COVID-19 and Digital Contact Tracing: Regulating the Future of Public Health Surveillance

Digital surveillance tools—technological means of monitoring, tracking, and notifying—are at the forefront of public health response strategies for the COVID-19 pandemic. Comprehensive and effective digital public health surveillance requires that public health authorities, regulatory powers, and developers consider interdisciplinary approaches. This entails accounting for the use of proximity data and Bluetooth technology; notification systems from technology companies; and laws and regulations associated with health information, biometric privacy, and mobile data. Of particular importance is incorporation of epidemiological considerations in development and implementation of digital tools, including usability across mobile devices, interoperability, regulation of literacy and disability compatibility, and incentivization for adoption. It is both feasible and prudent that the United States establish a federal network for public health surveillance aided by digital tools, especially considering that waves of COVID-19 are expected to continue well into 2021 and while the threat of other emerging infectious diseases persists.

Introduction

Given the scale of the coronavirus disease 2019 (COVID-19) pandemic, dependence on traditional contact tracing1 alone may prove insufficient for countries to effectively and efficiently track and trace the spread of the severe acute respiratory coronavirus 2 (SARS-CoV-2).2 With continued reliance on digital connectivity for numerous aspects of our lives, digital surveillance tools provide a potential opportunity to supplement existing contact tracing initiatives by facilitating the fast identification of known and unknown contacts.3 Pressure is mounting to develop epidemiologically-useful digital tools, as states across the United States continue lifting stay-at-home orders and attempt to return to normal operations.4 Over twenty states are currently considering, designing, or implementing digital contact tracing tools.5 The accelerated development and launch of these tools demand that we consider the interests of privacy, efficiency, and effectiveness in shaping the future of digital surveillance for emerging infectious disease threats and other existing public health issues.6

This Article discusses important aspects for the development and implementation of digital contact tracing tools, the demand for robust data stewardship, and the need for the U.S. federal government to create a regulatory framework for governing these tools and any future surveillance technologies for public health. Of importance are: (1) the overall development and regulation of digital surveillance tools within the context of epidemiology;7See infra Part I. (2) requirements related to protected health and medical information;8See infra Part II. (3) the formulation of a federal contact tracing program compared to state-level solutions;9See infra Part III. and (4) security and privacy concerns about cellphone tracking data.10See infra Part IV. However, considerations need to be made regarding: (1) important factors for user interfaces to promote adoption of the tools;11See infra Part V. and (2) alternative solutions to contact tracing apps that may be better options for nationwide, and even global, public health surveillance.12See infra Part VI. It would be feasible for the U.S. government to establish a national network for contact tracing, and considering that waves of COVID-19 are expected to continue well into 2021, the time to take a proactive stance is now.

I. Developing Digital Surveillance Tools

Contact tracing is a well-established method of tracking and tracing the spread of a virus to slow, and potentially stop, virus transmission during outbreaks.13Gostin & Hodge, supra note 1. Typically, case investigators conduct interviews with positively diagnosed individuals to establish their movements and interactions in order to identify, notify, and interview others possibly infected.14 However, traditional techniques are limited in the context of the COVID-19 pandemic and its scale, particularly given the possibility of transmission between strangers and asymptomatic carriers.15

Additionally, a trust deficit exists that reduces the willingness of many individuals to provide information about their whereabouts and interactions to government entities16—exacerbated by virally syndicated misinformation.17 The design and implementation of digital contact tracing tools, and exposure notification18 tools, should be grounded in the principle of proportionality,19 establishing data collection and processing at a scale that is: (1) proportional to the severity of the public-health threat; (2) limited to what is minimally necessary for achieving specific public-health objectives; and (3) scientifically justified.20 And notably, the recent partnership between Google and Apple is driving the design of contact tracing and exposure notification apps and other digital notification systems.

A. The Significance of the Google & Apple Partnership

Google and Apple partnered to provide a novel contact tracing application programming interface (API).21 The Google-Apple Exposure Notification (GAEN) API is inspired by the European consortium Decentralized Privacy-Preserving Proximity Tracing protocol (DP-3T) for exposure notification, and enables expanded access to Bluetooth scanning for apps using the API, improving the ability for signal detection between Android and Apple devices.22 The API also smooths operating functions and spares battery life but only for official public health authority (PHA) apps that adopt a decentralized design and abide by their Terms of Service (Terms).23

These Terms stipulate that the collection of location data is prohibited, data must be used only for COVID-19 response efforts, and developers must follow their retention limitation and non-discrimination requirements.24Id. Apps using the API must also obtain user consent for both app installation and the processing and sharing of positive diagnoses.25 The apps must also allow users to uninstall the apps.26Burgess, supra note 25. PHAs retain the power to determine the criteria to trigger an exposure notification and app customization, such as adding a symptom tracker or case mapper (e.g., the contact tracing app used in the United Kingdom).27Id.

Some locales have cited inadequate technical expertise and lack of resources as a barrier to implementing contact tracing or exposure notification apps.28 In September 2020, Apple and Google launched Exposure Notification Express, making exposure notification functionality a native component in operating systems of Apple and Android devices, which removed the need to download an app and lowered the barrier to entry for PHAs.29 Individuals merely need to opt-in to participation following a system update, sidestepping the hurdle of downloading a specialized app.30 However, functionality is only available when supported by a PHA that must deploy a “test verification server”31Id. to validate positive diagnoses during key uploads, and a “key server”32 to handle key uploads and downloads. PHAs remain responsible for determining risk exposure and customizing system notifications and alerts. Washington, D.C., Maryland, Nevada, and Virginia are expected to be among the first U.S. states and territories to implement Exposure Notification Express, with others likely to follow.33

1. Issues of Interoperability

For contact tracing to be effective, an app or digital tool from one state must be cross-compatible with those developed in another state. With people increasingly travelling across state borders, the ability for apps and digital tools to recognize one another is absolutely crucial for tracing exposures and preventing new hotspots of infection from emerging.34 Inconsistencies between state-level contact tracing apps could cause significant interoperability issues, particularly if some apps are centralized and others are decentralized.35 The Centers for Disease Control and Prevention (CDC) has stated that if apps are not interoperable, this could add burden on PHAs for integrating data seamlessly into their case management, contact tracing systems, and workflows, which would further exacerbate issues of siloed data management amongst state authorities.36

The European Data Protection Board (EDPB) has encouraged European Member States to have “a common European approach in response to the current crisis, or at least put in place an interoperable framework.”37 The EDPB stated that “[i]n order to promote the effective application of data protection principles, a common level of data minimisation and a common data retention period should be considered.”38Id. at 4. The EDPB also stressed that interoperability should not lead to increased collection of information, due to a lack of coordinated approach, or to decreased data security or data accuracy.39Id. Furthermore, the EDPB stated that “ensuring interoperability of [contact tracing apps with different underlying approaches] is technically challenging and may require substantial financial and engineering effort.”40Id. at 2.

North Dakota, South Dakota, Utah, and Rhode Island were among the first to implement contact tracing apps not based on the Apple Google API.41 In contrast to these contact tracing apps, which are centralized and can be location- or Bluetooth-based, exposure notification apps are decentralized Bluetooth-based apps that can use the GAEN API. A few states in the United States have initiated development of their own exposure notification apps, with Virginia42 being the first state to deploy an official app, followed by Alabama, North Dakota, and Wyoming.43 With the use of the GAEN API, there is potential for these and other state-level exposure notification apps to be connected via shared protocols to streamline data collection and sharing.44 In mid-July 2020, the Association of Public Health Laboratories also announced that it will host a national key server to support all U.S. states, allowing exposure notification app users to receive alerts even when travelling across state borders.45 Additionally, Google updated its Exposure Notification System to provide PHAs more flexibility in determining the level of risk associated with detected exposure, improve accuracy detection, and support for inter-country interoperability.46Burke, supra note 5.

