WASHINGTON - U.S. lawmakers and rights groups are raising concerns about privacy protections and civil liberties as health authorities study China, South Korea and other nations for insights into deploying big data in the fight against the COVID-19 pandemic.
So far, the United States has made limited use of available data to fight the outbreak. Instead of using cell phone location data to track down individuals exposed to the virus, public health officials have relied on such data to monitor trends and hot spots.
But once the number of new COVID-19 cases levels off and the Trump administration and governors move to lift lockdowns and other social distancing measures, the contact tracing techniques used with varying degrees of success in other countries are likely to gain currency in the U.S.
Contact tracing is a public health procedure of identifying people who have come into contact with an infected person and follow-up gathering of additional information on these people.
Jennifer Granick, the surveillance and cybersecurity counsel at the American Civil Liberties Union, said contact tracing could be useful when testing for exposure to the virus becomes more widely available.
But she warned that any use of phone records must be transparent and voluntary, and the data must be destroyed once the crisis is over.
“When data collection is useful for an important public good, we have to make sure we can protect privacy as much as possible and get effective use of the tool or the data,” Granick said during a press call with reporters last week.
In the two years since the European Union implemented a landmark privacy regulation known as the General Data Protection Regulation (GDPR), Republican and Democratic U.S. lawmakers have been pressing for similar protections for American consumers.
Now, the heightened focus on the use of data in the fight against the COVID-19 virus has pushed concerns about privacy protections to the forefront.
On Thursday, the Senate Committee on Commerce, Science and Transportation convened the first congressional “paper hearing” via the internet on big data and the coronavirus. In his opening statement, Senator Roger Wicker of Mississippi, the committee chairman, said any use of personal data must come with privacy protections.
“Reducing privacy risks begins with understanding how consumers’ location data — and any other information — is being collected when tracking compliance with social distancing measures,” Wicker said. “Equally important is understanding how that data is anonymized to remove all personally identifiable information and prevent individuals from being re-identified.”
Senator Maria Cantwell of Washington State, the top Democrat on the panel, warned against "hasty decisions that will sweep up massive, unrelated datasets."
“And we must guard against vaguely defined and non-transparent government initiatives with our personal data,” Cantwell said. “Because rights and data surrendered temporarily during an emergency can become very difficult to get back.”
Last year, both Wicker and Cantwell introduced privacy bills that would give American consumers privacy protections similar to the EU’s GDPR.
The U.S. drive to make greater use of cell phone location data to contain the virus stems in part from similar efforts in China, South Korea, Singapore, Israel and elsewhere.
In China, the government collected cell phone location data on millions of residents with the goal of identifying individuals exposed to a person infected with the virus. Using the infected people’s location records, the government then identified, tested and, if necessary, quarantined people.
This was one of several methods China used to bring the virus outbreak under control.
“This kind of tracking is part of what China has been doing in its seemingly successful effort to suppress the virus, which has fed the appeal of such tracking,” the ACLU said in a white paper released last week.
In the paper, the ACLU highlighted several problems with this method.
For one, cell site location information and GPS data are not accurate enough to pinpoint whether two people were recently in "close contact" with each other.
As the Chinese discovered, cell site location data "generated too many false positives," said Jay Stanley, a senior policy analyst with the ACLU.
GPS data "is probably good enough to tell you that you were near a mosque or an abortion clinic ... but not good enough to figure out who you were close enough to potentially be exposed to COVID," Stanley said.
Other problems: computer algorithms are not always reliable and cell phone location data are scattered among "a whole ecosystem of privacy-invading companies," Stanley said.
In South Korea, officials took a different approach to deploying big data.
They used an infected person's cell phone location data to retrace his or her steps and then published their "anonymized" or anonymous location histories through phone apps and websites. Residents who learned through the apps they may have been exposed to the virus were quickly tested.
But while effective in containing the outbreak, South Korean authorities "are not doing a good job anonymizing the data," the ACLU said.
"One alert informed the public, for example, of a '43-year-old man, resident of Nowon district' who was at his work in Mapo district attending a sexual harassment class," the report said.
In the U.S., authorities have shunned such intrusive techniques. Instead, they have largely relied on aggregate cell phone location data to monitor trends and people's movements in and out of hot spots.
Experts say such aggregate location data usually don’t present privacy concerns as they involve information about large groups of people rather than individual location histories.
Yet contact tracing by both individuals and health authorities is likely to grow in use once the COVID-19 infection curve is flattened and the virus becomes more geographically localized.
Contact tracing apps use a combination of self-reported health status and location history and allow users to avoid exposure to the virus.
Apple and Google on Friday announced plans to develop a joint contact tracing app using Bluetooth technology. The app allows users to report their positive diagnosis and to receive alerts when they're in close contact with an infected person.
Ryan Calo, a law professor at the University of Washington, warned that digital contact tracing of the kind used in Singapore, South Korea and Israel has significant potential for “unintended consequences, misuse, and encroachment on privacy and civil liberties.”
To the extent that contact tracing efforts have been effective in these countries, “they have not been voluntary, self-reported, or involved self-help,” Calo said in written testimony to the Senate Commerce Committee. “Rather, public officials have forced compliance and dispatched investigators to interview and, if necessary, forcibly quarantine exposed individuals. I see it as an open question whether Americans would be comfortable with this level of state expenditure and intervention.”