Lawmakers warn coronavirus contact-tracing is ripe for abusive surveillance

Smartphones could discreetly detect those who may have COVID-19 and nudge them to quarantine. But some fear that a massive digital contact-tracing infrastructure could become a hulking, invasive surveillance system. (Koichi Kamoshida / Bloomberg)

It is a big promise from Silicon Valley to a nation looking for ways to be freed from home confinement: Smartphones could discreetly detect those who may have COVID-19 and nudge them to quarantine, blunting renewed outbreaks as Americans start to once again venture out.

But as tech firms lay the foundation for a potentially massive digital contact-tracing infrastructure, Washington is grappling with whether such technology can work without becoming a hulking, invasive surveillance system.

It is a vexing problem that could leave Americans exposed to another vast intrusion in their everyday lives by governments or big tech companies.

Apple and Google, which are leading the efforts to develop tracking apps, have pledged that participation would be voluntary and include guardrails to protect confidentiality. But the inability of Congress to pass meaningful data-privacy rules — and the poor track record of many tech firms in protecting privacy — heightens the risk, lawmakers and outside experts say.

“If information about who has COVID-19 gets into the wrong hands, it could lead to things that are harmful,” said Rep. Anna G. Eshoo (D-Menlo Park).

She is among several lawmakers calling on the Trump administration to place strict limits on what contact-tracing data can be collected and shared. The White House has so far issued none, even as it consults behind closed doors with tech firms on the development of a tracing infrastructure.

“Without a national privacy law, this is a black hole,” Eshoo said.

The technology, which Google and Apple plan to launch in mid-May, enables people to have their phone track the Bluetooth signals emitted by the phones of every other person with whom they come in close contact.

If a person tests positive for COVID-19, the disease caused by the coronavirus, an app provided by their public health department would send an alert to all other users of the app with whom the infected person had contact over the previous two weeks. Identities would not be revealed, just the day of the contact, how long it lasted, and the strength of the Bluetooth signal.

Privacy experts voice two big fears:

Such a system would only be useful if it's widely used. It's unclear if tracing technology can be effective at all if the entire system is anonymous, voluntary and inhibits the creation of large surveillance databases. So once a system is launched, there will inevitably be pressure to require some people to use it.

And if the system is widely used — and especially if it's connected to a database — there will be a huge risk that data would live on well beyond the pandemic, giving governments and corporations easy access to information about people's movements and healthcare needs that eclipses what they now have.

“What I am afraid of is some folks in the tech community will use this huge public need as a way to be invasive with private data and create a beachfront in the health sector,” said Sen. Mark R. Warner (D-Va.), a technology entrepreneur himself.

“It is not like the big platforms are coming at this with clean hands."

Before the pandemic hit, Warner was already investigating collaborations tech firms were forging with big healthcare and fitness companies.

Access to healthcare data could enable tech companies to build profiles of people's ailments and needs, exposing them to targeted marketing campaigns, and also to potential discrimination by employers, insurance companies, landlords or others.

Existing healthcare privacy rules don’t protect Americans from many of those intrusions, and even those regulations are being eased to give medical professionals flexibility as they deal with the deluge of COVID-19 patients. The potential for tech companies to aggressively move into this area has many privacy analysts unnerved.

“These companies have been lobbying all along to get the government to look the other way while they grab our healthcare information to more effectively monetize it,” said Jeffrey Chester, executive director of the Center for Digital Democracy, a group that advocates for digital privacy.

“We have to get a handle on this pandemic, but we also have to look at the motivations here.”

On the other side of the debate are people like Stewart Baker, who served as assistant secretary of Homeland Security in the George W. Bush administration and, earlier, as general counsel of the National Security Agency.

“If you asked Americans in February 2020, are they prepared to have the governor of their state tell them to go home, stay home and lose their jobs, everyone would have said no. Yet here we are,” Baker said.

Baker is urging tech companies to embrace the type of monitoring system deployed in Singapore, where the government is collecting large amounts of Bluetooth-generated data on the movements of citizens and their social contacts and notifying anyone with a contact who later turns out to be infected.

“It is a trivial intrusion on our liberty as citizens when you compare it to all the other things during this pandemic where we have said, 'This is necessary, we will do it,'” he said.

Lawmakers who have taken the lead in investigating the exploitation and abuse of user data by big tech firms worry that the point of view Baker expresses is gaining currency in the White House, as officials meet behind closed doors to develop a strategy for contact tracing. They warn of implications that could last far beyond the pandemic.

When the idea of contact-tracing apps first emerged, there were optimistic predictions that America could lean on its tech pioneers to help safely reopen the economy without the privacy intrusions embedded in tracking apps in China, Taiwan and South Korea.

That optimism, however, is fast fading. Even countries such as France and Germany, which adhere to strict privacy laws, are drafting plans for data-collection systems that step around those rules so public health bureaucracies can identify who went where, when they went there and — most importantly — who they may have come in contact with along the way.

Some prominent computer scientists involved in building contact-tracing tools in Europe are alarmed by the direction that governments there are headed.

The group, called the DP-3T Project, had been pushing a privacy-oriented approach similar to what Apple and Google have discussed — alert systems that keep the data collected anonymous and largely confined to the phones of users who opt in.

By contrast, the contact-tracing tools some European leaders are now pursuing “can easily be turned into an instrument of surveillance with considerable human rights implications," the group warned in a recent white paper.

The apps that American technology firms are developing are voluntary in theory, but companies could make their use a condition of employment, said Ashkan Soltani, a security researcher and former chief technologist for the Federal Trade Commission during the Obama administration.

“They alert the employer whether you have been in contact with someone who has been infected,” Soltani said. But, he said, the technology is full of gaps and could potentially label employees at risk when it should not.

A Bluetooth signal might be unaware that an infected individual who appeared to be in close proximity to an employee was on the other side of a wall, for example. Nor would the technology be able to register that a person identified as being at risk was wearing protective gear when they had a brush with contagion while shopping.

In some nations that are already aggressively relying on digital tracking, the technologies are far more intrusive. Taiwan is collecting personal insurance and passport travel records, as it tracks down who might be infected and orders them to quarantine.

Countries that use such systems are also digitally tagging people with different color codings, which determine whether they are permitted to move freely in public.

Officials at Apple and Google say their infrastructure is designed to avoid such intrusion. Yet Washington is full of questions about whether it can be effective if the companies abide by that pledge — and also whether these companies with a dismal record on privacy can be trusted to be in the driver’s seat at all.

Google and Apple, at least, are acutely aware of the optics. On Friday, the companies distributed a FAQ to consumers stressing that the data accumulated by them will be anonymous, impossible to monetize and will stop being collected after the pandemic.

The assurances have yet to assuage lawmakers such as Republican Sen. Josh Hawley of Missouri, a fierce critic of technology firms, who sent a letter to the CEOs of both companies last week.

“Americans are right to be skeptical of this project,” he wrote. “Too often, Americans have been burned by companies who calculated that the profits they could gain by reversing privacy pledges would outweigh any later financial penalty.”

Hawley challenged the executives to hold themselves personally liable financially if the firms break their privacy pledge.

So far, the executives have not made that commitment.