Interstate interoperability for both contact tracing and exposure notification apps could be authorized and implemented through the U.S. Congress’s power to regulate interstate commercial activity.47 Some states may instead argue that public health measures, such as involuntary quarantines, are reserved for states to use at their discretion.48 It is in absence of federal regulation that states and territories retain the ability to exercise their powers to establish protocols, which could undermine interoperability.49 Furthermore, the complete lack of a federal solution creates an imbalance between states with varying levels of funding and technological sophistication among their public health departments. This imbalance creates a unique opportunity for private sector actors like “Big Tech” firms to effectively parachute into public health departments and provide turn-key contact tracing solutions, as seen with GAEN.50 In practice, states (which often have small cybersecurity budgets) must contract with a private developer to develop an app, host the data if centralized, and maintain information security.51 Divergence between state-offered apps could result in multiple apps with differing security issues.

B. Designing Contact Tracing Apps

The two major technologies involved in app development are Global Positioning System (GPS) technology (associated with location data) and Bluetooth technology (associated with proximity data).52 While some countries have adopted privacy-invasive surveillance strategies that rely on multiple pieces of personal information,53 others instead have developed contact tracing apps for individuals to download onto their smartphones including: (1) centralized location-based apps that typically rely on GPS location, WiFi, and cell tower data; (2) centralized Bluetooth-based apps; and (3) decentralized Bluetooth-based apps, as in exposure notification apps.54

1. Centralized Location-Based Apps

Centralized location-based contact tracing apps were the first to be deployed during the beginning months of the pandemic, such as Israel’s “HaMagen” in March 2020.55 Within this design category, location data is typically stored in two main ways. Israel’s app stores data on the internal memory of mobile devices, and with consent, this data may be transferred to a centralized server if an individual tests positive for SARS-CoV-2.56 In contrast, Norway, Bahrain, and Kuwait opted for apps that carry out “live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server.”57 This information is easily linked to individual users, as each of these countries requires users to register with a national ID number or valid phone number.58Bahrain, supra note 57.

However, GPS technology has documented issues with pinpointing a device’s movements, particularly in instances requiring differentiation between adjoining buildings.59 Experts have stated, “[c]urrent localization technologies [i.e., GPS location and WiFi] are not as accurate as the use of Bluetooth-based proximity detection, and may not be accurate enough to be consistent with medically suggested definitions for exposure.”60 Nevertheless, such tools could be used to support traditional contact tracing efforts, for instance assisting with identification of outbreak hotspots and memory recall of an individual.61 When deployed for these goals, contact tracing apps, such as Rhode Island’s “Crush COVID RI,” do not require widespread adoption in order to be effective.62 However, apps that utilize location-based approaches also bring many more surveillance risks, issues with public trust, and challenges in fully anonymizing data,63 as location data is very sensitive and difficult to truly anonymize.64

2. Centralized Bluetooth-Based Apps

Bluetooth technology is associated with fewer privacy risks than GPS and may also provide more accurate proximity data due to its increased precision (albeit at shorter range), though some have argued to the contrary.65Johns Hopkins Project, supra note 52. Bluetooth does require a bit of lag time for phones to sync to share information with those nearby.66 Additionally, the technology also struggles to determine whether a device is one or ten meters away from another device67—a crucial distinction for contact tracing, where the former may be categorized as an epidemiological contact and the latter would not.68

The inherent measurement error of Bluetooth technology can potentially deliver a number of false positive proximity events, whereby the app notifies a user that they may have been exposed in a proximity event when they actually have not been exposed.69 Besides leading to unnecessary anxiety and interference with a person’s life, false positives also strain testing capacity70 and may lead to notification fatigue, causing individuals to lose faith in the efficacy of the system and stop acting on its recommendations.71 There are also concerns of false negatives, which are exceptionally worrisome as it equates to Bluetooth devices being unable to sync and thus failing to identify a true exposure at scale.72

Several countries, including Singapore, Australia, France, and the United Kingdom, have utilized centralized Bluetooth-based apps. The U.K.’s National Health Service (NHS) app,73 which launched in May 2020,74 required individuals who tested positive for SARS-CoV-2 to upload both their personal phone ID code and the phone IDs of recent contacts to a central server. The NHS app allows individuals to upload their own randomized anonymized ID to a central database. Then, the app routinely checks for “matches” with other persons who have tested positive and were previously in their vicinity.75Id. Although these IDs are “anonymized,” officials are still able to view the entire network of contacts.76Servick, supra note 35. The centralized design allows health officials and researchers to check whether the appropriate individuals are receiving notifications.77Id. They can view all smartphones that receive an alert and whether those users later reported symptoms or a positive test through the app.78Id. This additional context can improve calculations about the accuracy of alert notifications, and enable PHAs to suppress notifications in “edge-cases,” when risk of inferential re-identification is high.79

Ultimately, the U.K. government abandoned the NHS app for a decentralized model once the technical and interoperability limitations of the centralized model became evident.80 During testing, the NHS app logged only one out of twenty-five contacts between people when it was used on iPhones.81 The French and Australian apps also have similar accuracy challenges, resulting in 460,000 of the nearly two million individuals who installed France’s app to uninstall the app soon after downloading it.82 In general, centralized Bluetooth-based apps struggle to recognize each other, and privacy protections baked into operating systems may prevent Bluetooth from continually sending out signals or passively scanning in the background.83 Additionally, requiring individuals to always have Bluetooth enabled on their mobile devices, as well as having their devices remain constantly unlocked and apps open, is not only a major inconvenience and battery drain,84 but also increases the risk of malicious actors hacking into user mobile devices for other criminal means.85

3. Decentralized Bluetooth-Based Apps

Decentralized Bluetooth-based apps that utilize the GAEN API do not suffer from the same technical limitations. Many countries, including Belgium, Estonia, Finland, and Switzerland, have opted for the decentralized approach where the data related to a cellphone’s recent interactions are isolated to only that device.86 This prevents the government, or any other centralized entity such as Apple or Google, from collecting a user’s proximity information—greatly reducing privacy and data security risks. Preliminary adoption evidence from the Swiss app demonstrates a proof-of-principle that digital contact tracing could be an effective complementary tool for reducing the spread of COVID-19.87

Over the past few months, privacy-minded research groups have led the charge for developing more widely-accepted protocols, including the DP-3T88Troncoso et al., supra note 22. and Private Automated Contact Tracing (PACT).89Chan et al., supra note 60. Privacy advocates have also encouraged decentralized approaches for contact tracing apps, arguing that the decentralized approaches leave data related to users’ social networks less vulnerable to hacking or exploitation.90 The European Parliament has also explicitly favored the decentralized approach.91 Unfortunately, the United States continues to lag in national efforts to implement an appropriate digital contact tracing network and is relying on each state to develop apps that must be epidemiologically relevant for nationwide, and even potentially global, contact tracing while maintaining privacy and security standards.92

C. Are Apps Even Necessary?

As established, the concept of digital contact tracing is similar to that of traditional methods,93 where individuals are asked to voluntarily self-isolate and monitor for symptoms based on their previous proximity to an infected person—the key difference now being the potential use of mobile devices and wearable technology to identify exposure events, and in some cases, to enable latent tracking of an individual’s actual location and movements.94Ferretti et al., supra note 2. It is important to stress that contact tracing and exposure notification apps should be considered only as a supplement to other traditional and ongoing public health response efforts. Placing too much significance and trust in location or proximity data as a panacea capable of stopping the spread of the disease is not only naive, but also creates a false sense of security for the general public.

Furthermore, aiming for tech exceptionalism and individualism in the context of contact tracing and exposure notification apps decreases their effectiveness and increases privacy risks. The creation of digital contact tracing and exposure notification tools should be viewed as a complement to improving diagnostic, screening, and surveillance testing initiatives. Additionally, contact tracing technologies should encourage ongoing relationships between the public and PHAs.95 Digital contact tracing apps and exposure notification tools would be of most use when incorporated in an ecosystem that involves the expansion of local, community workers to collect contact tracing data in confidence.96See id.

