Digital contact tracing apps are all over the news at the moment. The anxious desire to deploy these new apps rapidly in an effort to quell the spread of COVID-19 while avoiding or forestalling potentially adverse consequences of intrusive overreach into personal privacy and the like means that will remain the case for a while.
Yet this fervent race to craft contact tracing apps has become a telling lesson in the inherent complexities that reach far beyond the merely technical and mechanical facets of putting together an app.
Many app advocates focused initially on the making of a mobile app, figuring it would be easy to program an app that would help those that either have COVID-19 or might have come in contact with someone who does.
This shallow perspective assumes that all it takes is a simple database and a means of collecting contacts, and voila, a contact tracing app is born.
The initial enthusiasm to produce such apps has given way, perhaps inevitably, to a realisation that there is a lot more to this than merely coding up a piece of software and posting it into an online app store for access.
So in this article, I review some of the latest activities and related problems emerging from the USA as it grapples with the digital contact tracing apps.
First though, I highly recommend that readers watch the recent SCL webinar co-chaired by SCL Trustee Patricia Shaw and SCL Chair Mark O’Conor with esteemed panelists Lord Tim Clement-Jones, Professor Lilian Edwards, and Adam Wagner and covering a myriad of the vexing complications that have arisen. Readers can be assured that the same difficulties and arduous hurdles are being experienced across the pond: the United States is also enmeshed in ongoing debates about how digital contract tracing apps should be deployed.
Readers would also find useful another recently aired webinar entitled “COVID + AI: The Road Ahead” which was undertaken by the globally distinguished Stanford Institute for Human-Centered AI (HAI) of Stanford University. The webinar covered socio-economic and ethics aspects about COVID-19, and included a session focused on contract tracing apps by Marietje Schaake, International Policy Director of the Cyber Policy Center at Stanford University and an HAI International Policy Fellow (she served too as a Member of the European Parliament). Her segment was entitled “Governmental Obligations for Protections During Contact Tracing” and discussed the difficulties underlying contact tracing apps.
Both these webinars show there are no easy answers.
You Need to See The Complexities In Order To Make Sound Decisions
Those discussing contact tracing apps are apt to fall into the mental trap of focusing on one particular parameter and then arguing passionately from that singular viewpoint alone, meaning that counter balancing factors are ignored.
In the USA, some states quickly rolled out a state-selected contact tracing app for widespread use. Two states, North Dakota and South Dakota decided in early April to use an app known as Care19 (made by a company called ProudCrowd).
By mid-May, an analysis by a privacy software firm revealed that the Care19 app was sharing citizen location and related personal and health-related data with Foursquare, a commercial company that provides various online search-and-discovery services and is generally well-known, claiming a base of fifty million users overall.
Such sharing of personal data was in direct contradiction of the stated privacy policy of the Care19 app and had originally been a core promise relied upon by the two states in their decision to proceed with this particular contact tracing app.
Dakotan citizens undoubtedly relied upon the stated privacy policies, and naturally assumed that their state government had fully vetted the contact tracing app prior to anointing it as the officially sanctioned means of contact tracing within their state.
Some defended the early decision made by those two states as being necessary to get a grip on the spread of COVID-19: the desire to quash the virus quickly was paramount. But does this perceived urgency override the need to ensure that any such contact tracing app properly protects privacy as promised by the app maker?
Furthermore, trust in government is becoming an ever more prominent issue. The US public has placed a sizable amount of trust in government actions that required sheltering in place and have impinged upon generally revered American principles of freedom of movement. Some would argue that the “trust reservoir” has been diminished, and will undoubtedly be sorely tested if a second wave of the pandemic emerges.
If digital contact tracing apps are rushed into use, while violating pledged privacy and transparency provisions, the public trust in government action will further dim, and likely make the handling of a second wave less amenable to public acceptance.
Wild West Of Contact Tracing Apps
Just about anybody can nowadays make a mobile app of nearly any kind.
Whereas app development used to require specialized programming skills, many of today’s apps are readily crafted via drag-and-drop capabilities and can be coded easily by almost anyone. Plus, it used to be that getting an app into the marketplace was costly and thus served as a kind of barrier to keep the riffraff from necessarily becoming widely available.
