California has joined 18 other states, Washington DC, Guam, and Puerto Rico, by deploying a new digital exposure notification system to warn individuals if they’ve been exposed to someone with COVID-19. The app-based system uses technology co-designed by Google and Apple earlier this year that allows smartphone users to activate contact tracing functionality on their devices while maintaining some modicum of privacy and anonymity.
Privacy and Security Issues Abound
The efficacy of such exposure notification systems depends on how widespread their use becomes, with experts targeting a minimum 80% user adoption rate as ideal. California officials remain hopeful, but given the experience of other states, they expect usage rates to be lower than that mainly due to individual privacy concerns. (This spring, research by Pew found that 54% of American adults believe it is “unacceptable for the government to track the location of those who have tested positive for COVID-19.”)
Around the globe, numerous other countries, including the European Union, have deployed some form of digital contact tracing. They too have encountered varying levels of user acceptance.
While the effectiveness of such an approach for contact tracing remains questionable due to low adoption rates, two areas of concern for individuals and businesses persist: data security and user privacy.
- Just what data is being collected and by whom?
- Where is the data stored?
- How is it shared?
- Is the data connected to an individual’s health care and other personal information?
- Who has access to it?
- Is an individual’s other data on the device at risk?
- If the data gets compromised, who’s responsible?
Is It Really Private?
Contact tracing apps work by constantly tracking the location of individuals, storing that information, and allowing users to notify others if they test positive for COVID-19. Of course, all that information is supposed to be anonymous and private . . . but is it?
The joint project by Google and Apple attempted to appease various privacy and data security fears through the adoption of Bluetooth proximity protocols, explicit opt-in by users, local storage of data, data encryption, and the promise of complete anonymity. As a result, the contact tracing data is supposed to be private and it, as well as other information on an individual’s smartphone, is supposed to be secure.
Still, with some 40% of the contact tracing apps deployed worldwide not using the system created by Apple and Google plus a general level of distrust, privacy and security concerns continue.
“Let’s be frank, widespread distrust of the government and big tech, plus concerns over the possibility of data breaches, have the majority of individuals reacting with skepticism to any claims of anonymity and security,” explains Eric Ludwig, founder and lawyer for Ludwig APC, a US-based full-service business, technology, privacy, and intellectual property law firm. “Experience tells us that consumers often are told one thing by big tech only to discover, usually months after the fact, that their personal information has been compromised or that their data has been collected inappropriately. Thus, deploying a strong, pro-privacy and highly secure platform is critical for widespread adoption.”
Risks for Employers?
Under most conditions, so long as employers respect confidentiality laws, they can require employees to report whether they are experiencing coronavirus/COVID-19 Symptoms, subject them to temperature checks before they enter the workplace, force them to wear Personal Protective Equipment, and even require them to submit to COVID-19 viral tests.
What’s unclear is whether employers can require employees to use contact tracing apps. Questions remain regarding whether such a requirement violates employee privacy laws, especially related to employee activities outside of work.
“On the one hand, you have the National Law Review stating ‘there are no federal- or state-level laws specifically prohibiting an employer’s use of contact tracing apps,’” says Ludwig. “At the same time, here in California, for example, there are laws against the use of electronic tracking devices and requiring employees to provide access to their personal social media accounts. Meanwhile, you have employers with a desire to keep their doors open and protect the health of their employees. It’s complicated.”
As with any emerging areas of law, Ludwig’s recommendation is for interested parties to keep informed about state and federal changes and best practices by working with experienced legal counsel.
“When deciding whether or not to use contact tracing apps, employers must first answer whether they can or should require their usage?” Ludwig explains. “What are the associated risks around the security and privacy of employee health information and other personal data? If there are breaches, is the company at risk of fines and possible litigation? Might there be some other approach that protects employee health, but doesn’t come with such inherent privacy and security concerns?”