Dena M. Castricone: I am thrilled to have Dayle as a guest author on my blog for this series. Dayle is a talented privacy lawyer with a keen ability to boil down complex concepts like contact tracing . Hopefully, Dayle will be a frequent contributor to the DMC Law blog!
This is part one of a two-part series focused on COVID-19 contact tracing technology and its implications for US privacy law. The next installment of this series will examine legislative solutions to protect data subjects from misuse of information collected through contact tracing apps and related technologies.
What is Contact Tracing?
Contact tracing is a manual method that state and local public health agencies (PHAs) use to track suspected or confirmed infections and notify individuals who may have had exposure to an infected person. PHAs are tasked with optimizing public health and safety and contact tracing is an important tool to achieve that end. While there are privacy concerns surrounding the general concept of contact tracing, legislatures and PHAs tend prioritize the public good of infectious disease management over the attendant privacy risks.
Contact tracing is not new. Epidemiologists have used contact tracing to battle the spread of infectious disease for at least a hundred years. During WWI, the US Military screened American troops to track and halt the spread of syphilis and gonorrhea. In the latter half of the 20th century, the World Health Organization led a global effort to eradicate smallpox and tuberculosis, relying heavily on contact tracing and vaccination. More recently, the World Health Organization helped countries suppress the 2014-2015 Ebola outbreak through systematic contact tracing.
PHAs conduct contact tracing by drawing on the infected person’s memory of places they went and people they saw while they were infectious but undiagnosed. Manual contact tracing relies on the accuracy of an infected person’s memory and the ability of PHAs to deploy a large enough workforce to quickly interview infected people and notify exposed contacts. To be effective for COVID-19 mitigation purposes, manual contact tracing relies on the infected person’s accurate recollection of the prior two weeks and knowledge about all of those with whom they had close contact.
What are Apple and Google building?
With the spread of COVID-19, contact tracing technology is making headlines as nations seek new ways to manage the pandemic. Across the globe, countries are investigating and leveraging technology to track and halt the spread of COVID-19. In response, Apple and Google developed a new technology to address the limited efficiency and accuracy of manual contact tracing. Their application programming interface (API) is essentially a courier that software developers can use as a foundation for contact tracing apps.
Mechanically, APIs function like the server at a restaurant. The server takes, executes, and delivers the customer’s food order. An app is the restaurant itself: the knives, forks, tables, walls, menu, décor, dining style—the experience. Suffice it to say, a restaurant needs the server to take, relay, and deliver the dine-in order to the restaurant customer. Much the same, apps leverage APIs to deliver an experience to the end-user.
Because APIs require an app to conduct contact tracing, many PHAs are commissioning compatible apps. For example, MIT is in the midst of developing an app called PACT: Private Automated Contact Tracing to aid in US-based contact tracing efforts. Meanwhile, Austria, Germany, Ireland, and Switzerland are also developing compatible contact tracing apps.
Can this technology boost the efficacy of contact tracing without getting creepy?
Apple and Google’s API functions using Bluetooth beacons. Bluetooth beacons are a string of random numbers, or “chirps,” broadcasted and received by a Bluetooth-enabled device. The strength and duration of the chirp tells the receiving device the proximity and duration of exposure to the chirp’s source. Chirps do not carry any personally identifiable information (PII) and they operate without any connection to the internet. Most importantly, the user must affirmatively turn on the chirp functionality and voluntarily download an API-compatible contact tracing app. Simply downloading a software update like iOS 13.5 will not automatically activate contact tracing. Only after the app is downloaded and the chirp is enabled, will the device broadcast chirps and capture the ones it encounters. As a result, the device owner must consent to sending and receiving the chirps. Privacy professionals call this “opt-in” consent.
The API adds a layer of complexity to the resulting data sets by changing the emitting device’s chirp every ten to twenty minutes. This variance makes it difficult to identify and track the chirper because no name, location data, or other PII is associated with the chirp. Next, the system stores the list of chirps the device has sent and received on each individual device. The device does not share that list at all unless its owner opts-in to sharing their COVID-19 diagnosis with the relevant PHA via the app.
Once the list is shared with the PHA, the agency will make those anonymous lists accessible through the app. Users can then direct the system to periodically cross reference the updated PHA list. This allows the system to determine whether the user came into contact with an infected person. If the system detects a matching chirp it will prompt the user to take additional steps, like consulting with the PHA, self-quarantining, or seeking medical attention.
Randomized chirps, siloed data, and decentralized databases add an important layer of complexity that makes de-anonymization more difficult, especially because the resulting datasets are only accessible to the PHA behind each app—not Apple and not Google.