Effective digital contact tracing necessitates credible and equitable public health response. Ongoing discussions on success of contact tracing apps have been primarily concerned with adoption97—not the actual fidelity of the tracing and notification systems. While decentralized Bluetooth-based designs are the primary choice for digital tools, technological limitations with proximity data mean that manual review will still be necessary.98 To date, there is still no nationwide contact tracing app, leaving state and local authorities in charge of contact tracing whether in-person or via digital means. Neither the U.S. Department of Health and Human Services (HHS) nor the CDC—nor any other U.S. federal agency—appears interested in deploying a nationwide contact tracing app, burdening states with not only the responsibility of developing an app but also regulating it.99

The inability to have a one-size-fits-all solution should not stop the development of a national network that uses experts from relevant sectors to create a balanced contact tracing initiative. This requires that public health authorities and digital surveillance tool developers consider the following: (1) regulating standards for universal usability and accessibility, as well as incentivization, to promote adoption of and engagement with apps; (2) practices that are feasible for individuals with older mobile devices and non-smartphones; (3) state- versus federal-level issues regarding biometric privacy regulations, interoperability of apps across state boundaries, and enforcement of app usage in varying jurisdictions; and (4) security and privacy laws and rulings regarding health information and collection of mobile data.100Majumder & Desai, supra note 6.

It is particularly important that epidemiological and public health initiatives are equally integrated into a framework that involves regulation of privacy protections101 for mobile surveillance including transparency, adequately encrypted data management, limited scope of purposes and temporal limitations for collected data, anonymity, and informed consent.

II. Public Health Considerations

Current evidence that COVID-19 contact tracing and exposure notification apps would help control the epidemic is limited102Digital Contact Tracing, supra note 4. and fails to account for issues of public literacy, privacy rights and regulations, and digital inequities. A popularly cited model originating from a team at the University of Oxford was misreported as suggesting that COVID-19 apps need to be used by at least 60%103 of the population to control the current coronavirus outbreak.104 More recently, Oxford researchers have published further research that suggests digital contact tracing can help to control an epidemic at low levels of app uptake.105 Other COVID-19 researchers also state that adoption at lower levels would still have a positive effect on curbing the spread.106 However, others have suggested that contact tracing should occur at least at a 50% level to have a beneficial reduction in community spread.107

Nevertheless, the 60% figure has been frequently misreported in the United States,108 and has arguably impacted policy decisions related to contact tracing apps, leading some experts to call for contact tracing apps to be mandatory109 and for others to lose hope in the technology.110Kreps et al., supra note 97. In reality, contact tracing apps are not a zero-sum proposition, but rather one tool—once appropriately developed and regulated—to supplement other response efforts to reduce the rate of transmission.111 Recognizing this, the Massachusetts Institute of Technology has clarified and reiterated that adoption at rates lower than 60% may have an impact on controlling an outbreak.112 Regardless, without considering the social inequities and inequalities, the efficacy and ease of success for such applications should still be questioned.113Servick, supra note 35. As researchers and app developers around the world race to build and refine these digital tools, it is important to consider issues needed to win public trust and therefore widespread adoption of this measure.

A. Usability Across Disparate Populations

Approximately 95% of the U.S. population owns a cellphone, but only about 85% of individuals currently own a smartphone.114 Proactive measures must be taken to mitigate this inherent bias against those less likely to own a smartphone or have internet access, including individuals who have lower educational attainment, lower income earnings, are of a racial minority population, live in rural areas, and/or are of senior age.115 Concentrating on a population that potentially biases against these individuals means that usage of these apps would also be biasing against persons who are more likely to be without adequate healthcare access and/or are vulnerable to poorer health outcomes116—a contradictory proposal for an initiative concerned with public health. In this light, special attention should accentuate: (1) how any apps will reflect data from marginalized communities; and (2) should the app indicate infection clusters, the potential impact of labeling such communities as hotspots. Minority communities have experienced higher rates of SARS-CoV-2 infections and COVID-19 cases as a result of systemic issues,117 and there must be assurances that exposure and tracing data will not be used to further marginalize these communities.

Additional resources to respond to COVID-19 should also be distributed to areas most affected by lack of smartphone access to mitigate these inequalities. Various approaches have already been suggested to increase participation among this demographic. For example, the federal government could distribute wearable tracking beacons for individuals to wear—an approach that is being considered in a number of U.S. schools to overcome smartphone ownership gaps.118 This would be similar to Singapore, where the government has initiated distribution of “TraceTogether Tokens,” wearable tracking devices, to individuals who do not own smartphones (including migrant workers) and those who would prefer to not download an app onto their mobile device.119 However, this would entail the development of additional security and privacy extensions of current laws to apply to wearable devices.120 Furthermore, even with these interventions, the proliferation of uneven broadband access across the United States undermines the effectiveness of digital contact tracing and exposure notification tools, particularly in under-privileged and rural areas.121

Any contact tracing and exposure notification app and digital tool that comes to the market needs to be able to work on a variety of devices, especially allowing for interoperability between devices that use different operating systems. Such apps developed with Google and Apple’s API will work most effectively on Apple and Android devices, which account for three billion smartphones around the world.122 However, many smartphones utilize other operating systems, or even older operating systems, considering that most smartphones appear to last approximately two and a half to three years.123 Furthermore, consideration should be allocated to feature phones, not just smartphones, that use operating systems that would be incompatible with these newly developed apps.

B. Regulation of Literacy and Disability Compatibility

App design is crucial for contact tracing and exposure notification apps to truly be considered a universal proposition. This entails requiring the integration of usable, accessible, and universal design concepts for any app that is available on the market.124 In order to best meet accessibility principles, apps must have a usable design that meets the International Organization of Standardization’s (ISO) codes for usability.125 This means that efficiency, efficacy, and satisfaction should drive important features of usability including: (1) maintaining software equality and compatibility;126See discussion supra Section II.A. (2) developing the app with a human-centric approach; (3) meeting usability testing and assurance standards; and (4) designing a user interface that drives engagement across all people.127See Bevan et al., supra note 125. User interface design is particularly complex, and if the ISO’s guidelines prove too restrictive for app developers, HHS has established a set of interactive user interface guidelines that provide a similar level of considerations for usability while allowing more flexibility for users.128

In general, many apps lack accessible design and are poorly adapted for use by disabled people.129 Approximately 26% of the U.S. population, and about 15% of the global population, lives with some disability.130 Apple’s iOS has special “Accessibility” features for apps,131 but these features may only enhance user experience and engagement if the user interface is designed to maintain a simple structure and includes easy to read text at an accessible literacy level.132 This means that developers should consider limiting dynamic and animated aspects in apps while also using large buttons on static screens.133 In terms of the text itself, typeface should be of a basic structure and large size to account for those who have various issues with vision.134 Additionally, contrast ratios and color contrasts are important design aspects that need to be standardized.135

Furthermore, the content of the material presented in the app should conform to average literacy capabilities in the United States and provide accurate translations for major non-English languages. Approximately only four in five U.S. adults have English literacy skills to complete low-level inferences, and those who are traditionally non-English speakers are at lower literacy levels overall.136 Given the disproportionate rates of COVID-19 in communities of color, and communities where English may not be the first or only language spoken in the home,137 developers should be cognizant of the ways in which their apps can support or hamper the health of users from a design standpoint.

Developers should aim to implement universal design in their contact tracing and exposure notification apps. In this way, the design of the app is such that all people can use the app, to the greatest extent possible, without needing to implement additional parameters for adaptation.138 Not only are these products designed to minimize or eliminate the addition of extra assistive technologies but are also easily compatible with common assistive technologies and hardware should they be needed.139Id. Following rules outlined in the Americans with Disabilities Act,140 and fostering compliance enforced by FCC and HHS would help to ensure that developers are truly attempting universal design in their contact tracing and exposure notification apps before releasing those apps to the market.

