ACLU sees stronger privacy safeguards in COVID-19 tracking apps

Privacy group says tracking apps OK with certain strong privacy protections

A man walks a dog along New Jersey Avenue, NW, during the coronavirus outbreak on Thursday, April 2, 2020. (Photo by Tom Williams/CQ Roll Call)
Posted April 17, 2020 at 12:13pm

The American Civil Liberties Union on Thursday said several mobile phone apps that are being developed to track and trace those who test positive for COVID-19 are incorporating stronger privacy features and those efforts are likely to encourage broader use.

The group also released a set of principles that should be considered in developing any technology-assisted contact tracing relating to COVID-19. Those principles include voluntary adoption, with no punishment for those who decline to use the apps; development of apps and programs in collaboration with public health officials; and strong privacy-preserving features.

The ACLU's moves come as Pew Research found that a majority of Americans are skeptical that tracking people through their cell phones would help curb the spread of the disease. Still, 52 percent of those surveyed said it would be somewhat acceptable for the government to track people who have tested positive for the disease in order to understand how the virus is spreading. 

Contact tracing has been historically used as a tool to contain the spread of pandemics. Typically, public health workers go door-to-door to identify those who may have come into contact with a sick person and help isolate them in order to prevent the spread of the disease.

But researchers and technology companies are turning to apps because of the fast-spreading nature of COVID-19 and the need to reopen large portions of the global economy that have been shut to prevent the spread of the virus. Widespread use of such apps could ease concerns for healthy people returning to work and coming into contact with infected individuals. The total number of cases in the United States is about 658,000 and nearly 30,000 have died.

Apple and Google have joined hands to develop a contact-tracing app.

Researchers at MIT have formed a coalition of experts drawn from the university as well as others from Brown University, Boston University, the Massachusetts General Hospital, and Carnegie Mellon University to design an app. The lead scientist on the MIT effort is Ron Rivest, a professor at the institute, who's also one of the world's leading cryptographers. The group said its approach would be "strongly privacy preserving." 

In addition, a European effort is being carried out by a coalition of 16 companies and researchers including some from the United States. 

While initial ideas on tracing individuals were based on using GPS location data from phones, the latest effort focuses on using Bluetooth signals sent out by most smartphones. The apps could be ready for use by early May. 

Bluetooth is key

"The Apple/Google proposal, for instance, offers a strong start when measured against the technology principles," Jennifer Stisa Granick, ACLU's surveillance and cybersecurity counsel said in a blog post. "Rather than track sensitive location histories, the Apple/Google protocol aims to use Bluetooth technology to record one phone's proximity to another. Like similar proposals, it relies on Bluetooth because the location data our cell phones generate is not accurate enough for contact tracing."

Anyone who voluntarily downloads a contact tracing app would enable their phone to send out a Bluetooth signal in the form of a random number every few minutes that is then recorded both by the user’s phone as well as nearby phones that have similar apps. A record of what has been transmitted and received is stored on phones for a few weeks.

When a person using the app tests positive for COVID-19, the user can then voluntarily upload a log of their Bluetooth signals to a so-called exposure database, where only the random numbers are stored with no other identifying information. Non-infected individuals can check the database to see if any of the random numbers stored on their devices match any of the numbers identified as those of an infected person. If they match, then the healthy person can decide to get tested, or isolate themselves to stop the spread.
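The exchange described in the two paragraphs above can be sketched in a few lines of Python. This is an added illustration, not code from Apple, Google or any of the projects named in the article; the 16-byte identifier size, the 21-day retention window, and the names `Phone` and `simulate` are assumptions.

```python
import secrets
from dataclasses import dataclass, field

RETENTION_DAYS = 21  # assumption: the article says only "a few weeks"

@dataclass
class Phone:
    sent: dict = field(default_factory=dict)   # random ID -> day it was broadcast
    heard: dict = field(default_factory=dict)  # random ID -> day it was received

    def broadcast(self, day, nearby):
        """Emit one fresh random ID; this phone and every nearby phone log it."""
        rid = secrets.token_bytes(16)  # assumption: 128-bit random identifier
        self.sent[rid] = day
        for other in nearby:
            other.heard[rid] = day
        return rid

    def prune(self, today):
        """Drop log entries that have aged out of the retention window."""
        cutoff = today - RETENTION_DAYS
        self.sent = {r: d for r, d in self.sent.items() if d >= cutoff}
        self.heard = {r: d for r, d in self.heard.items() if d >= cutoff}

    def upload(self, database):
        """Voluntary step after a positive test: publish only the random IDs."""
        database.update(self.sent)

    def exposure_days(self, database):
        """Match on the device: days on which a heard ID is in the database."""
        return sorted({d for r, d in self.heard.items() if r in database})

def simulate():
    """Constructed scenario: A is near B on day 1 and near C on day 30,
    D is near C on day 30, and A tests positive on day 31."""
    a, b, c, d = Phone(), Phone(), Phone(), Phone()
    a.broadcast(1, [b])
    a.broadcast(30, [c])
    d.broadcast(30, [c])      # D stays healthy and never uploads
    for phone in (a, b, c, d):
        phone.prune(31)       # the day-1 contact has expired from every log
    database = set()          # the exposure database holds random IDs only
    a.upload(database)
    return database, [p.exposure_days(database) for p in (b, c, d)]
```

In this scenario only C finds a match; B's contact with A is older than the retention window, so neither phone still holds a record of it.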

The Bluetooth-based tracking apps are "not perfect but are substantially better than location specific data," Daniel Kahn Gillmor, senior staff technologist at the ACLU, told reporters on a call.

To be really effective such contact apps must be widely and voluntarily adopted by users, and that can only happen if there are strong privacy safeguards and assurances from developers that no identifiable information would be collected and misused, Gillmor said.

Even if federal and state governments don't impose mandates, if a grocery chain, for example, requires that customers have an app on their phone in order to shop in the store, then it would not be voluntary, Gillmor said.

The use of such apps alone would not guarantee that the disease would be contained and they would be effective only when combined with widespread availability of testing for anyone who needs one. As of April 15, only 3.2 million tests had been administered in the United States. That works out to about 9.8 tests for every 1,000 Americans.

Apple and Google have said they would terminate their contact tracing app when it's no longer needed. But ACLU researchers said there must be a transparent way to audit how companies handle the information and how well they shut down the apps when the pandemic has passed.