COVID-19 privacy: The debate over contact tracing and healthcare data

COVID-19 has ignited a high-level clash between President Trump and privacy experts. The president wants to find ways to reopen the battered economy. Meanwhile, privacy advocates worry about patient healthcare data with the possible creation of a national virus surveillance system.

The privacy community has raised worries about recently proposed COVID-19 contact tracing technology in smartphones as well as related tech. Three congressional Democrats sent a letter Friday to presidential advisor Jared Kushner asking for strong legal safeguards to ensure privacy of health surveillance data.

The congressional letter raised concerns that the Trump Administration is seeking help from companies with “checkered histories in protecting user privacy” and asks which companies are involved. The letter from U.S. Senators Mark Warner, D-Virginia, Richard Blumenthal, D-Connecticut, and U.S. Rep. Anna Eshoo, D-California, added, “We have serious concerns that these public health surveillance systems may serve as beachheads for far-reaching health data collection efforts that go beyond the current [pandemic] crisis…We fear that further empowering technology firms and providing unfettered access to sensitive health information during the COVID-19 pandemic could fatally undermine health privacy in the United States.”

The elected leaders also wrote that an “urgent and forceful response to COVID-19 can coexist with protecting and even bolstering our health privacy.”

Meanwhile, the Electronic Privacy Information Center has filed a freedom of information request with the U.S. Department of Health and Human Services to access a March 22 memorandum from health technology companies touting their ability to gather patient information. The companies named in the request are Collective Medical, PatientPing and Juvare.

The three companies, at the behest of administration officials, described a “national coronavirus surveillance system to give the government a near real-time view of where patients are seeking treatment and for what, and whether hospitals can accommodate them,” according to a report in Politico as described by EPIC.

EPIC is concerned about whether Trump Administration officials are undertaking steps that could violate the Health Insurance Portability and Accountability Act and other laws.

On Friday, Apple and Google unveiled a partnership on Bluetooth-based COVID-19 contact tracing technology designed to help governments and health agencies reduce the spread of the virus. Their approach includes application programming interfaces and operating system-level technology used in their competing smartphones.  

The APIs, coming in May, will enable interoperability between Android and iOS devices using apps from public health authorities, the two companies said.

In coming months, the two companies are working to enable broader Bluetooth-based contact tracing by building functions into underlying platforms. 

Users would choose to opt in for the contact tracing, as well as enable interaction with a broad ecosystem of apps and health authorities. “Privacy, transparency and consent are of utmost importance in this effort and we look forward to building this functionality in consultation with interested stakeholders,” Apple and Google said. Draft technology was released, including Bluetooth cryptography.

Google explained the process on its web site. 

Centers for Disease Control and Prevention officials have argued that increased virus testing will be the first step toward returning society to normalcy while the next step will be scaling up the capacity for tracing the contacts of those who test positive.

MIT has described a chirping technology that also relies on short-range Bluetooth signals emitted by smartphones. If a person tests positive for COVID-19, they can upload the chirps their phone has put out in the past 14 days to a database. Other phone users can scan the database to see if any of the chirps match the ones picked up by their phones. If there’s a match, a notification will inform that person that he or she may have been exposed to the virus.

“I keep track of what I’ve broadcasted and you keep track of what you’ve heard and this will allow us to tell if someone was in close proximity to an infected person,” said Prof. Ron Rivest of MIT. 

He said that cryptographic techniques will generate random, rotating numbers that are not only anonymous, but also pseudonymous, and constantly changing so that the IDs can’t be traced back to any person.
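The chirp exchange described above, as a small simulation added here for illustration; it is not MIT's code. The 16-byte chirp size, the 15-minute rotation interval, and the `Phone` class with its method names are assumptions; only the 14-day upload window comes from the article.

```python
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)    # upload window stated in the article
ROTATION = timedelta(minutes=15)  # assumed rotation interval
CHIRP_BYTES = 16                  # assumed chirp size

class Phone:
    """Hypothetical handset: keeps only local logs of chirps sent and heard."""
    def __init__(self):
        self.sent, self.heard = [], []   # lists of (time, chirp)

    def chirp(self, now):
        # Fresh random value each interval: not derived from any identity,
        # and one chirp cannot be linked to the next.
        value = secrets.token_bytes(CHIRP_BYTES)
        self.sent.append((now, value))
        return value

    def hear(self, now, value):
        self.heard.append((now, value))

    def upload(self, now):
        # After a positive test: publish only own chirps from the window.
        return [c for t, c in self.sent if now - t <= RETENTION]

    def check_exposure(self, database, now):
        # Matching runs on the phone; the heard log never leaves it.
        published = set(database)
        return [t for t, c in self.heard
                if now - t <= RETENTION and c in published]

def meet(a, b, start, intervals):
    """Two phones in Bluetooth range for some rotation intervals."""
    for i in range(intervals):
        now = start + i * ROTATION
        b.hear(now, a.chirp(now))
        a.hear(now, b.chirp(now))

def simulate():
    """Constructed scenario: Alice tests positive on 4 April 2020."""
    phones = {n: Phone() for n in ("alice", "bob", "carol", "dave")}
    meet(phones["alice"], phones["carol"], datetime(2020, 3, 10, 9), 2)  # too old
    meet(phones["alice"], phones["bob"], datetime(2020, 4, 1, 12), 3)
    meet(phones["carol"], phones["dave"], datetime(2020, 4, 2, 12), 2)
    tested = datetime(2020, 4, 4)
    database = phones["alice"].upload(tested)
    hits = {n: len(p.check_exposure(database, tested))
            for n, p in phones.items() if n != "alice"}
    return database, hits
```

The published database holds only random byte strings, so a phone that never heard one of them learns nothing from scanning it.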

MIT has a privacy-first initiative called SafePath, which is a broad set of mobile apps developed by a team led by Ramesh Raskar at the MIT Media Lab.

Smartphones already have the ability to advertise their presence via Bluetooth. One example is Apple’s Find My feature.

South Korea is using apps that notify officials if a diagnosed person has left home and can tap into a person’s GPS data to pinpoint where they have been.

MIT, like Apple and Google, would not use GPS, nor a personal ID or phone number. MIT said it is forming collaborations with Apple, Google and Microsoft.

Whether the actual smartphones can keep a user’s information anonymous might not be as important to government privacy experts as what companies do with the data they collect. A big concern is whether such companies might build profiles of a person’s health history. Another concern is that a government, including the U.S., might find ways to locate and track people with COVID-19 to prevent them from going into public places.

In the South Korean contact tracing system, alerts are being sent out that have identifiable information such as a person’s age or gender, where they work and the neighborhood where they live. That is a “lot of information that you don’t necessarily need to share in order to alert somebody,” said Josephine Wolff, an assistant professor of cybersecurity policy at Tufts University, in a CNBC interview on Monday.

Wolff said time restrictions on how long contact tracing will last could be important to users, once the virus spread slows.

Kara Swisher, a co-founder of Recode, predicted on CNBC Monday that broad legislative efforts to invoke laws that protect data privacy will be put on hold as the nation deals with COVID-19. The question is what happens to the legislation after the virus passes, she added.