C. Adoption Incentivization

Perhaps the largest obstacle to tackle is the inevitably limited scope and scale of the data collected by contact tracing apps. First, if privacy issues dictate that contact tracing apps must allow for user opt-in, how efficient and effective will these apps even be for epidemiological purposes? A recent survey suggests that over 60% of the U.S. population would likely install a contract tracing app on their smartphones.141 However, researchers have shown that adoption of new health behaviors relies on a complex relationship of psychological, sociological, and cultural factors at the individual level.142 Furthermore, it is a difficult undertaking to convince such a majority of the country to: (1) trust in the privacy and security standards implemented; (2) believe in the efficacy of the apps; and (3) actively use the app.143 By making exposure notification functionality available at the operating system level of Apple and Android devices, the Exposure Notification Express tackles these obstacles head-on for at least exposure notification–based tools.

In the context of centralized apps, there is the potential—albeit of low likelihood144—that governments not only use contact tracing apps for disease surveillance, but also use the location or proximity data to enforce travel restrictions and quarantine orders, including validation of fines and potential criminal charges.145 Privacy advocates continue to warn of “mission creep”146 and that government access to such health information could be used in discriminatory manners, such as the development of “immunity passports” that would allow only those who have not tested positive for SARS-CoV-2 to be able to travel.147 Additionally, the mandatory use of an app for monitoring locations in the context of quarantine enforcement is challengeable under the United States v. Jones test.148 If the government instead focused on a binary solution for quarantine compliance,149 this would perhaps be a feasible solution without breaking the law,150 but this focus on privacy of information fails to consider a person’s right to privacy of place.151

If individuals feel coerced into adoption, this could undermine trust in public health authorities and other strategies used to mitigate COVID-19. Additionally, mass acceptance of voluntary contact tracing and exposure notification apps may require that individuals believe in the call to action for society as a reason for adopting such public health behaviors.152 With nearly 40% of COVID-19 infections being asymptomatic,153 the current acceptance level of public health behaviors,154 the proliferation of misinformation,155 and the politicization of scientific and health information,156See generally id. a voluntary effort is unlikely to achieve sufficient scale for properly tracking the spread of the virus. This is especially true without the implementation of a comprehensive nationwide strategy to: communicate the individual and societal benefits; provide monetary and non-monetary incentives; and provide additional assurances that the privacy and fundamental rights of individuals and groups will be protected. For instance, only roughly 4% of Virginia’s population downloaded their contact tracing app in the first week of release,157 with the anticipation that only a portion of these users will actually use the app appropriately. This contrasts with Ireland’s adoption rate of 37% and Germany’s adoption rate of over 20%.158

Incentivization may be a useful option for promoting enough adoption and use of contact tracing and exposure notification apps to get to a sufficient level of engagement in the United States. To help policymakers and public health experts “revise their messaging and reverse the erosion of government trust,” another suggestion might be to link participation with direct benefits,159 whereby participation is potentially integrated with a wage replacement program set up for the purpose of supporting those affected by COVID-19. Referencing NFIB v. Sebelius,160NFIB v. Sebelius, 567 U.S. 519 (2012). Congress could also establish, within a federal framework, a tax incentive for contact tracing app usage—either providing those who engage with the app a type of tax deduction or creating a tax penalty for those who do not follow the mandate. In this way, users would become more likely to opt in for use of contact tracing and exposure notification apps, similar to the influx of Americans who signed up for Affordable Care Act161 insurance plans.162 This would create a type of mandatory requirement for usage but still allow users to have the ability to choose to opt in or deal with a monetary penalty. However, economic incentives such as these may also be criticized as a form of economic coercion, with a greater impact on under-privileged communities.

III. Health & Biometric Privacy

A. Self-Reporting vs. Healthcare Provider-Reporting

Contact tracing and exposure notification apps often process solely confirmed diagnoses for the purpose of initiating an exposure notification, but they may also allow for individuals to self-report symptoms.163 Before switching designs, the United Kingdom’s centralized app allowed for self-reporting of symptoms to trigger an exposure notification.164Id. The United Kingdom opted for this strategy because the epidemiological model the United Kingdom was relying on demonstrated that any delay in isolating symptomatic individuals has a “real effect on the spread of the virus.”165Id. If testing is low or slow, then apps designed to process only officially confirmed diagnoses may leave more community spreaders undetected, thereby increasing the occurrence of “false negatives.” On the other hand, self-reporting of symptoms can increase the occurrence of “false positives” and over-notification. Malicious or accidental false reports may cause unnecessary anxiety, notification fatigue, and ultimately cause users to lose faith in the efficacy of the system and stop acting on its recommendations.166 As previously mentioned, SARS-CoV-2 can be transmitted before symptoms are apparent,167Ferretti et al., supra note 2, at 1, 6. rendering self-reporting of symptoms itself too slow to control transmission and effectively mooted by asymptomatic carriers.168Id. at 6.

In the United States, federal legislation has been introduced that would outlaw self-reporting for exposure notification and contact tracing apps. The bipartisan Exposure Notification Privacy Act (ENPA) would require apps to process only confirmed diagnoses that trigger exposure notifications.169 This aligns with the Terms of Service for GAEN tools.170 To implement this in practice, PHAs must deploy a test verification server and a key server to validate positive diagnoses during a key upload (received from a test center or other healthcare provider).171 Apple has outlined twelve steps involved with verifying and submitting positive diagnoses with Exposure Notification Express.172

However, these twelve steps mean there are potentially multiple points of failure by PHAs, health care providers, test centers, individuals, and the system. First, a user with the functionality enabled on their device must get tested for COVID-19. Then, the health care provider or test center determines that the user is positive for SARS-CoV-2 and reports it to the PHA. The PHA then must generate a verification code using the test verification server. This code must be sent to the user, who must enter the code or click the provided link to inform their device of the positive diagnosis. The device subsequently contacts the test verification server to validate the verification code. If valid, a long-term authentication token is sent from the test verification server. The device then creates a hashed message authentication code and sends it to the test verification server along with the authentication token. In return, it receives a certificate and metadata. Next, the device prompts the user for permission to submit their keys to the key server. If the individual grants permission, the data is uploaded to the key server. Finally, if validated by the server, the keys are added to the database and become available for other devices to download to be used for on-device exposure detection.173Id.

B. Electronic Protected Health Information

Fundamentally, the information collected, stored, and shared via contact tracing and exposure notification apps is associated with health information, which suggests that such data may be under the purview of the 1996 Health Insurance Portability and Accountability Act (HIPAA).174 That contact tracing and exposure notification data may come within the purview of HIPAA protections is supported by both Apple and Google stating that only PHAs can use their system.175 As the 2009 Health Information Technology for Economic and Clinical Health Act requires, businesses that assist healthcare providers in the sharing of electronic protected health information (e-PHI) (i.e., contact tracing and exposure notification apps), must be compliant with the Privacy and Security Rules of HIPAA.176 Under HIPAA, the privacy of e-PHI is not only protected, but also subject to security regulations that protect the integrity, confidentiality, and availability/sharing of e-PHI.177

Ultimately, the requirement of “self-reporting,” or rather opt-in, for these apps nullifies HIPAA’s ability to protect user data and dictate the protocols for transmitting, using, storing, and destroying this data.178 However, many state-level laws supersede HIPAA’s guidelines and create a complex labyrinth of regulatory and legislative processes that could govern such information.179 Nevertheless, the HHS and its associated agencies, specifically the CDC and National Institutes of Health (NIH), should be involved in the regulatory processes, particularly for the creation of a nationwide contact tracing initiative, to ensure that health and medical information is adequately protected and aggregated in a secure way that still allows for optimal research efficacy.

