Governments and public health officials agree that contact tracing is essential to controlling the spread of Covid-19 and allowing for measured reopenings. But successful contact tracing depends on public trust and participation.
As states like New York continue to develop contact tracing programs, it is vital that they institute adequate privacy protections for the data collected given the insufficiency of legal safeguards at the federal level. In July, the New York State Legislature passed a contact tracing privacy bill (S. 8450-C/A. 10500-B) that is a promising model. The bill, which is awaiting the governor’s signature, limits information sharing between public health agencies and police and immigration enforcement. It also establishes broad confidentiality protections for contact tracing data and specific notice and consent requirements for confidentiality waivers.
While contact tracing has been used for decades to limit the spread of diseases like tuberculosis, HIV, and Ebola, it has never been implemented in the United States on the scale envisioned today. Nor has it traditionally relied on digital methods now under consideration, like using cell phone location data to supplement in-person interviews. In New York City, former Mayor Michael Bloomberg is reportedly developing smartphone applications to assist with contact tracing. Such applications generally use GPS location and/or Bluetooth proximity data — revealing how close one person is to another — to identify people who may have exposed to Covid-19.
Although digital contact tracing tools initially received an enthusiastic reception from state governments eager to contain the spread of Covid-19, experts have cautioned that digital tools cannot replace traditional methods, and the potential for civil rights and privacy abuses is high.
Regardless of which contact tracing method is used, it is essential that robust privacy protections are established. Ensuring that contact tracing information remains confidential and out of the hands of law enforcement is critical for fostering community trust and therefore participation in contact tracing programs.
For instance, in an effort to facilitate greater confidence in contact tracers, New York City reported that half of all contact tracers it hired live in the communities most affected by the virus, which are predominately Black and Latino. Nevertheless, as recognized by the state bill’s sponsors, distrust continues to hamper contact tracing efforts.
To this end, the bill requires that all contact tracing information be kept confidential. It allows for the sharing of contact tracing data only as necessary to carry out contact tracing or for permitted purposes. Those include disclosure to health care providers in a medical emergency, facilitating public health related actions in relation to an affected individual, and investigating, prosecuting, or defending a legal action for a violation of the contact tracing privacy bill. It is unclear, however, from the text of the bill or the sponsor statements, exactly what role is contemplated for law enforcement or immigration authorities in these contexts.
The bill also prohibits law enforcement or immigration authorities from acting as contact tracers and prohibits contact tracers from providing information to law enforcement or immigration authorities, except for permitted purposes.
The bill is a certainly a step forward for New York in its response to Covid-19. However, as the state considers additional contact tracing privacy legislation — for example, imposing requirements on the collection and use of digital contact tracing data — there are several additional points to consider.
First, the contact tracing information protected in future bills should explicitly include any geolocation or proximity data gathered through digital contact tracing tools. The government’s collection of this type of information raises heightened privacy concerns because of its deeply personal nature. Location information can reveal intimate details of someone’s life, including with whom they associate, where they pray, what doctors they visit, or where they spend the night. While location and proximity data are arguably “Covid-19-related information” falling within the bill’s definition of contact tracing information, this should be plainly stated. Given its sensitivity, location and proximity data should be subject to the same privacy protections as other contact tracing information, such as a Covid-19 diagnosis.
Second, future bills should require the deletion of contact tracing data. The New York bill would give nongovernmental entities, such as private contractors, 30 days to expunge or de-identify contact tracing information in their possession. This limitation is subject to a 15-day extension with a person’s informed consent if the data is actively being used in contact tracing. A more privacy protective bill would require that contact tracing information be deleted every 30 days as opposed to giving third parties the option to de-identify it. This is because true de-identification is very hard to achieve. Studies have repeatedly found that it is extremely difficult, if not impossible, to prevent anonymized data, particularly location data, from being re-identified.
Lastly, the New York bill permits disclosures of aggregate, de-identified data in some instances for public health or research purposes. While the bill requires that recipients of such data maintain technical safeguards to prevent re-identification, the exact safeguards are not specified, and it is unclear what oversight will be in place to ensure they are followed. This is concerning because even aggregate data poses privacy risks. For example, location data aggregated to a neighborhood level might reveal whether residents of specific neighborhoods (from which demographics such as race or religion can often be inferred) are traveling to sensitive events like protests. Although aggregate data conveys information about groups rather than individuals, it is also possible to identify individuals if there are multiple filters placed over the data, or if the data refers to a small geographic area or group. For example, if there are only a few Muslim families living in a particular neighborhood, filtering an aggregated, neighborhood-level dataset by religion and age might result in the exposure of identifiable information about a specific family. Future bills should detail more stringent protections for the release of aggregate or de-identified data.
New York’s contact tracing privacy bill is an important foundation for future Covid-19 contact tracing privacy legislation. It establishes solid confidentiality rules, separates public health contact tracing efforts from law enforcement and immigration agencies, and sets out clear procedures for confidentiality waivers. However, it is also important that future bills address the privacy risks posed by de-identified and aggregate data and build in explicit protections for geolocation and proximity data.