REPORTS. NARRATIVE: -- MEREDITH: AS THE PENNSYLVANIA DEPARTMENT OF HEALTH GETS SET TO LAUNCH IT’S COVID 19 CONTACT TRACING APP, SOME LAWMAKERS ARE BRINGING UP CONCERNS ABOUT YOUR PRIVACY AN WHETHER OR NOT YOU SHOULD DOWNLOAD IT. >> THIS TOOL HELPS US ALL IN A WAY TO FIGHT THE SPREAD OF COVID 19 PRETTY RAPIDLY. MEREDITH: BUT MEGHNA PATEL WITH THE DEPT OF HEALTH SAYS IT ONLY DOES THAT IF YOU WANT IT TO BY DOWNLOADING THE APP AND ACTIVELY SHARING YOUR INFORMATION. >> IT IS ABSOLUTLEY A CHOICE, IT IS AN OPTION AND IT IS A FOR THEM TO GET ALERTS IF THEY CAME IN CLOSE CONTACT WITH SOMEON MEREDITH: SHE EXPLAINED TO LAWMAKERS IN THE SENATE COMMUNICATIONS AND TECHNOLOGY COMMITTEE HEARING TODAY HOW THE APP USES BLUETOOTH TO DO THAT NOT GPS LOCATION TRACKING. , >> THERE IS ABSOLUTELY NO PERSONALLY IDENTIFIABLE INFORMATION COLLECTED IN ANY WAY THROUGH THIS APP. MEREDITH: PATEL SAID TODAY IN NORMAL CIRCUMSTANCES THE STATE COULD RETAIN THE INFROMATION FOR SEVEN YEARS BUT UNDER THIS , CONTEXT THEY WOULD KEEP THE INFORMATION UNDER TWO YEARS UNLESS THE STATE DECIDED OTHERWISE. IN LANCASTER COUNTY, I’M MEREDITH JORGENSEN, WGAL N
Are contact-tracing apps worth the privacy risk?
They’re only a tiny piece of the puzzle in helping fight the spread of COVID-19—and they’re yet to be proven effective.
![Marie Claire logo]()
Updated: 4:12 AM CDT Oct 2, 2020
North and South Dakota launched their contact-tracing app, Care19, on April 7, less than a month after COVID-19 was declared a global pandemic. Already, Vern Dosch, North Dakota’s contact-tracing facilitator, felt sure the app’s GPS location-tracking technology — used to keep an electronic diary of users’ whereabouts rather than relying on memory — would be met with some resistance.Consumer privacy concerns would surface less than two months later, when security app Jumbo Privacy published a finding revealing that Care19’s app developer, ProudCrowd, violated its own privacy policy by sharing user location data with third-party app Foursquare. Following the release of the report, Care19’s policy was amended to say that Care19 will take the location of a user’s phone and “call a service to determine nearby businesses that you may have visited.” That service is Foursquare. North Dakota is one of approximately 20 states and territories that have explored or built contact-tracing apps to supplement human-led contact-tracing efforts (which have historically aided in tracking and controlling highly transmittable diseases like syphilis, tuberculosis, and Ebola) to help fight the spread of COVID-19. An app enables users to provide contact tracers with a more detailed log of their locations or be notified faster if they’ve potentially been exposed to someone with COVID-19.One of the technologies sometimes used in such apps, GPS tracking, has raised major privacy red flags: What happens when the location data of thousands of people is hacked, sold, or shared? What about their COVID-19 results? Is that private health information out there too? What if untrusted third-party apps are developed without the involvement of public-health authorities? If companies realize they can track a person’s every move in the name of public health, what’s stopping them from doing so once the pandemic ends? Apple and Google have been pondering these questions for months. A day before Jumbo’s report on Care19 was released, the tech giants launched their joint exposure-notification technology, which uses Bluetooth rather than GPS tracking to alert app users if they’ve been in proximity of someone who has tested positive for COVID-19. The technology is not an app itself but is rather built into apps affiliated with public-health authorities. In an effort to strengthen privacy protections, Apple and Google’s exposure-notification technology identifies users through an anonymous key, which in turn generates a temporary random ID that regenerates every 10 to 20 minutes; users must explicitly choose to turn on or opt into the exposure notifications. On Aug. 5, Virginia, the first state to use Apple and Google’s technology, unveiled its contact-tracing app, COVIDWISE. If a COVIDWISE user tests positive for COVID-19, the Virginia Department of Health sends the person a randomly generated PIN. That person can then choose whether or not to notify the app of the positive test by inputting the PIN and triggering notifications to those who came in contact with him or her. North Dakota is taking notes. To ease privacy concerns and encourage user adoption, on Aug. 13, the state launched Care19 Alert, a supplement to the state’s original GPS-based app, which uses Apple and Google’s exposure-notification technology. Care19 Alert, also serving citizens in Wyoming (though not South Dakota), is the first app to use the Association of Public Health Laboratories (APHL) national key server, which securely stores the ID keys of affected users. In a perfect world, the APHL’s national server would enable exposure notifications across state lines — as long as every state created a contact-tracing app that used the exposure notification system and the APHL key server. Six months into the pandemic, many governors are still hesitant. The overall effectiveness of contact-tracing apps, which can cost millions of dollars to create, market, and maintain, has been a highly debated topic since Apple and Google first announced their joint initiative. It’s impossible to ignore the digital divide that exists between the elderly and low-income communities and the rest of society with easy access to smartphones. It also begs the following questions: What happens when people leave their phone at home? And what about the people who have access to an app but choose not to download it? For states to rally behind a tool whose efficacy has yet to be proven not only presents an issue regarding citizens’ privacy, but could also