The HHS previously lacked a transparent and standardized framework for aggregating and sharing data between its agencies.180 Accordingly, each agency retained autonomy in interpreting data sharing rules such that data at NIH could follow strict privacy procedures while perhaps the CDC remained more lax.181See id. In March 2020, the HHS finalized two rules under the bipartisan 21st Century Cures Act (Cures Act).182 The Cures Act aims to promote interoperability of ePHI under the first rule, which requires that the United States Core Data for Interoperability standard is used as part of a new API certification criterion for apps.183

The second rule under the Cures Act prevents “information blocking” practices, such as anti-competitive behaviors by developers of e-PHI information security.18445 C.F.R. § 170.401 (2020). This suggests that the inclusion of the FTC and FCC is critical—the FCC would regulate the transmission of electronic and digital communications, and the FTC would regulate apps acting deceptively or in an unfair manner. Additionally, while the FDA does not regulate devices in public health surveillance, they do provide additional useful guidance on related mobile medical apps that should be considered.185 Issues related to access to location data collected by the HHS require additional scrutiny, particularly since HIPAA’s Privacy Rule contains exceptions for disclosures to law enforcement.186

C. “Opt-In” and Non-federal Biometric Privacy Regulations

In contrast to HIPAA, some state laws dictate the protection and transfer of personal data once a user has opted-in, notably Illinois’ Biometric Information Privacy Act (BIPA)187 and California’s Consumer Privacy Act (CCPA).188 Other states have also passed biometric privacy laws,189 or currently have proposed biometric privacy laws pending,190 but BIPA particularly includes a private right of action.191740 Ill. Comp. Stat 14/20. BIPA also sets forth a comprehensive regulatory framework that could be mirrored in federal regulation, restricting how private entities collect, use, and share biometric information and biometric identifiers under specific security requirements.192740 Ill. Comp. Stat 14/15. Biometric identifiers include “retina or iris scan[s], fingerprint[s], voiceprint[s], or scan[s] of hand or face geometry.”193740 Ill. Comp. Stat 14/10.

On August 4, 2020, Senator Merkley and Senator Sanders introduced the National Biometric Information Privacy Act of 2020 to Congress.194 The proposal, similar to BIPA, contains a private right of action and a requirement for businesses and employers to obtain the “opt-in” consent of an individual prior to the collection or disclosure of biometric identifiers.195 The bill also contains a right of access for individuals to know what information a covered entity has collected about them.196 The bill is supported by various consumer and privacy rights organizations197 amid growing concerns that non-white individuals are more likely to be misidentified by facial recognition technology.198

The risk of inaccurate yet pervasive surveillance enabled through facial recognition technology can have alarming consequences.199 In this regard, it is striking that digital contact tracing and exposure notification tools are similarly associated with accuracy concerns, surveillance risks, and equity issues. As this Article discusses in Part I, these concerns vary depending on how such apps are designed and implemented.200See discussion supra Part I. Nevertheless, in alignment with BIPA, there is widespread consensus in liberal democracies that contact tracing and exposure notification apps ought to be “opt-in,” as demonstrated by the fact that most contact tracing apps are not mandatory.201 Almost all federal and state contact tracing proposals reflect this despite significant divergences in other areas.202

However, in the context of contact tracing and exposure notification apps, the issue of consent is more nuanced than a binary choice between “opt-in” or “mandatory.” For instance, different app functionalities203 should not be bundled together “so that the individual can provide his/her consent specifically for each functionality.”204 Individuals should be provided with granular choices to choose their desired functionalities without being forced to opt in to others, and be provided with the opportunity to provide additional consent if an app is materially changed.205Id. Consent could be required at each of the following points: (1) to download an app onto a device; (2) to process the positive diagnosis of a user; and (3) to share personal data with third parties.206Id. The E.U. Commission’s app guidance states that under the ePrivacy Directive, “storing . . . information on the user’s device or gaining access to” stored information is prohibited unless the user provides consent.207

To comply with the ePrivacy Directive, consent is required both to install apps and to place information, such as random identifiers, on devices.208Id. Sharing data about individuals who have been diagnosed, or tested positively with interoperable apps from other jurisdictions, “should only be triggered by a voluntary action of the user.”209 However, the EDPB also states that “the mere fact that the use of contact-tracing applications takes place on a voluntary basis does not mean that the processing of personal data will necessarily be based on consent.”210 In Europe, the General Data Protection Regulation (GDPR) provides a legal basis for processing personal data, if processing personal data is necessary for the performance of a task in the public interest.211 National laws enacted to provide measures allowing for the monitoring of epidemics may also be relied upon if certain requirements are met.212 However, subjecting an individual to a decision solely based on automated processing, which subsequently produces a legal effect upon the individual, remains prohibited.213

IV. Security & Privacy Implications for Mobile Tracking Data

Sociology scholars have long studied the complex relationship between trust and cooperative behaviors.214 Specifically for COVID-19–related surveillance technologies, researchers have demonstrated a correlation between the willingness to adopt contact tracing apps and their accuracy and privacy standards.215 However, within the context of data sharing, public trust in information and communication technology providers is strained in light of large-scale data breaches and sales of consumer data to third parties.216 This skepticism was highlighted in a recent poll that suggested Americans are more likely to trust contact tracing apps offered by public health authorities than Apple and Google, with the majority expressing doubt about whether these companies would protect the privacy of their health data.217 Additional polling also found that Americans are divided on whether it is acceptable for the government to use cellphones to track people who have tested positively for SARS-CoV-2, with acceptance levels falling in relation to the tracking of people who may have had contact with someone who has tested positive.218Auxier, supra note 143.

Without adequate legislation to safeguard personal information, developers of contact tracing and exposure notification apps face an uphill battle convincing users that sharing their data will only be limited to approved third parties, such as healthcare professionals and public health authorities, and will only be collected, shared, and stored for a limited time. Most crucially, developers will need to reassure prospective users that law enforcement will not have data access. Perhaps the most complicated aspect of digital contact tracing is establishing how current laws could protect user privacy in proximity and location data and other personal information.219

A. Digital Tracking Technologies & U.S. Regulation

Government surveillance remains a contentious debate in the United States, and privacy advocates have voiced concerns about mission creep, where government entities and private actors could use collected data beyond the scope and timeframe of an app’s intended use.220 Contact tracing data collected in a centralized manner, particularly by private entities, may provide public health authorities with insights about how COVID-19 is spreading, who may be at a higher risk of exposure, and where to allocate resources most effectively and equitably.221 While the private sector is driving the development of digital tools, both federal and state governments remain interested in influencing their designs and data access standards.222 Further complicating the issue is the “patchwork” of laws that govern disclosure of collected data, where the constraints on third-party entities are much weaker than those that regulate disclosure for telecommunications carriers.223

In 2018, the U.S. Supreme Court famously held in Carpenter v. United States224 that individuals have a reasonable expectation of privacy in their cell-site location information.225 Carpenter has demonstrably affected the impact of the third-party doctrine, which pertains to the idea under the Fourth Amendment that an individual does not have a reasonable expectation of privacy in information voluntarily turned over to other parties.226 The case ultimately focused on the nature of the information obtained, rather than the nature of the search by law enforcement.227Carpenter, 138 S. Ct. 2206.

The Court’s ruling requires law enforcement to obtain a warrant to access an individual’s historical whereabouts from the records of a cellphone provider and will likely apply to other historically collected geolocation data.228 Carpenter also created the rule of “technological equivalence,” whereby the use of a technology may be considered a “search” if it “gives [law enforcement] the power to gather information that is the ‘modern-day equivalent’ of activity that has been held to be a Fourth Amendment search.”229Ohm, supra note 225, at 360. With contact tracing and exposure notification apps, the context of location and proximity data could be postulated as comparable to specific geolocation information given the nature of the data and the possibility of third parties gathering information—invoking Carpenter’s warrant requirement for gathering cell site location information and adding a layer of protection against open access.230

While major operating system developers are cautious about third-party access to mobility data, including proximity and location data, a relaxing of such restrictions for the sake of COVID-19 is certainly possible—although generally improbable, due to privacy concerns. Many privacy advocates have stressed the importance of only collecting and sharing data after a user has provided consent or opted in.231 However, some developers have indicated that they are willing to share infection status, proximity data or location data, and phone contacts with law enforcement in “legally justified cases.”232Schectman et al., supra note 231.