Today, there are plenty of online app stores and scrutiny of uploaded apps is often thin or at times non-existent.
How does this relate to contact tracing apps?
Some estimates suggest that there are already around 150 or more so-called contact tracing apps available in numerous online app stores, with many more likely to follow.
The University of Kansas app can serve as a good example of how such apps are proliferating. The University has announced they are going to use a contact tracing app called CVKey as they begin to reopen the campus to students and faculty. This app was developed by a newly formed non-profit that only got started in the last month or two.
Entrepreneurs like this have been jumping on the bandwagon of contact tracing apps. While they can be perceived as an auspicious embrace of altruistic or humanitarian goals to help solve a widespread health crisis, such enterprising efforts can go off the rails.
It is the wild west of contact tracing apps.
While many developers have the best of intentions, they may not be fully versed in the legal complications and, of course, some of those app makers may have more questionable motives or aspirations. There are contact tracing apps that are free to use, some that require a fee for use, and some that are free but require that you watch ads as a money-making venture for the app maker.
An example of an ad-based version has been released by a teacher in Foster City, California, who put together a contact tracing app “in his free time,” making it available in app stores, and the app conspicuously displays ads for house roofers, crossword games, etc., while acting as a digital contact tracer.
Regrettably, there are also some “contact tracing apps” that appear to be part of a computer virus infection scheme, perpetrated by scammers that are leveraging the COVID-19 pandemic (despicably) to systematically infect people’s mobile devices and home computers. Even benign apps can nonetheless contain cyber-security holes that would allow some bad actor to take over the app or use the app as a portal into the personal data on someone’s mobile device.
In short, the contact tracing app as an innocent soldier in the war against COVID-19 has the sad and real possibility of becoming a tool of malicious actors.
States And Federal Efforts, Along With Congressional Bills Proposed
Each US state is considering adoption of contact tracing apps at their own discretion and pace.
So recently, a (somewhat bi-partisan) bill in the U.S. Congress – the Exposure Notification Privacy Act – has been released in an initial draft for review (posted on June 1, 2020), aiming to provide an overarching federal perspective on the contact tracing app topic.
Getting such a bill approved is surely going to be an arduous process.
The officially stated precepts underlying the draft bill are reproduced below:
The Primary Role Of Public Health Authorities
• The Act prohibits any automated exposure notification service not operated by or in collaboration with a public health authority.
• The Act requires that automated exposure notification services only allow submission of medically authorized diagnoses of infectious diseases.
Ensuring Individuals’ Rights
• The Act empowers individuals to control their participation in an automated exposure notification service; individuals’ consent must be freely given and anyone can withdraw at any time.
The Act allows participants in an automated exposure notification service to have their data deleted at any time.
• The Act makes it unlawful to discriminate against, or otherwise make unavailable to an individual, any place of public accommodation based on data collected or processed through an automated exposure notification service.
Data Restrictions To Preserve Privacy
• The Act prohibits operators of automated exposure notification services from collecting or using data beyond what is necessary to implement such services for public health purposes. Operators are prohibited from collecting or processing data for any commercial purpose.
• The Act creates strong cybersecurity and breach notification safeguards.
• The Act requires recurring and ongoing data deletion obligations.
• The Act makes allowances for public health research.
Strong Enforcement
• The Act empowers the Federal Trade Commission and State Attorneys General to pursue violators.
• The Act allows the FTC to pursue civil penalties for first-time violations.
• The Act protects state privacy rights, ensuring that consumer privacy and health laws remain in place.
Keep in mind that the above verbatim indication is what the bill authors assert that the proposal contains and as ever it will be subject to protracted wrangling, scrutinized for loopholes and inevitably end-up embodying numerous adjustments and revisions. Earlier such bills – the Public Health Privacy Act and the COVID-19 Consumer Data Protection Act of 2020 – were proffered by contrasting congressional parties, leading to spirited debates.
One criticism of the latest bill, already voiced by some, is that it could be interpreted as swaying toward the use of the Google/Apple protocol which only goes to show how difficult it will be to resolve differences of opinion about what such a bill ought to do or ought to contain.
