in service of a larger goal. In support of such measures, governments, public health authorities, and corporate leaders seeking to share data should take extra steps to engage the public and be transparent about how personal data is used, by whom, and for what specific purposes.
Meaningful and inclusive public engagement is essential to building health tools and analytics that reflect generally-held collective values, including privacy, equity, efficiency, community health, and more. If deployed un-critically, digital health technologies risk exacerbating existing societal inequalities, including racial, socioeconomic, and digital divides. Coalitions that seek to deploy a DCTT iniatitive should recognize and address such concerns, and ensure that these technologies do not subject communities to additional discrimination or unfairness.
Governments should not require individuals to share personal health information or mandate the use of digital contact training technologies. Any incentives provided to encourage the adoption of such technologies must not be coercive, but rather support their equitable and voluntary use.
In a public health crisis, the reliability and representativeness of DCTT information is vitally important. However, digital technologies and services are not always designed in ways that are accessible to individuals with disabilities and may fail to adequately record their experiences. The consequences of this sort of biased or inaccurate data can be lasting, leading to poor or inefficient decision-making, unethical or illegal data uses, or discriminatory outcomes. DCTT initiatives and features should be designed in ways that are accessible to all.
In order to maintain public trust and legitimacy, oversight and accountability mechanisms must be clear and functional at every stage in the process. Systems used to support a DCTT initiative must be continuously maintained and monitored to ensure that they are effective, that they are not causing harm, and that they are not imposing disparate impacts across communities. It is also essential that data protections be enforced, and that organizations create mechanisms for individuals and experts to raise concerns and ask questions.
Centralized repositories of data can elevate privacy and security risks and attract unauthorized attempts to access or use personal information. DCTT initiatives must keep data secure against both internal and external threats. Robust technical controls such as encryption and access limitations, along with regular security audits and vulnerability tests, are essential safeguards.
Because public health emergencies involving communicable diseases are quickly evolving, coalitions supporting DCTT initiatives must ensure that the data produced is equally dynamic. Initiatives and the data and systems they rely on must be able to adapt to changing medical, legal, social, and technical factors. Data collected in response to a crisis such as a pandemic disease is typically needed by multiple types of organizations in numerous jurisdictions, and interoperability between digital systems is essential to ensuring collected information is able to serve its intended purpose.
When responsible organizations identify new ways to collect or use personal data, they utilize privacy impact assessments (PIAs) to systematically identify and address potential privacy issues. Given the volume and sensitivity of personal information required for effective pandemic response, including information related to health status, location and mobility, and employment, DCTT initiatives must proactively identify, document, and mitigate potential privacy risks. Best practices, frameworks, and tools for conducting privacy and data protection impact assessments are well-established in both the public and private sectors.
Individuals who choose to adopt digital contact tracing technologies should have their privacy and data protected by design and by default. To the extent possible, individuals should be able to make meaningful choices about how, with whom, and for what purposes their personal information is shared, as well as an ability to change their mind. Users should be able to view, correct, or request the deletion of their personal data, to the extent possible.
Public health initiatives collecting and handling personal information should adopt advanced privacy-preserving and privacy-enhancing technologies from the outset. Sophisticated approaches such as differential privacy or secure multiparty computation should be considered where practical, and technical measures should be complemented with organizational and legal controls. DCTT initiatives should incorporate the most robust privacy-enhancing technologies appropriate given analytic and public health needs, and the techniques and methodologies applied should be published publicly to enable independent review.
Machine learning-based technologies can play a substantial role in this pandemic and future public health response measures. Experts can use machine learning to study the virus, test potential treatments, diagnose individuals, analyze the public health impacts, and more. Digital contact tracing data will provide valuable information from which such systems can draw insights into individual and group behavior. When coalitions support DCTT initiatives that expect data will be used in AI or ML research or development, additional data protection precautions must be taken.
DCTT data processed in response to the crisis should be kept only for the duration of the public health emergency. Once appropriate authorities have determined that the crisis has ended, personal information should be promptly deleted or permanently de-identified. In certain cases, it may be appropriate for non-identifiable information to be kept for limited, public-interest historical and research purposes, subject to appropriate ethical safeguards and controls.
Given both the significant benefits to society and the significant privacy risks to individuals of DCTT, it is essential that DCTT initiatives are held to the highest standards of ethical governance and digital design. Ethical reviews are also important for determining which secondary uses of DCTT data, such as public interest or historical research, are appropriate. Such review processes could consist of several components, such as review by an internal committee, an external committee, or a body of collaborative stakeholders. Ethical standards appropriate to DCTT initiatives should be defined by the groups producing or impacted by the technology.