COVID-19 might get its very own PATRIOT Act, but we need privacy guarantees

Heather Federman, Contributor
Heather Federman is a privacy lawyer and VP of Privacy and Policy at BigID, a New York-based company that uses AI to help organizations be better privacy stewards for their customers by accurately tracking personal data, governing access to sensitive information and complying with privacy regulations. Previously, she headed up privacy at Macy's and American Express.

With COVID-19 infections climbing in the U.S., officials are
desperate for ways to track and control the spread, especially with limited testing available. Google and Apple announced a joint effort
last Friday to create a voluntary anonymous contact tracing network enabled by Android and iOS that would monitor the spread of infections
by keeping track of people who are infected and those with whom they come into contact
People would download mobile apps from public health officials that would notify them if they had come into close proximity with infected
people who also are using the network
The system would use Bluetooth Low Energy (BLE) transmissions rather than GPS, so location would not be tracked, and the contact data would be stored on the phone rather than in a centralized database, all of which helps maintain the privacy of participants. However, there are numerous other COVID-19 mitigation efforts that are not as privacy-friendly, because they employ location tracking and, most likely, central data storage. Google announced it will release "Community Mobility Reports" that show trends over time by geography, based on anonymized, aggregated data from the phones of people who have turned on the Location History setting.
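The decentralized BLE design described above is easiest to understand by tracing where each piece of data lives. The following is an added, deliberately simplified model written for this page; it is not the Apple-Google specification (the token size, rotation interval, tick-based simulation and all names are assumptions of this example, and the real protocol derives identifiers from keys rather than drawing them at random). What it shows is the property that matters: phones exchange short-lived random tokens, each phone keeps what it heard on-device, a diagnosed user uploads only the tokens they broadcast, and exposure matching runs locally, so no server ever sees a location or a contact graph.

```python
"""Toy model of decentralized BLE exposure notification (constructed example).

Not the Apple/Google protocol: tokens here are random rather than key-derived,
and time is a simple tick counter.  The data-flow property is the point.
"""
import secrets
from dataclasses import dataclass, field

TOKEN_BYTES = 16   # assumption for this model: 128-bit random rolling token
ROTATE_EVERY = 3   # assumption for this model: fresh token every 3 ticks


@dataclass
class Phone:
    """One handset. Everything it stores stays on the device."""
    name: str
    broadcast_log: list = field(default_factory=list)  # (tick, token) this phone sent
    seen: set = field(default_factory=set)             # tokens heard from nearby phones
    current: bytes = field(default=b"", repr=False)

    def token_for(self, tick: int) -> bytes:
        # Tokens are random and rotate, so an eavesdropper cannot link broadcasts
        # over time to one device, and nothing about location is encoded in them.
        if tick % ROTATE_EVERY == 0 or not self.current:
            self.current = secrets.token_bytes(TOKEN_BYTES)
        self.broadcast_log.append((tick, self.current))
        return self.current

    def hear(self, token: bytes) -> None:
        self.seen.add(token)

    def report_diagnosis(self) -> set:
        # The only thing that ever leaves the phone: the tokens it *broadcast*.
        # It never uploads the tokens it heard (its contacts) or any location.
        return {tok for _, tok in self.broadcast_log}

    def exposure_matches(self, published: set) -> int:
        # Matching happens on-device against the downloaded list of diagnosed tokens.
        return len(self.seen & published)


def simulate(phones: dict, encounters: dict, ticks: int) -> None:
    """encounters maps tick -> list of (name, name) pairs within BLE range."""
    for tick in range(ticks):
        tokens = {name: p.token_for(tick) for name, p in phones.items()}
        for a, b in encounters.get(tick, []):
            phones[a].hear(tokens[b])
            phones[b].hear(tokens[a])


def run_demo() -> tuple:
    """Constructed scenario: alice and bob are close for ticks 0-4, carol meets nobody.

    Returns (bob's matches, carol's matches, number of tokens alice published).
    """
    phones = {n: Phone(n) for n in ("alice", "bob", "carol")}
    encounters = {t: [("alice", "bob")] for t in range(5)}
    simulate(phones, encounters, ticks=10)

    # alice is diagnosed and uploads her own broadcast tokens to the shared list
    published = phones["alice"].report_diagnosis()

    bob_hits = phones["bob"].exposure_matches(published)      # 2 distinct tokens heard
    carol_hits = phones["carol"].exposure_matches(published)  # 0
    return bob_hits, carol_hits, len(published)


if __name__ == "__main__":
    print(run_demo())
```

Two things to notice when reading the output: the published list is just 16-byte random values with no owner, location or timestamp attached, and bob's phone can conclude it was near a diagnosed device without anyone, including the list's operator, learning that alice and bob met. That is the privacy claim the article makes for the BLE approach, and it is the property a central location database cannot offer.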
Facebook and other companies are providing anonymized, aggregated mobile phone data to epidemiologists around the world as part of the COVID-19 Mobility Data Network. And the Centers for Disease Control (CDC) is tracking the anonymized movements of American citizens based on location data from mobile advertising companies.
Privacy advocates consider these sorts of tracking mechanisms invasive and unsettling. The data does help reveal which public spaces are still drawing crowds and can guide subsequent policy decisions, but it raises concerns. While I applaud government efforts to stop the spread of infections more effectively, there need to be specific conditions and limitations on how this data is used, or we as a nation will face serious consequences.
The government must mobilize to combat this invisible enemy, but we must also have parameters for how data is protected and used
Specifically, we need five guarantees.

Temporality

The PATRIOT Act, passed just six weeks after 9/11, gave the government unprecedented power to spy on American citizens.
This may have made sense at the time, but the government continues to vacuum up millions of phone calls and text messages to this day
If companies like Google and Facebook are willing to share data with the government, there needs to be a clear and defined period for the time span of the sharing and the retention period of that shared data.

Civil liberties

Following the September 11th attacks, law enforcement departments like the NYPD conducted illegal surveillance of the local Muslim population.
That program has been compared to the Japanese-American internment camps of World War II and the FBI surveillance of African Americans who
opposed segregation in the civil rights movement. We must not allow this current pandemic to become another example of civil liberties
falling by the wayside
The data being shared to protect us now cannot be used for surveillance or discrimination, now or in the future.

Transparency

Any company that shares sensitive data, such as location data, with the government must be required to provide timely and complete transparency reports that are easy for the public to interpret.

Limited use and purpose specification

The OECD Fair Information Practice Principles (FIPPs) state that personal data should not be used for any purpose beyond the specified purpose of the data processing activity.
We've witnessed numerous media exposés and regulatory actions against companies that shared location data for secondary purposes. In this case, location data collected and used to limit the spread of the virus should only be used for that specific purpose.

Data security

The government's well-meaning intention to protect citizens does not automatically mean it will secure their sensitive data.
If anything, there will likely be an uptick in cybercrime during the pandemic
The government owes it to its citizens to ensure the appropriate administrative, technical and physical safeguards are in place. As U.S. officials explore their options, it is unclear what lessons from history or what types of data protections, if any, are actually being discussed.
We can only go on what we've heard from news reports: Palantir, the data mining company that uses War on Terror tools to track Americans, is in talks with the CDC to do data collection related to disease tracking. Facial recognition company Clearview AI, which has been harshly criticized for selling its software to law enforcement, private companies and authoritarian regimes, is talking to state agencies about using its data-driven insights to track infections. Unacast has been giving local counties social-distancing grades based on citizens' location data.

Let freedom ring

The U.S. does need to find a practical path forward.
There are actually several different types of location data collected, used and shared by a variety of commercial entities, so it would be best to first determine which data is most valuable and who the key partners are.
Doctors, researchers, academics, ethicists and legal experts should be actively included in conversations with these tech companies. In
addition, privacy preserving techniques must be used when sharing location data
The Apple-Google joint effort is the latest; others include Private Kit: Safe Paths and the MIT SafeTrace platform, which also allow users to voluntarily share data through means that are anonymized, decentralized and encrypted. The challenge here is that it is difficult to actually guarantee that anonymized data (data that has no chance of identifying a person) is truly anonymous without additional contractual, technical and administrative controls.
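The point that "anonymized" location data is hard to guarantee anonymous is concrete enough to demonstrate. The block below is an added example written for this page, not code from the article or from any of the companies named in it; the traces, pseudonyms, grid cells and the k threshold are all constructed. It strips names and replaces them with random pseudonyms, exactly as a naive anonymization would, and then shows that a few spatio-temporal points an adversary already knows about a person (morning home cell, evening workplace cell, a lunch spot) are enough to single that person's whole trace out, and that most people in the set are identified by a single point nobody else shares. It closes with one of the technical controls the text calls for: an aggregated release with small-count suppression.

```python
"""Why 'anonymized' location data is hard to guarantee anonymous (constructed example).

The traces carry random pseudonyms and no names, yet a few (hour, cell) points
known from elsewhere are enough to re-identify a person.
"""
from collections import Counter

# Constructed dataset: pseudonym -> list of (hour_of_day, grid_cell) sightings.
TRACES = {
    "u1": [(8, "H7"), (9, "T2"), (12, "C1"), (18, "W3"), (22, "H7")],
    "u2": [(8, "H7"), (9, "T2"), (12, "C4"), (18, "W3"), (22, "H7")],
    "u3": [(8, "H7"), (10, "T5"), (12, "C1"), (18, "W9"), (21, "H7")],
    "u4": [(7, "H2"), (9, "T2"), (12, "C1"), (18, "W3"), (23, "H2")],
    "u5": [(8, "H7"), (9, "T2"), (13, "C4"), (18, "W3"), (22, "H7")],
    "u6": [(8, "H4"), (9, "T2"), (12, "C1"), (18, "W3"), (22, "H4")],
}


def reidentify(traces: dict, known_points: list) -> set:
    """Linkage attack: pseudonyms whose trace contains every known (hour, cell) point.

    Each added point shrinks the candidate set; once it is a single pseudonym,
    that person's entire trace is exposed even though no name was ever released.
    """
    return {pid for pid, pts in traces.items() if all(k in set(pts) for k in known_points)}


def point_counts(traces: dict) -> Counter:
    """How many distinct pseudonyms were sighted at each (hour, cell)."""
    counts = Counter()
    for pts in traces.values():
        counts.update(set(pts))   # set(): count each person once per point
    return counts


def users_with_unique_point(traces: dict) -> set:
    """Pseudonyms that visit at least one (hour, cell) nobody else visits.

    Any one of those points, learned from a receipt, a photo or a check-in,
    identifies the person outright.
    """
    counts = point_counts(traces)
    return {pid for pid, pts in traces.items() if any(counts[p] == 1 for p in pts)}


def aggregate(traces: dict, k: int) -> dict:
    """Aggregated release with small-count suppression.

    Drops any (hour, cell) seen by fewer than k people, so no published count
    corresponds to a handful of identifiable individuals.  This is the kind of
    additional technical control the text refers to; it is a mitigation, not
    a proof of anonymity (repeated releases can still be differenced).
    """
    return {p: c for p, c in point_counts(traces).items() if c >= k}


if __name__ == "__main__":
    for known in ([(8, "H7")], [(8, "H7"), (18, "W3")], [(8, "H7"), (18, "W3"), (12, "C1")]):
        print(len(known), "known point(s) ->", sorted(reidentify(TRACES, known)))
    print("identified by a single point:", sorted(users_with_unique_point(TRACES)))
    print("k=3 release keeps", len(aggregate(TRACES, 3)), "of", len(point_counts(TRACES)), "cells")
```

On this small constructed set, one known point leaves four candidates, two leave three, and three pin down one pseudonym; five of the six people are also singled out by some point only they visited. That mirrors the well-known result on real mobile phone data (de Montjoye et al., "Unique in the Crowd", 2013) that four spatio-temporal points uniquely identified about 95% of individuals. The suppression step shows why the page's contractual, technical and administrative controls have to sit on top of the data rather than being assumed from the word "anonymized".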
And platforms that rely on users voluntarily submitting their location and health status could end up with a low adoption rate, leading to skewed and inaccurate results. Should it then be left up to our government to mandate that all American citizens with a smartphone share their location data in the name of public health? Whatever happens, now more than ever, it is imperative that our local, state and federal authorities weigh the various data sharing proposals in a manner that puts the American citizen first.