hinder larger efforts to curb the disease. “We have to proceed in thinking about how to use these tools cautiously because it’s possible to harness technology in such a way that it actually creates more work ,” explains Jennifer Nuzzo, an epidemiologist and senior scholar at the Johns Hopkins Center for Health Security, referring to the Bluetooth technology that could mistakenly alert someone of exposure when the infected person is on the other side of a wall or more than 6 feet away. “If cast way too wide of a net and they wind up identifying way too many contacts that aren’t meaningful contacts, then that could actually slow things down," she said. "Because now the contact tracers have to reach out to all of those people, and people might perceive the process to be of limited value.”For those who do choose to download a contact-tracing app but still have privacy concerns, Neema Singh Guliani, former senior legislative counsel at the ACLU, who specializes in surveillance, privacy, and national-security issues, has some advice: pay attention to the information provided and be aware of the technology the app is based on (i.e., Bluetooth or GPS), as well as terms-of-service language that can prevent users from obtaining reparations if an app violates its security standards or fails to adopt reasonable ones. Admittedly, terms-of-service agreements can be difficult for even trained privacy professionals to understand. Therefore, for contact-tracing apps to be effective and ensure public trust, they must have clear guidelines, meet benchmarks for efficacy, be integrated into a broader public-health strategy that meets the needs of those most impacted by the disease, and be accompanied by strong legal safeguards to protect privacy and other rights. Apple and Google say privacy and security remain core to the design; users must choose to turn on the exposure notifications, location data is not shared, the system isn’t monetized, and users can choose to disable exposure notifications at any time. According to the companies, Washington, D.C., Maryland, Nevada, and Virginia are expected to be the first U.S. areas to use the system. The express notifications do not impact existing apps, and users can still choose to download one if they want a different user experience. But the new tech further shows that apps may just not be worth the investment.The Centers for Disease Control and Prevention has stated that there is limited data on the performance of contact-tracing apps in the United States. On the other hand, the CDC did estimate that the U.S. would need to hire between 30,000 and 100,000 manual contact tracers. States including New York, California, and Massachusetts have already deployed manual contact-tracing programs, although case volume and low response rates have prevented them from being successful thus far. (Most states have not hired enough contact tracers to meet their needs.) The New York Times did report, however, that manual contact tracing is saving lives in high-risk areas like the Fort Apache reservation in Arizona, where people have been infected at more than 10 times the rate of individuals in Arizona as a whole. Human-led contact tracing there may not necessarily be slowing the spread, but it is preventing deaths by alerting people of possible infection before it's too late to save them. With no national app in sight, and the recent launch of Exposure Notifications Express, states are continuing to evaluate the value of contact-tracing apps while grappling with the pros and cons of maintaining user privacy within them. It’s clear that Bluetooth is the more secure technology, but location data could potentially give public-health officials the ability to determine key transmission areas. So, where do states draw the line? Is it worth it—nay, ethical—for leaders to encourage their citizens to reveal their daily whereabouts if it means helping slow the spread of the virus? The answer is murky considering the apps’ unproven efficacy. Ultimately, it will be up to the states’ leadership — and its citizens — to decide.
North and South Dakota launched their contact-tracing app, , on April 7, less than a month after COVID-19 was declared a global pandemic. Already, Vern Dosch, North Dakota’s contact-tracing facilitator, felt sure the app’s GPS location-tracking technology — used to keep an electronic diary of users’ whereabouts rather than relying on memory — would be met with some resistance.
Consumer privacy concerns would surface less than two months later, when security app Jumbo Privacy revealing that Care19’s app developer, ProudCrowd, violated its own privacy policy by sharing user location data with third-party app Foursquare. Following the release of the report, Care19’s that Care19 will take the location of a user’s phone and “call a service to determine nearby businesses that you may have visited.” That service is Foursquare.
North Dakota is one of that have explored or built contact-tracing apps to supplement (which have historically aided in tracking and controlling highly transmittable diseases like syphilis, tuberculosis, and Ebola) to help fight the spread of COVID-19. An app enables users to provide contact tracers with a more detailed log of their locations or be notified faster if they’ve potentially been exposed to someone with COVID-19.
One of the technologies sometimes used in such apps, GPS tracking, has raised major privacy red flags: What happens when the location data of thousands of people is hacked, sold, or shared? What about their COVID-19 results? Is that private health information out there too? What if untrusted third-party apps are developed without the involvement of public-health authorities? If companies realize they can track a person’s every move in the name of public health, what’s stopping them from doing so once the pandemic ends?