Under the legal frameworks of the Electronic Communications Privacy Act,233 Stored Communications Act (SCA),234 and the Telecommunications Act,235 there is also the possibility for electronic communications associated with a contact tracing or exposure notification app to be accessed by the federal government and law enforcement, even though such data may contain potential health information that would bar access by any entity not “authorized” to access health and medical information.236 The SCA and Telecommunications Act are most relevant, as they limit third-party companies from voluntarily disclosing either location data or proximity data to law enforcement, regardless of its originating source.237

The Federal Trade Commission Act may also provide protections against third-party companies that violate disclosure agreements, but it may only be enforced by the federal government.238 It is unlikely that the federal government would enforce such protections given that the federal government would be the one seeking data.239 The FCC could potentially intervene as well.240 The FCC could impose a fine similar to the $200 million fine proposed against AT&T, Sprint, T-Mobile, and Verizon for disclosing location data to law enforcement via third-party brokers.241

In addition to Carpenter, Justice Sotomayor’s concurrence in United States v. Jones stressed the highly sensitive nature of location data.242 Utilizing Bluetooth technology does limit geolocation surveillance but proximity data still retains the potential for re-identification—smartphones still broadcast an identifier, though randomized and encrypted in some manner.243 There is a potential for the government to require the public to download and use contact tracing and exposure notification apps, triggering a Fourth Amendment contest under the Jones test even if the app were to use only Bluetooth technology.244 This type of mandate would also need to survive a challenge bolstered by the Privileges and Immunities Clause,245U.S. Const. art. IV, § 2, cl. 1. which the Supreme Court, in 1868, interpreted as providing a fundamental right to freedom of movement.246 With digital contact tracing and exposure notification requiring surveillance of all individuals, not just those who test positive for SARS-CoV-2, the constitutionality of contact tracing and exposure notification would rely on analysis of the Fourth Amendment’s special needs doctrine247 and raise concerns similar to those involved with the USA PATRIOT Act.248

B. Accountability Measures

Much of the discussion regarding contact tracing and exposure notification apps has not adequately addressed requirements for public engagement at a level that would optimize epidemiological value.249 Adoption of beneficial public health measures and behaviors depends on a number of factors, especially public understanding of the potential benefits for themselves250 and their community.251 Previous studies have demonstrated the utility of digital contact tracing initiatives, albeit not at the scale necessary to mitigate the spread of COVID-19, in controlling infection spread.252

Public trust is a central piece of the puzzle when implementing contact tracing and exposure notification apps. Not only do privacy laws need to be concisely explained to potential users when opting in, but there also needs to be some level of guarantee that all aspects of the system protect internal data and protect from unauthorized external access. Absent meaningful safeguards, the public remains concerned that the collected data may be misappropriated, potentially even being used for targeting and infringing on civil liberties.253Panduranga et al., supra note 16, at 1. Additionally, the public needs to believe that companies are being genuinely forthright with the limitations of their technologies254—realizing that these apps should not be marketed as some sort of mandated scientific tool but rather a mechanism to improve individual health while simultaneously improving public health and the greater good.255

Google and Apple stipulate a number of terms for public health authorities to abide by in order to use the GAEN API.256 Nevertheless, this still opens the field to multiple companies, with varying standards of data privacy policies, to be responsible for appropriately harvesting relevant SARS-CoV-2 and COVID-19 information without compromising people’s personal data and related metadata.257 Clear guidelines could provide as to how Google and Apple should develop and update their APIs to ensure appropriate protections for location and health information. Additionally, such guidelines must be established that simplify the sharing of personal data and potential electronic health information for pandemic response at the state and federal levels while still preserving and upholding privacy rights.

Transparency about data practices is a fundamental trust-based incentive to promote responsible data use.258IDAC, supra note 6. Providing detailed Data Protection Impact Assessments,259 as required by the GDPR, and making source code available for public scrutiny improves the ability for scientific experts, privacy watchdogs, and regulators to promote accountability.260 For instance, both Germany and Ireland have opted to make their source code public,261Jee, supra note 158. an approach encouraged by EU institutions.262 External oversight and consequences for misuse and abuse are also crucial elements of accountability. Guidance from the EU Commission states that EU “Data Protection Authorities should be fully involved and consulted in the context of the development of the app and they should keep its deployment under review.”263 Due to the nascence of the deployment of digital tools for contact tracing, continuous performance monitoring and auditing of the app functionality is also important to assess accuracy and effectiveness over time.264 In particular, unforeseen results, such as disparate impact, should be proactively identified and mitigated in an ongoing manner.

Safeguarding an individual’s general personal data has always been a challenge in contact tracing,265 now potentially more complicated with the proliferation of automated processing and the collection of unique digital identifiers. Consumers need to believe that the level of anonymization used for personal data is sufficient for maintaining privacy and that their data will not be used in ways that may harm them.266 Studies have already demonstrated that despite the removal of personal-identifying data and generating randomized IDs, it may still be possible to determine identities in large medical datasets.267Rocher et al., supra note 64, at 2. Along with potentially being personally identified, there is also concern that the centralized contact tracing-generated social graphs268 may also reveal identifying information about known associates.269Bode et al., supra note 265. The American Civil Liberties Union (ACLU) released guidelines stressing that users should not be forced to use an app by the U.S. government, an employer, or a school, and there should also be protections to prevent abuse of social graphs by such entities.270

V. Proposed Regulation

Consistent, concise, and evidence-based communications from trusted sources, including public health officials and other scientific authorities, are likely to be especially important to promote the adoption of contact tracing or exposure notification apps.271 However, fragmentation of app design and deployment at the state level has heightened confusion in the United States, and public messaging has generally been inconsistent around this topic.272 For instance, in the wake of overwhelming protests following the murder of George Floyd, the Commissioner of Minnesota’s Department of Public Safety publicly stated that law enforcement was conducting “contact tracing.”273 This false conflation between contact tracing in the context of public health and standard law enforcement investigations may potentially undermine public health efforts and reduce the willingness of individuals to participate in contact tracing, especially in marginalized communities that are often subjected to over-policing.274 Accordingly, Congress and several state legislatures have proposed legislation that would impose strict purpose, retention, and sharing limitations on data collected for contact tracing and exposure notification purposes, and to prevent law enforcement and immigration authorities from accessing or using contact tracing and exposure notification information.275

Manual contact tracing efforts are clearly no match for the current scale of the pandemic, and many contact tracers rapidly hired remain inadequately trained to perform case investigation, a function that the CDC has referred to as a “specialized skill.”276 Thus far, public engagement with manual contact tracers has also been disappointing.277 In an attempt to earn trust, New York enacted a law requiring COVID-19 contact tracers to be “representative of the cultural and linguistic diversity of the communities in which they serve.”2782020 N.Y. Sess. Laws 115 (McKinney). As outlined above in Parts II and III, there are a number of federal regulatory agencies, along with the U.S. Congress, that can establish federal-level privacy and security standards, as well as mandates for contact tracing app adoption amongst the public. It would be feasible to establish a federal network, and considering that waves of COVID-19 are expected to continue well into 2021, now would be the time for the federal government to take a proactive stance.