Is this technology anonymous?
For all practical purposes, yes—or at least it is more private than traditional contact tracing. Many state laws mandate that health care providers report certain disease diagnoses to state and local officials anyway. Public health agencies use this information to track and mitigate the spread of diseases that significantly impact community health. Contact tracing is a key part of those efforts. Whether officials undertake that process manually or with the use of technology, PHAs will receive data on designated communicable diseases, such as COVID-19, and contact tracing will continue. And all contact tracing methods, whether manual or technology-assisted, are imperfect and raise privacy concerns…
If used as intended, the technology described above increases the accuracy and efficiency of contact tracing without sacrificing an impactful amount of privacy. The API demonstrates the real-life application of several core privacy principles like privacy by design and privacy by default. As a result, connecting the Bluetooth beacons back to the originating device and then to a specific individual would require a chain of convoluted events. Because of the API’s design, the resulting data sets will likely be of limited utility even if they are used in ways that deviate from the original intent of collection.
However, no aggregated data set can be irreversibly private since advertisers, nosey people, and ne’er-do-wells will always exploit cracks in any system. Even governments operating in the name of the public good are cause for concern. As noted in a recent IAPP article, in 2017 private aggregators like 23andMe and AncestryDNA made a database of genetic information available to California law enforcement. While the data sharing resulted in capture of a serial killer, it also drew ire for what may well have been a massive warrantless search in violation of the Fourth Amendment.
We need more than strong privacy design to protect against nefarious data use and functionality creep. American law makers must pass legislation addressing the use of COVID-19 contact tracing data to ensure the information cannot be exploited for uses outside of the intended purpose. Part two of this series will explore proposed legislation and the possibility of leveraging existing laws like HIPAA to lend some guard rails to the use of COVID-19 contact tracing data.
Dayle Duran is a privacy lawyer in Massachusetts and holds a CIPP/US certification through the International Association of Privacy Professionals.
 Principles of Contact Tracing, CDC, https://www.cdc.gov/coronavirus/2019-ncov/php/principles-contact-tracing.html.
 Frederick Holmes, MD, Medicine in the First World War, University of Kansas Medical Center, http://www.kumc.edu/wwi/index-of-essays/venereal-disease.html.
 Frequently asked questions and answers on smallpox, World Health Organization, https://www.who.int/csr/disease/smallpox/faq/en/; Matt Begun, et al., Contact Tracing of Tuberculosis: A Systematic Review of Transmission Modeling Studies, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3762785/.
 Ebola publications: surveillance contact tracing, laboratory, WHO, https://www.who.int/csr/resources/publications/ebola/surveillance/en/.
 TraceTogether, safer together (Singapore), https://www.tracetogether.gov.sg/; COVIDSafe (Australia), https://www.health.gov.au/resources/apps-and-tools/covidsafe-app#get-the-app; ; NHS COVID-19 App (United Kingdom), https://www.nhsx.nhs.uk/covid-19-response/nhs-covid-19-app/Stopp Corona (Austria), https://participate.roteskreuz.at/stopp-corona/; TraceCovid (United Arab Emirates), https://tracecovid.ae/; ProteGO (Poland), https://www.gov.pl/web/cyfryzacja/zycie-po-kwarantannie–przetestuj-protego.
 Privacy-Preserving Contact Tracing, https://www.apple.com/covid19/contacttracing.
 PACT: Private Automated Contact Tracing, https://pact.mit.edu/.
 Patrick Howell O’Neill, et al., A flood of coronavirus apps are tracking us. Now it’s time to keep track of them., MIT Technology Review, https://www.technologyreview.com/2020/05/07/1000961/launching-mittr-covid-tracing-tracker/.
 Fact check: Apple’s iOS 13.5 update does not automatically activate contact tracing or allow the government to “track” users, Reuters (May 26, 2020), https://www.reuters.com/article/uk-factcheck-apple-update/fact-check-apples-ios-135-update-does-not-automatically-activate-contact-tracing-or-allow-the-government-to-track-users-idUSKBN2322TF.
 Exposure Notification Frequently Asked Questions (May 2020 v1.1), Apple|Google, https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotification-BluetoothSpecificationv1.2.pdf.
 Ann Cavoukian, Ph.D., Privacy by Design The 7 Foundational Principles, https://iapp.org/media/pdf/resource_center/pbd_implement_7found_principles.pdf.
 Evelina Manukyan, Joseph Guzzetta, How function creep my cripple app-based contact tracing, IAPP Privacy Advisor, https://tinyurl.com/y9k4kjg8.