Note that neither Google and nor Apple is aiming to produce contact tracing apps but are instead providing an underlying protocol and operating system mechanisms on others can build on. It remains to be seen whether app developers will choose to use those protocols, and also whether the government will mandate their use or allow developers to make their own choices.
All of which, highlights the seemingly intractable tensions that infuse the governance of contact tracing apps, with still unanswered questions such as:
- How far should a potential federal mandate go toward shaping what the states can otherwise individually opt to do?
- If states are later covered by a federal mandate, will those states be grandfathered, or will they need to alter their practices to conform with a new law?
- Should there be an overarching mandate of a governmentally chosen contact tracing app as a “gold standard” upon which all adoption shall be prescribed to take place?
- Should the government itself craft and field contact tracing app(s), in lieu of private enterprises or potentially in addition to commercial efforts?
- Will the public be mandated to utilize contact tracing apps, or will it be an entirely voluntary choice to use or not use them?
- Will a market of disparate and wholly unrelated contact tracing apps dilute their potency in helping to combat the virus? If so should an overarching national repository or federally maintained database be crafted to collect together the otherwise scattered data?
- To what degree should the contact tracing apps be centralized?
- Which federal or state or local entities will police “rogue” contact tracing apps and how will such illicit efforts be lawfully halted or penalized for transgressions?
- How long will the collected data be in existence (sunset clause) and what are the access provisions and restrictions, plus how will those be enforced and ascertained to be of proper capability?
- Will contact tracing apps generate spates of false negatives and false positives, undermining faith in their use and the overall adoption?
- How will we measure whether the use of apps has been beneficial, outweighing the anticipated downsides? And what will indicate that the use of contact tracing apps has reached a point of when their use can be reduced or they can be put into hibernation until future such need arises?
Use Of Human Contact Tracers
While much attention has been on the use of apps, there are concerns that the use of human contact tracers is being ignored.
It is estimated there could some 100,000 to possibly 300,000 human contact tracers employed in the US (this forecast is based on a Johns Hopkins University study).
This is a patently staggering number yet it is not receiving notable media focus.
Human contact tracers can earn around USD $60,000 per year, according to various estimates, an attractive amount of pay given that unemployment in the US has hit high levels; plus, tracers can work from home and little experience or education is required. These contact tracers will be involved in calling, texting, emailing, and otherwise making contact with the public, doing so to presumably and exclusively deal with contact tracing related to COVID-19.
Some are concerned that this alternative method of collecting data will be vulnerable to potential issues of personal privacy intrusion:
- Can the contact tracers be trusted to abide by privacy provisions?
- Will some contact tracers opt to go outside their assigned purview for other purposes?
- Will some contact tracers intentionally break the law for nefarious purposes?
- Will the databases and systems used by contact tracers have sufficient privacy protections?
- And so on.
In addition, there are worries that scammers will pretend to be official contact tracers and convince unsuspecting members of the public to share private info or even pay monies as though believing that a governmental agency is requiring them to do so.
Once again trust becomes of critical importance.
Guidelines By The CDC
The US federal health protection agency known as the CDC (Centres for Disease Control) provides information about contact tracing and the role of contact tracing apps.
Here are a few helpful links:
- CDC’s official website about COVID-19 contact tracing
- CDC provides an explanation about what digital contact tracing tools for COVID-19 are intended to do,
- CDC’s Preliminary Criteria for the Evaluation of Digital Contact Tracing Tools for COVID-19 with minimum and preferred requirements set out under 14 headings such as availability, contact notification and trustworthiness.
Conclusion
Many of the technical, legal and social complexities of contact tracing apps discussed here apply worldwide.
What seems like a relatively simple task of coding a mobile app actually encompasses substantial and deeply ingrained legal and social ramifications whatever contact tracing app is devised.
Dr Lance Eliot is our new Associate Editor for Computers & Law covering the USA and he is a globally recognized expert on AI & Law, including columns that have amassed over 3 million views in Forbes and AI Trends, he serves too as the Chief AI Scientist for Techbrium and is a Stanford Fellow at the Stanford Center for Legal Informatics in Stanford, California, USA. He has also been an adviser to the Vice Chair of the US Congressional Committee on Science and Technology.