Regulatory powers need to take initiative and provide concise guidance on public health surveillance, perhaps involving the creation of a public health oversight body that is independent from political or corporate interests. Forthcoming research additionally suggests that the issue of contact tracing is not necessarily ideological or has not yet been politicized, creating opportunities for bipartisan elite to mobilize constituents to opt in.279Zhang et al., supra note 254. This means there is potential for a comprehensive national strategy with bipartisan backing that would encourage the general public to voluntarily participate in digital contact tracing initiatives. For instance, Senator Warren introduced legislation for a national contact tracing program, calling for it to be included in a future pandemic response package that Congress passes.280 Supported by many Democratic co-sponsors, the Coronavirus Containment Corps Act would require the CDC to develop a national contact tracing strategy and create privacy protections relating to manual contact tracing and digital tools.281 Senator Schatz has also introduced legislation that would require the CDC to establish a national plan for contact tracing and testing.282

In April 2020, FTC Commissioner Christine Wilson expressed her views on “Privacy in the Time of COVID-19.”283 In the past, Commissioner Wilson has called for Congress to enact comprehensive federal privacy legislation.284 However, in the midst of the public health crisis, Commissioner Wilson acknowledged that legislators are focused on enacting urgent emergency response measures and called for governments to follow the principles of necessity and proportionality in making demands or requests for data sharing from private companies during the public health emergency.285Wilson, supra note 283. The FTC should establish rules and accountability measures for digital contact tracing and exposure notification tools for technology and communication companies. Thus far, the FTC has not been forced to create protective measures for consumers, despite the blatant necessity.286

The proposed COVID-19 Consumer Data Protection Act of 2020, introduced by leading Senate Republicans to regulate COVID-19–related data, neither provides additional resources for the FTC to create enforcement mechanisms for consumer privacy protections nor advocates for any other rule-making authority.287 It would, however, require the FTC to “issue guidelines recommending best practices for covered entities to minimize the collection, processing, and transfer of covered data.”288Id. at § 3(g)(2). In contrast, the Public Health Emergency Privacy Act, introduced more recently by leading Senate Democrats, does advocate for the FTC, as well as HHS, to participate in regulatory capacities for a broad range of covered entities, including contact tracing apps, that handle and process COVID-19 consumer data.289

These two federal bills were introduced to regulate data collected, used, and shared for COVID-19–related purposes, i.e., emergency health data, and include voluntary adoption and user consent as key components.290S. 3363, § 3; S. 3749, §§ 2–3. Both bills contain provisions requiring individual consent and would prohibit covered entities from using emergency health data for purposes unrelated to responding to COVID-19.291S. 3363, § 3; S. 3749, §§ 2–3. However, despite many substantive similarities between the two proposals, significant differences remain in terms of enforcement mechanisms, preservation of existing state laws, anti-discrimination, research exemptions, and scope.292 These are familiar areas of debate regarding comprehensive federal privacy legislation.293 Due to partisan divides, it is unlikely that either of these proposals will be enacted.

It is therefore notable that the ENPA has bipartisan support to create strong legal safeguards for users whose personal data are collected by private entities through “automated exposure notification services,” i.e., contact tracing apps and exposure notification apps.294 Many provisions of this narrower bill align with longstanding privacy principles, as well as the requirements for apps contained in GAEN’s Terms.295 However, unlike the Terms,296 the ENPA would apply more broadly to all contact tracing and exposure notification apps.297S. 3861. In addition to requiring consent, the bill contains numerous provisions to guard against mission creep.298 App operators would also be prohibited from using data for commercial purposes or transferring data to executive agencies for secondary purposes (such as law or immigration enforcement).299See S. 3861.

To promote accountability and oversight, the ENPA includes a provision that would extend the purview of the Privacy and Civil Liberties Oversight Board (PCLOB) to federally declared public health emergencies.300Id. § 9(b). Currently, the PCLOB is responsible for ensuring that federal counterterrorism actions appropriately safeguard privacy and civil liberties.301 The ENPA also features a strong anti-discrimination provision302 and would require contact tracing and exposure notification apps to process only “authorized diagnos[es],” and app operators would be required to “collaborate with a public health authority.”303Id. §§ 2(3), 3(a)−(b), 4(a)(2). To comply with this provision, more guidance is likely necessary to determine the extent to which private entities (such as employers) would need to collaborate with public health authorities.

Depending on how the anti-discrimination provision is interpreted, employers could be precluded from implementing contact tracing and exposure notification apps in the workplace.304 In contrast, the provision could be interpreted to mean that a developer of an enterprise solution or an employer must seek guidance, input, or approval from a public health authority. In this way, the provision could promote the legitimacy of enterprise contact tracing solutions by ensuring that they are designed and implemented to support the work of public health authorities. However, due to significant legal and contextual differences, a more practicable alternative solution may be to create separate regulatory frameworks for consumer-based apps and employer-based apps.

Although none of these federal proposals are likely to pass in the near future, they contain many similar elements to various state-level proposals that have considerable support. For instance, the New York State Senate and Assembly passed a bill intended to protect the confidentiality of contact tracing information and prohibit law and immigration enforcement from accessing the information.305 In August 2020, the California legislature almost passed a similar bill, which would have required that data collected for the purpose of contact tracing be used, maintained, or disclosed only to facilitate contact tracing efforts, and would have prohibited law enforcement from participating in contact tracing.306 Legislative analysis of the bill states that effective contact tracing depends on the availability of complete data, which in turn depends on the participation and openness of individuals who trust that their data will not be misused.307 The ACLU, and many other privacy and consumer advocacy organizations, supports these bills.308

Aiming to promote trust more broadly in collection, use, and sharing of data to mitigate the spread of COVID-19, another New York bill contains transparency requirements, data minimization obligations, retention limitations, and data security obligations for government entities and third-party recipients of emergency health data.309 On July 30, 2020, the New Jersey Assembly passed similar, but narrower legislation, which would require public health authorities and “third part[ies]” to abide by purpose and retention limitations for contact tracing data.310 California almost passed a similar bill.311 However, opponents argued that it put privacy before public health, and that the anti-discrimination provisions would deny covered entities the ability to mitigate health risks to consumers and employees posed by other individuals.312

On January 14, 2021, the Washington Privacy Act of 2021 (WPA) had its first Public hearing in the Washington State Senate Committee on Environment, Energy & Technology.313 The Washington State Legislature considered two previous iterations of the comprehensive data privacy legislation, but both narrowly failed to pass into law.314 This year, the WPA contains sections to specifically regulate uses of “geolocation data, proximity data, or personal health data” for detecting COVID-19 symptoms, enabling automated contact tracing, or identifying outbreak hotspots.315S. 5062 § 201(7). Private and public sector entities would be regulated, including institutions of higher education.316Id. §§ 201(6), 301(2). The bill also contains individual consent requirements and creates various individual rights (access, correction, deletion, and processing opt out).317Id. §§ 202(1)(b), 203. It also contains various responsibilities and restrictions for data handlers, such as purpose specification, data minimization, data retention limitation, confidentiality, security, and transparency.318Id. § 207. Finally, the WPA would prohibit entities from disclosing covered data to law enforcement, selling the data, and sharing it in the absence of a contract.319Id. § 202.

Unless appropriate guardrails are put in place, data collected by governments through contact tracing and exposure notification tools and apps could be used in unexpected, inappropriate, or even harmful ways.320See supra Part IV. This issue has frequently been cited as a factor undermining the willingness of individuals to participate in contact tracing, particularly among over-policed and undocumented communities.321 As previously outlined in Part I, contact tracing apps designed in a decentralized manner adopt a privacy-by-design322 approach, effectively cutting government entities and tech companies out of the loop, matching the user ID on each mobile device rather than in a centralized server. “Privacy-by-design” is a deliberate and systematic approach to privacy and data security, whereby privacy and security is built in to the design of products and services from the outset.323See id. It has been advocated for by the FTC,324See id. as well as overseas in Europe.325

In the absence of adequate legal regulation in the United States to promote public trust and to prevent inappropriate data sharing or usage, technology providers have been left with little choice but to build in these essential regulatory protections by design,326 inevitably making functionality and usability tradeoffs. Adequate legal regulation in this space could create new avenues for greater technological creativity and functionality. This would allow for the collection and use of digital contact tracing and exposure notification data by PHAs to improve calculations about the accuracy of alert notifications, to enable PHAs to suppress notifications in “edge cases” when risk of inferential identification is high, to identify outbreak hotspots, and to use for COVID-19 research purposes. It is evident that there is an urgent need for comprehensive federal privacy legislation to promote public trust and adoption of socially beneficial digital products and services, to set clearer rules of the road for businesses, and to promote digital innovation.327

VI. Alternative Solutions for Contact Tracing Apps

Contact tracing apps are not the only mechanism available for collecting and aggregating relevant surveillance information; data can also be aggregated from social media and search engine results to observe population-level trends.328 Since aggregated data is not associated with a known individual, it has fewer privacy risks than individualized location data, though location data is still challenging to fully anonymize.329 As discussed previously in Part IV, third-party companies are a rich source for such data, and government entities can already access location data in the absence of a warrant by purchasing it from these data brokers.330 In lieu of deploying any custom contact tracing solutions, private actors may already have tools available to them that could assist in the contact tracing process.

