
Given the rapid spread of COVID-19, governments around the world are trying out an array of new tracking technologies in an effort to identify where a sick person might have been and who they may have crossed paths with. Certain countries are using facial and temperature detection tools to determine if an individual is ill so they can monitor them or bar them from traveling.
In the U.S., the FDA has announced it will relax rules around health care privacy to let patients use telemedicine. It’s also broadening the number of approved devices that can be used to remotely monitor patients. What’s less clear is how long such tracking might take place, where the data goes, and how long it will be stored.
That’s a problem. We cannot solve the pandemic at the expense of our privacy.
For anyone who wants to accuse me of whining about the loss of privacy while people are quite literally dying, or of putting my concerns around data protection over helpful solutions, I’ll remind you that these are choices companies and governments are making.
For example, when Alphabet company Verily published a COVID-19 screening test almost two weeks ago, reporters looked at the privacy policy and cried foul — and the backlash was immediate. People accused the media of focusing on privacy at the expense of creating a solution. But Google could very easily write an ironclad privacy policy that ensured no data was shared outside of the confines of the COVID-19 test; it didn’t want to. Instead, it viewed the gathering of this data as extremely valuable, possibly for research later on or maybe for marketing in a post-COVID-19 world. We don’t know.
And that is the challenge facing us today. The companies that want to help track, diagnose, or monitor the spread of COVID-19 aren’t doing it out of the goodness of their hearts; they are doing it because it will help them in their business later on. This isn’t necessarily a heinous thing, but it should be transparent to users, and we shouldn’t have to make a choice between privacy and health care.
On the government side, the story is a bit different, as is the solution. In Israel, the government passed an emergency law that grants police access to the entire country’s cellphone location data. In China, a system of QR codes for payments helps track citizens as they go about their day, and can later be used to notify others if they were on the same bus or in the same place as a person diagnosed with COVID-19.
In the U.S., where universities and employers are already tracking employees using apps that monitor their location, it seems far-fetched that people would willingly participate in a China-style monitoring of people’s comings and goings, even if it were used to contain a pandemic. And yet, other Western democracies, such as Belgium and Spain, are embarking on the use of surveillance technology to track citizens so they can trace their contacts when those citizens fall ill.
In an emergency, such high-level surveillance feels purposeful, and could indeed help prevent COVID-19 from overwhelming the health care system, but we need to structure such a program very carefully. Most importantly, citizens must be told that their phones are now being tracked and information about their whereabouts is being documented and used to enforce quarantines or to track and trace contacts if they fall ill.
Any data collected for this purpose should be used only for this purpose, and the implementation of any tracking should be of limited and short duration, perhaps renewing every 30 days. If the federal or state government (personally, I think this should be federal legislation) wants to renew the 30-day tracking order, it needs to have specific and preset criteria for renewal. That means the language should set specific case numbers and/or geographic locations as a means of determining if the tracking is renewed. Epidemiologists, along with privacy experts, should help set these rules.
Laws are usually designed to be a bit vague so as to help them last for as long as possible. But in this case, we need something that’s narrowly tailored, as the data gleaned from it is so sensitive that it could be used to impinge on our basic freedoms.
Speaking of the data, it shouldn’t be used for any other purpose during the time it is collected. I further believe it should be made inaccessible for a year or longer after the order sunsets. Once it is accessible, it should only be so for research purposes, and the use of the data should be governed by an organization that acts like an Institutional Review Board (IRB).
IRBs are administrative bodies in universities and hospitals that govern how experiments on humans are run. Researchers have to present to them their plans for the data they want and follow the rules they’ve put in place. These rules could even govern how the data is secured and where the researcher could work on it. But at no point should the government or private corporations have access to it. I’m not the only one with ideas on this topic. Several privacy and human rights organizations sent a letter to Congress asking for protection and a narrow scope of use for any data collected as part of the pandemic management effort.
Consumers and organizations clearly understand that desperate times call for desperate measures, but such measures should disappear once the desperation has passed. We can’t trade our long-term privacy for short-term health — even to stop a pandemic.