Contact Tracing: Health First, Privacy Last?

June 1, 2020

Previously, we shared our concerns about the implications of Contact Tracing and how this will affect the Privacy of US citizens and beyond. We also pointed out and made a call for solving the lack of a National Privacy Framework, to be formalized by Federal Regulations or Law, and not left up to private industry.  Interestingly, such a “Federalized” Privacy Framework was called for by over 50 CEOs of the Nation’s largest companies in a letter to Congress well before the notion of Contact Tracing came to the forefront of the public eye.  The time is now more urgent than ever to create and mandate a National Privacy Framework, and this Framework ought to put the power in the hands of We the People, not the Free Market, as the actual “owners” of that information.

The call to action by these industry-leading CEOs is profound, not in their prescient insight, but in the deafening silence from Congress.  Their outcry clearly illustrates the support by commercial heavyweights to adopt a uniform framework we can all use to deliver the right cybersecurity protections, achieve proper business outcomes, and now – adequately support the urgent imperative for Contact Tracing.  Most importantly, they also point out the need for you to maintain rights over your data, much like the European Union (EU) defined in the General Data Protection Regulation (GDPR).

“We are also united in our belief that consumers should have meaningful rights over their personal information and that companies that access this information should be held consistently accountable under a comprehensive federal consumer data privacy law.”

As Contact Tracing moves closer to a necessary reality, it has, unfortunately, become apparent that privacy concerns are quickly becoming a reality, and the government has done nothing to ensure the proper protection and use of our information.  Certainly, we support, respect, and understand the fine balance between regulation and Free Markets.  But information about us has been used and abused by the Free Market, as so clearly pointed out by Shoshana Zuboff in “Age of Surveillance Capitalism,” and we must make our voices loud to advocate for Common Sense control over our information.  The only realistic way to achieve control is with a National Privacy Framework, much like the EU’s GDPR.

Apple and Google have partnered to help Government entities worldwide by allowing their Contact Tracing API to be leveraged. If the words ‘Privacy’ and ‘Google’ in the same sentence give you cause for concern, know that you’re not the only one; lest we forget, they were issued one of the biggest fines to date by the EU’s GDPR regulators in France for rampant privacy violations. While both companies have vehemently denied that they will take advantage of this privilege, and say they will take measures such as preventing third parties from accessing location data, the structure of this approach is inherently decentralized. Worse yet, without national, uniform guidance and explicit requirements for Data Protection in the form of Law and Regulation, it’s being left up to the organizations to decide upon and implement the “proper” cybersecurity controls to ensure privacy.

Why does this matter? Well, with an invasive capability such as Contact Tracing, abuse of power would lead to intimate knowledge about any of us, including our location, habits, and social circles (i.e., contacts).  We must establish clear-cut guidelines, in the form of a Federal Privacy Regulation, and a governing authority to monitor compliance with the guidelines to ensure proper use, care, and disposal of your personal information. Currently, we are going in the exact opposite direction: we already have two separate private organizations offering two separate solutions to a slew of governing bodies and health organizations who are all driven by their own motives.

For example, the UK’s NHS branch determined they wanted to design their own app rather than rely on Apple or Google. However, their ‘lone wolf’ efforts have already gained unwanted publicity in the form of a report on their complete lack of compliance with GDPR requirements and an inside tip that the first version of the NHS app failed initial cybersecurity tests.

The largest issue we face with Contact Tracing from a decentralized standpoint is that no one can give a clear answer as to what’s tracked, what’s not, what’s anonymous, what’s considered sensitive, who has access to what data, how long that data will live, how it will be used, and how it will be destroyed. Essentially, there is no accountability for access to our most intimate information. In addition to the inherent benefits this yields the free market (as outlined in the call to action), a National Privacy Framework would establish this accountability.  It would provide us, about whom the data is collected and monetized, the rightful control over how our data is used, how it’s managed, by whom, and for how long.  We ought to have a right to control our information and explicitly allow or deny its use – by our own determination – and not that of the Free Market entities.

Contact Tracing is creating all sorts of buzz in the media and beyond. Still, our call to action remains the same: establish bulletproof requirements around Contact Tracing in general and establish a National Privacy Framework to govern the access to and use of our information. Even more specifically, it needs to be carved into stone that Contact Tracing is solely used for health pandemics and not for the gain of individual for-profit organizations and government entities.

It is not enough for us to simply assume that state-level officials and private sector company leaders will make decisions in the best interest of the population’s privacy. We must establish and enforce a nationally recognized, federally mandated privacy Framework for all organizations participating in Contact Tracing implementation that ensures our privacy takes precedence. Striving to create better ways to keep people healthy does not mean that people should have to give up privacy. As proven in history time and time again, the last thing we want to do is make irrational decisions during a crisis, only to surface on the other side, being horrified by what we have ultimately created. The time is now; our voices must be loud.