Digital advertising firms have long considered real-time location data as one of the many identifiers used to deliver relevant advertisements, along with associated device specific IDs (e.g., Google Advertising ID (GAID)/Android Advertising ID (AAID) and Apple’s Advertising Identifier (IDFA)).331 However, only a fraction of advertising requests transacted between mobile devices and ad delivery platforms are accurate within fifty to one hundred meters of a specific location.332 This is primarily due to the fact that location data, sent as part of advertising queries, does not often utilize the precise location information built into mobile operating systems.333Id. Thus, an ad-tech based solution for contact tracing needs to be improved in both precision and accuracy to be effective, potentially by using operating system level tools like GPS location, cell site location data, and proximity to WiFi networks.

In general, these practices are facing increased scrutiny from bipartisan lawmakers, who are calling on the FTC to investigate the online advertiser economy.334 In August 2020, a group of lawmakers sent a letter to Mobilewalla after it emerged that the company had potentially used location data collected from cellphones to identify specific characteristics of American protesters at Black Lives Matter demonstrations.335 The company is part of an “ecosystem of data brokers that purchase or collect data from web browsers and apps installed on Americans’ mobile devices.”336Id. at 1. After having conducted an investigation into the data-sharing ecosystem, Senator Wyden has stated that he plans to introduce a bill titled “The Fourth Amendment is Not for Sale Act,” which would prevent law enforcement from buying personal information from data brokers to circumvent the usual warrant process.337

Nevertheless, privacy protections remain a major aspect in creating a contact tracing and exposure notification system that is not only safe, but is also trusted to be safe.338 An option to consider is the use of differential privacy, where an algorithm could potentially be used to read the data on an individual’s phone and only broadcast relevant information on infection status and, perhaps, previous locations without broadcasting personal data and metadata.339 Researchers at Harvard University have developed a differential privacy tool that could be implemented in contact tracing and exposure notification apps to help address privacy concerns while still retaining functionality.340 Id. Such apps developed in the United States should also consider compatibility with contact tracing digital surveillance programs in other countries. International travel accelerated the global spread of COVID-19, and it is to be expected that any future pandemics would follow similarly.341

When considering that ultimately a global framework will be necessary, alternate solutions to contact tracing exclusive of specific apps may be the better solution. As mentioned earlier in this Article,342 some countries are experimenting with wearable proximity tracking devices that would provide a level of scalability for this consideration.343See Asher, supra note 119. Facial recognition technology has been suggested as a possible alternative to utilizing Bluetooth or location tracking technologies for contact tracing.344 This idea though has not gained traction, particularly considering the risks highlighted in Part III of this Article, and a New York bill was introduced which would ban the use of facial technology to track the spread of COVID-19.345

Some countries have implemented the use of location-based QR code check-ins to assist in exposure notification and contact tracing efforts.346 However, New Zealand has faced hurdles implementing this strategy due to the fact that it requires individuals to proactively scan their devices to check in to premises.347 Adoption hurdles have also arisen among businesses because this inefficient system can cause long queues of customers.348Id. To address problems like this, the United Kingdom is rolling out a hybrid solution.349 Their decentralized proximity detection app based on the GAEN API also contains a separate QR-code feature, as well as a symptom-tracking feature.350Id. Such an app could be a feasible option for the United States, since it would be easy to facilitate across all states, and would already have international implementation. However, limitations remain with a user still needing an app-supported mobile device to participate.

Another potential tracking option that has not been as widely discussed is the use of near field communication (NFC). Similar to Bluetooth technology, NFC allows for the remote transfer of information between devices.351 NFC is unique in that devices can require a physical engagement with a “tag” to transfer data.352Id. This gives consumers more control over when their information is broadcasted, in comparison to Bluetooth’s continuous broadcasting.353Id. Further, NFC inherently provides reassurance that physical proximity actually occurred.354Id. However, as mentioned in Part II of this Article, user adoption and engagement are major hurdles to overcome, and NFC-based apps require that users actively want to use the app compared to passive transmission with Bluetooth and GPS.355Id. Nevertheless, in considering between GPS, Bluetooth, or NFC, both the FTC and FCC should be involved from a regulatory standpoint.356

Conclusion

Ultimately, the United States needs to supplement traditional public health response efforts with the powerful utility of digital contact tracing tools, especially as we continue to develop strategies to reopen the country. With digital exposure notification and contact tracing relying completely on the identification of positive SARS-CoV-2 diagnoses, we must increase the availability and use of high-sensitivity, fast testing across the country. Additionally, although the United States’ public is divided on using cellphones for exposure notification and contact tracing, the majority express disapproval over using mobile device data to track an individual’s movements for compliance with public health measures.357Auxier, supra note 143. What may help shift public trust in, and facilitate use of, these tools is specific regulation in this area, buy-in from respected community leaders, and consistent messaging about the importance of doing what is best for ourselves and our society as a whole. In order to promote ideals of social good and unity, we must ensure that these tools are to be used only for public health initiatives. It is critical to understand that “[t]he power to do good things increases as we share information, but we need frameworks.”358O’Neill, supra note 112. COVID-19 is merely a moment in a continuing spectrum of possible pandemics, and creating an effective contact tracing network at the national level now will not only help contain COVID-19 in the present, but also better prepare the United States to address future emerging infectious diseases.

* Divya Ramjee is a PhD candidate at American University in Washington, D.C., in the Department of Justice, Law & Criminology. Her research interests include cybercrime and intellectual property crime, biotechnology, and the application of artificial intelligence methodologies in the fields of criminology, law, and security. This author is currently employed by the U.S. Department of Justice (DOJ); the views expressed in this Article are exclusively those of the author and do not necessarily represent the views of the DOJ, its components, or the United States. Pollyanna Sanderson is a Policy Counsel at Future of Privacy Forum and was previously a Google Public Policy Fellow, resident at the National Consumers League. Her primary focus is privacy legislation at the federal and state levels. She has previously written and spoken about digital contact tracing applications both within the United States and internationally. The views herein do not necessarily reflect those of Future of Privacy Forum supporters or board members. Imran Malek is an Associate at Skadden, Arps, Slate, Meagher & Flom LLP. Prior to earning his JD from Boston University, he was a product manager and software engineer focused on the intersection of digital advertising, machine learning, and data portability. The views herein do not necessarily reflect those of Skadden Arps, its staff, or its clients. Robust digital public health surveillance warrants interdisciplinary guidance, and as such, we greatly thank the following experts for their advice and recommendations: Andrew Sellars, JD, Boston University; Maimuna Majumder, PhD, Harvard Medical School; Angela Rasmussen, PhD, Columbia University; Saskia Popescu, PhD, MPH, MA, University of Arizona; Joseph Amon, PhD, MSPH, Drexel University; Natalie E. Dean, PhD, AM, University of Florida; Jessica Malaty Rivera, MS, The COVID Tracking Project; Elsa B. Kania, PhD (cand., Harvard University), Technology and National Security Program, Center for a New American Security; Katelyn Ringrose, JD, Future of Privacy Forum; Margaret Cunningham, PhD, Forcepoint; Ghinwa El Hayek, MPH, American University of Beirut; and Gabriela Zanfir-Fortuna, PhD, JD, LLM, Future of Privacy Forum. Finally, thank you to Alissa Gutierrez, JD candidate, for invaluable editorial assistance.