Apple and Google have been pondering these questions for months. A day before Jumbo’s report on Care19 was released, the tech giants launched their joint , which uses Bluetooth rather than GPS tracking to alert app users if they’ve been in proximity of someone who has tested positive for COVID-19. The technology is not an app itself but is rather built into apps affiliated with public-health authorities.
In an effort to strengthen privacy protections, Apple and Google’s exposure-notification technology identifies users through an anonymous key, which in turn generates a temporary random ID that regenerates every 10 to 20 minutes; users must explicitly choose to turn on or opt into the exposure notifications.
On Aug. 5, Virginia, the first state to use Apple and Google’s technology, its contact-tracing app, COVIDWISE. If a COVIDWISE user tests positive for COVID-19, the Virginia Department of Health sends the person a randomly generated PIN. That person can then choose whether or not to notify the app of the positive test by inputting the PIN and triggering notifications to those who came in contact with him or her.
North Dakota is taking notes. To ease privacy concerns and encourage user adoption, on Aug. 13, the state , a supplement to the state’s original GPS-based app, which uses Apple and Google’s exposure-notification technology. Care19 Alert, also serving citizens in Wyoming (though not South Dakota), is the first app to use the (APHL) national key server, which securely stores the ID keys of affected users.
In a perfect world, the APHL’s national server would — as long as every state created a contact-tracing app that used the exposure notification system and the APHL key server. Six months into the pandemic, many governors are still hesitant.
The overall effectiveness of contact-tracing apps, which can to create, market, and maintain, has been a highly debated topic since Apple and Google first announced their joint initiative. It’s impossible to ignore the digital divide that exists between the elderly and low-income communities and the rest of society with easy access to smartphones. It also begs the following questions: What happens when people leave their phone at home? And what about the people who have access to an app but choose not to download it?
For states to rally behind a tool whose efficacy has yet to be proven not only presents an issue regarding citizens’ privacy, but could also hinder larger efforts to curb the disease.
“We have to proceed in thinking about how to use these tools cautiously because it’s possible to harness technology in such a way that it actually creates more work [for contact tracers],” explains Jennifer Nuzzo, an epidemiologist and senior scholar at the Johns Hopkins Center for Health Security, referring to the Bluetooth technology that could mistakenly alert someone of exposure when the infected person is on the other side of a wall or more than 6 feet away.
“If [the apps] cast way too wide of a net and they wind up identifying way too many contacts that aren’t meaningful contacts, then that could actually slow things down," she said. "Because now the contact tracers have to reach out to all of those people, and people might perceive the process to be of limited value.”
For those who do choose to download a contact-tracing app but still have privacy concerns, Neema Singh Guliani, former senior legislative counsel at the ACLU, who specializes in surveillance, privacy, and national-security issues, has some advice: pay attention to the information provided and be aware of the technology the app is based on (i.e., Bluetooth or GPS), as well as terms-of-service language that can prevent users from obtaining reparations if an app violates its security standards or fails to adopt reasonable ones.
Admittedly, terms-of-service agreements can be difficult for even trained privacy professionals to understand. Therefore, for contact-tracing apps to be effective and ensure public trust, they must have clear guidelines, meet benchmarks for efficacy, be integrated into a broader public-health strategy that meets the needs of those most impacted by the disease, and be accompanied by to protect privacy and other rights.
Apple and Google say privacy and security remain core to the design; users must choose to turn on the exposure notifications, location data is not shared, the system isn’t monetized, and users can choose to disable exposure notifications at any time. According to the companies, Washington, D.C., Maryland, Nevada, and Virginia are expected to be the first U.S. areas to use the system. The express notifications do not impact existing apps, and users can still choose to download one if they want a different user experience. But the new tech further shows that apps may just not be worth the investment.
The Centers for Disease Control and Prevention has stated that there is in the United States. On the other hand, the CDC did that the U.S. would need to hire between 30,000 and 100,000 manual contact tracers. States including New York, California, and Massachusetts have already deployed manual contact-tracing programs, although case volume and low response rates have prevented them . (Most states have not hired enough contact tracers to meet their needs.)
, however, that manual contact tracing is saving lives in high-risk areas like the in Arizona, where people have been infected at more than 10 times the rate of individuals in Arizona as a whole. Human-led contact tracing there may not necessarily be slowing the spread, but it is preventing deaths by alerting people of possible infection before it's too late to save them.
With no national app in sight, and the recent launch of Exposure Notifications Express, states are continuing to evaluate the value of contact-tracing apps while grappling with the pros and cons of maintaining user privacy within them. It’s clear that Bluetooth is the more secure technology, but location data could potentially give public-health officials the ability to determine key transmission areas.
So, where do states draw the line? Is it worth it—nay, ethical—for leaders to encourage their citizens to reveal their daily whereabouts if it means helping slow the spread of the virus? The answer is murky considering the apps’ unproven efficacy. Ultimately, it will be up to the states’ leadership — and its citizens — to decide.
