Emerging COVID-19 Exposure Notification Technology, Data Privacy, and Cybersecurity Issues
By Jennifer K. Wagner, J.D., Ph.D
The ongoing COVID-19 pandemic has raised its own set of data privacy and cybersecurity issues, as people turn to technological solutions to assist with the daunting task of quickly identifying cases of infection (despite persistent problems with availability of diagnostic and serologic testing) and stopping the spread of the disease (despite the phased relaxation of public health safety measures) through contact tracing. Here we take a quick look at the emerging technologies, two competing pieces of federal legislation that have been introduced specifically to address data privacy and cybersecurity issues that COVID-19 technologies raise, and the situation in Pennsylvania.
A few introductory definitions might be helpful for those interested in this discussion but who might not be familiar with or regularly interact with public health information. The following table is intended to promote better communication among attorneys, scientists, and the public in connection with the many relevant data privacy and cybersecurity issues.
| Term | Definition | Sources |
|---|---|---|
| Case Investigation | “the identification and investigation of clients with confirmed and probable diagnoses” | CDC Guidance 2020 |
| Contact Tracing | “the subsequent identification, monitoring, and support of their contacts who have been exposed to, and possibly infected with, the virus” | CDC Guidance 2020 |
| Epidemiology | “the study of the distribution and determinants of health-related states or events in specified populations and the application of this study to the prevention and control of health problems” | JM Last. A Dictionary of Epidemiology, 3rd Ed. New York: Oxford University Press, 1995. |
| Digital Epidemiology | “epidemiology that uses digital methods from data collection to data analysis” or, alternatively, “epidemiology that uses data that was generated outside the public health system, i.e., with data that was not generated with the primary purpose of doing epidemiology” | H-E Park et al. 2018, PMC6230537; PA Eckhoff and AJ Tatem 2015, PMC4379987; M Salathé 2018, PMC5754279. For discussion of an ethical duty to participate, see B Mittelstadt et al. 2018, PMC5943201 |
| (Human) Genetic Epidemiology | “the branch of epidemiology that studies the role of genetic factors and their interactions with environmental factors in the occurrence of disease in various populations” | MJ Khoury 1997, PMID: 9360914 (citing MJ Khoury, TH Beaty, and BH Cohen 1993) |
| Molecular Epidemiology | “the study of the distribution and determinants of diseases and injuries in human and nonhuman animal populations using molecular microbiology methods” | LW Riley and R Blanton 2018, PMC6343655 |
| Infectious Disease Surveillance | “a continuous and systematic process of collection, analysis interpretation, and dissemination of descriptive information for monitoring health problems.” | LW Riley and R Blanton 2018, PMC6343655 (internal citation omitted). For history, see also L Simonsen et al. 2016, PMC5144901 |
| Syndromic Surveillance | “methods relying on detection of individual and population health indicators that are discernible before confirmed diagnoses are made.” | KD Mandl et al. 2004, PMC353021 |
Google and Apple Release Exposure Notification API
On May 20, 2020, Google and Apple made a joint announcement of their exposure notification application programming interface (API), the culmination of a collaboration announced in April 2020 to support public health authorities in their response to the COVID-19 pandemic. The Exposure Notification API is intended to facilitate “privacy-preserving proximity tracing apps” and to avoid some of the privacy concerns involved with the use of GPS location data by relying instead on Bluetooth contacts. The technology uses an “opt-in” approach and makes it possible for privacy-conscious developers to design their contact tracing apps in adherence to data minimization principles. It enables data to be generated, stored, and processed locally on the users’ own devices and only collects data from those individuals who self-report their positive COVID-19 status. Notably, however, there is nothing to prevent the contact tracing apps that connect to the Exposure Notification API from requesting user permissions and tapping into sensitive GPS location data or other identifying self-reported information, thereby possibly negating the privacy-preserving benefits of the API.
The technology’s function is fairly straightforward. Devices with apps connecting to the Exposure Notification API will exchange beacons (including an anonymous identifier or key) via Bluetooth with other smart devices nearby. Those identifiers are recorded locally on the device. If an individual uses the app later to self-report their positive COVID-19 status, the Exposure Notification API will push the individual’s recorded beacon keys from the most recent 14 days to the server. Other individuals’ devices enabled with the same app will periodically download the server’s COVID-19 positive beacon keys and check for matches against those beacon keys recorded on their device. If there’s a match, a notification is pushed indicating that the individual has been exposed to someone who has tested positive for COVID-19. The details—such as how long two devices need to be in close proximity to be considered a sufficient interaction to count as an exposure (a minimum of 5 minutes) and what information is ultimately communicated as part of any exposure notification (what the person exposed should do with that information)—are determined by the app developers for the public health authority.
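The following is an added, simplified model of the exchange just described; it is not code from Google, Apple, or any public health authority, and the way it derives rolling identifiers from a daily key (HMAC-SHA256, truncated) is an assumption chosen for illustration rather than the API’s actual cryptographic construction. It shows the privacy property the text relies on: observed identifiers stay on each device, only the self-reporting user’s keys from the last 14 days reach the server, and matching against the downloaded positive keys happens locally, with a 5-minute minimum before a contact counts as an exposure.

```python
"""Simplified exposure notification model (constructed example, not the real API)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

KEY_RETENTION_DAYS = 14      # page: keys from the most recent 14 days are uploaded
MIN_EXPOSURE_MINUTES = 5     # page: a minimum of 5 minutes counts as an exposure
ROLLING_INTERVAL_MIN = 10    # assumption: the broadcast identifier rotates every 10 minutes
INTERVALS_PER_DAY = 24 * 60 // ROLLING_INTERVAL_MIN


def derive_identifier(day_key: bytes, interval: int) -> bytes:
    """Assumed derivation: a rolling identifier is an HMAC of the interval under the daily key.
    Anyone holding the daily key can regenerate the day's identifiers; nobody else can link them."""
    return hmac.new(day_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Device:
    """One phone running the app. Everything here stays on the device until self-report."""

    def __init__(self, name: str):
        self.name = name
        self.day_keys: dict[int, bytes] = {}              # day -> random daily key
        self.observed: dict[bytes, int] = defaultdict(int)  # identifier heard -> minutes heard

    def key_for_day(self, day: int) -> bytes:
        if day not in self.day_keys:
            self.day_keys[day] = secrets.token_bytes(16)
        return self.day_keys[day]

    def beacon(self, day: int, minute: int) -> bytes:
        """Identifier broadcast over Bluetooth during this minute."""
        return derive_identifier(self.key_for_day(day), minute // ROLLING_INTERVAL_MIN)

    def record(self, identifier: bytes, minutes: int = 1) -> None:
        """Store a nearby device's identifier locally; nothing leaves the phone."""
        self.observed[identifier] += minutes

    def keys_to_upload(self, today: int) -> dict[int, bytes]:
        """On self-report, only the last 14 days of daily keys are pushed to the server."""
        return {d: k for d, k in self.day_keys.items() if 0 <= today - d < KEY_RETENTION_DAYS}

    def check_exposure(self, positive_key_batches: list[dict[int, bytes]]) -> tuple[bool, int]:
        """Expand downloaded positive keys into identifiers and match against local observations.
        Returns (exposed?, longest single-day contact in minutes)."""
        longest = 0
        for batch in positive_key_batches:
            for _day, key in batch.items():
                minutes = sum(self.observed.get(derive_identifier(key, i), 0)
                              for i in range(INTERVALS_PER_DAY))
                longest = max(longest, minutes)
        return longest >= MIN_EXPOSURE_MINUTES, longest


def simulate(contact_minutes: int, day: int = 10) -> tuple[bool, bool]:
    """Alice and Bob are near each other for contact_minutes; Carol never meets Alice.
    Alice then self-reports positive. Returns (bob_exposed, carol_exposed)."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    for minute in range(600, 600 + contact_minutes):      # a contact starting at 10:00
        bob.record(alice.beacon(day, minute))
        alice.record(bob.beacon(day, minute))
    server_positive_keys = [alice.keys_to_upload(today=day)]  # the only upload that happens
    return bob.check_exposure(server_positive_keys)[0], carol.check_exposure(server_positive_keys)[0]


if __name__ == "__main__":
    print("10-minute contact:", simulate(10))   # Bob notified, Carol not
    print("3-minute contact:", simulate(3))     # below the 5-minute threshold, nobody notified
```

Note what the server never sees in this model: Bob’s and Carol’s observation tables, and which of the downloaded keys matched. That is exactly the boundary the text says an app could erode by additionally collecting GPS location, IP addresses, or self-reported identifying data alongside the API.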
It is largely up to the states’ public health authorities to determine if and how to use Google and Apple’s Exposure Notification API, thus raising the potential interoperability, privacy, and cybersecurity issues inherent in a state-by-state approach. Three states (Alabama, North Dakota, and South Carolina) were quickly reported as having committed to using the Exposure Notification API (as were 22 countries, with Switzerland already launching the first contact tracing app using the Exposure Notification API). Other states might be reluctant to trust Google’s commitment to privacy (e.g., the Arizona Attorney General filed a lawsuit against Google alleging it continued to track Android users’ locations via its browser searches, map, and weather app features even after users disabled location tracking settings, unless a second, harder-to-locate setting was also disabled). Potential flaws have been reported for the contact tracing apps that might rely upon the Exposure Notification API, including the risk of false positives and the risk of re-identification by the public health authority if the device IP address, GPS location, or other identifiers are collected by the app (notwithstanding the efforts that Google and Apple have taken to ensure the Exposure Notification API itself limits data collection to only those who are infected and, even then, to anonymized data). One obvious challenge is that people are mobile, cross jurisdictional borders, and interact with individuals who might not be residents of the same state: states will need to determine whether to cooperate with one another and share beacon key information about those who have self-reported as COVID-19 positive so that app users in both states can be properly notified of the exposure. Neighboring states that take distinct approaches (one Bluetooth-based and the other GPS location-based) could undermine the utility of a contact tracing app by missing cross-jurisdiction notifications.
COVID-19 Might Shape U.S. Data Privacy and Cybersecurity Policy More Broadly
Experts have increasingly weighed in on the topic of technology as part of the public health response. For example, Sean McDonald has pointed out the need for governance, not merely good intentions, recognizing that “technology can cause an enormous range of harms during disaster, from using ineffective tools to enabling sweeping abuses of power.” Additionally, Michelle M. Mello and C. Jason Wang have together outlined ethical issues raised by digital epidemiology (distinct from contact tracing), highlighting how privacy-preserving technologies are actually “antithetical to effective epidemiology” and noting that “harnessing the power and ingenuity of the tech sector” necessitates “carefully placed constraints” that have not yet been created.
Two relevant and competing pieces of Federal legislation have been introduced. The COVID-19 Consumer Data Protection Act of 2020 (S.3663) was introduced on May 7, 2020 by Senator Wicker (R-MS) with four original cosponsors: Sen. Thune (R-SD), Sen. Moran (R-KS), Sen. Blackburn (R-TN), and Sen. Fischer (R-NE). The bill was referred to the Senate Committee on Commerce, Science, & Transportation, for which Senator Wicker serves as chairman. The Public Health Emergency Privacy Act (S.3749/HR.6866) was introduced shortly thereafter on May 14, 2020 by Senator Blumenthal (D-CT) and Senator Warner (D-VA), where it was referred to the Senate HELP Committee (a committee on which Sen. Bob Casey serves). A version was introduced in the House by Representative Eshoo (D-CA-18) with five original cosponsors—Rep. Schakowsky (D-IL-9), Rep. DelBene (D-WA-1), Rep. Clarke (D-NY-9), Rep. Butterfield (D-NC-1), and Rep. Cardenas (D-CA-29)—and was referred to the House Committee on Energy and Commerce (a committee on which Rep. Doyle, D-PA-18, serves). While both bills would require affirmative express consent, would set basic privacy and security requirements (including data minimization), and would give the Federal Trade Commission the primary responsibility to enforce the law, the bills differ in key aspects.
The COVID-19 Consumer Data Protection Act is framed narrowly and requires basic cybersecurity and data privacy protections. Any individual or entity that must comply with the Federal Trade Commission Act, as well as any common carrier or non-profit organization, would be subject to this law. The data covered would include personal health information only when collected for a covered purpose (i.e., tracking the spread, signs, or symptoms of COVID-19; measuring compliance with social distancing and other safety interventions; and conducting contact tracing for COVID-19 cases) as well as geolocation data, proximity data, and device data (IP address, serial number, etc.). It would expressly exclude from “covered data” any aggregated data, business contact information, de-identified data, employee screening data, and publicly available information. Individuals would have a right to “report” inaccuracies in the data but not necessarily to insist on corrections. The bill would not require data deletion but instead would give those subject to the law the option to delete or de-identify covered data when it is no longer being used for purposes related to the COVID-19 public health emergency. Reporting would be required every 60 days to indicate how many individuals are affected by the data collection, processing, or transfers. S.3663 would give the Federal Trade Commission primary enforcement authority and also allow the State/Territorial Attorneys General to enforce the law; however, it would not allow individuals a private cause of action. Notably, this version would preempt any state laws on point.
By contrast, the Public Health Emergency Privacy Act is framed more broadly, protecting a broader scope of COVID-19 emergency health data (including not only past, present, or future health status but also any other information in conjunction with it, including geolocation data, proximity data, demographic data, contact information, any other information from a personal device) and also requiring compliance by not only private individuals and entities but also public (governmental) entities with five exclusions (health provider, public health authority, service provider, de minimis collector or processor, and individual acting in personal/household capacity). The bill also offers stronger data privacy protections and data use restrictions, including important provisions (1) to prohibit the use of emergency health data for advertising; (2) to prohibit discrimination in commerce, public accommodations, employment, financial, housing, insurance, and education contexts; and (3) to prohibit the denial of voting rights based on an individual’s emergency health data, medical conditions, or participation in a program involving emergency health data. It would enable individuals to have not only the ability to report inaccuracies in the data but to “correct” them. The bill also would require data to be destroyed within 60 days of the end of the emergency or within 30 days of an individual revoking consent. Public reporting would be required every 90 days for those whose data practices affect at least 100,000 people. S.3749 would be enforced by the Federal Trade Commission, by the State/Territorial Attorneys General, and by individuals via a private cause of action with tiered relief for negligent violations and reckless, willful, or intentional violations. This version would not preempt state law.
Relevance to Pennsylvania
Reports about which states have committed to using the Google and Apple Exposure Notification API have indicated that Pennsylvania was not yet decided. The Pennsylvania Department of Health (PA DOH) website provides helpful information regarding its plans for contact tracing, including its use of the MITRE-Sara Alert contact monitoring app (which is web-based and reportedly used by at least four states—PA, WA, VT, and AR—and the Northern Mariana Islands). While PA DOH has not expressly indicated (as of May 30, 2020) whether it is building an app that will rely upon Google and Apple’s Exposure Notification API, it indicates, “The department will also examine Bluetooth proximity exposure notification technology that does not use GPS navigation data,” suggesting this remains a possibility.
In Pennsylvania, public-private partnerships have been key to COVID-19 contact tracing. Contact tracing is labor intensive, and—if the effort is to be effective in slowing and ultimately stopping the spread of the infectious disease—time is of the essence. The pursuit of technological solutions to help ease the operational burdens of that process must be expected, but it is imperative that data stewardship principles (including data governance as well as cybersecurity, data privacy, nondiscrimination) be identified, implemented, assessed to ensure their fulfillment, and continually improved.
Unfortunately, contact tracing and exposure notification for COVID-19 has become an unnecessarily partisan topic in Pennsylvania’s General Assembly, although no legislation specific to COVID-19 data privacy and cybersecurity appears to have been introduced yet.
Concluding Remarks
Like many things these days, it is uncertain whether federal legislation will come to fruition or whether a commonwealth-coordinated effort for contact tracing and exposure notification in Pennsylvania will be implemented. Nevertheless, the public health challenges of COVID-19 and the question of how to use emerging technologies responsibly will persist, at the very least, until a safe and effective vaccine has been developed and universally administered.
Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also conducts research as an Assistant Professor in the Center for Translational Bioethics & Health Care Policy at Geisinger. She is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Nature Communications; Nature Medicine; American Journal of Human Genetics; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer.