Government Access to Mobile Phone Data for Contact Tracing

Summary: A patchwork of privacy laws provides inadequate protections for location data used for public health purposes.

In an effort to contain the coronavirus, companies and governments across the globe are developing technological tools to trace its spread. Many of these tools seek to monitor individuals and groups in order to help identify potential carriers of the virus, alert people who may have been infected, flag places that may be at high risk, and measure the impact of public health initiatives such as social distancing directives. While proposals run the gamut from analyzing networked thermometer data nationwide to deploying remote heat sensors for fever detection,[1] in the U.S. attention is focused mostly on using location or proximity data produced by cell phones to track movements and interactions at both the individual and population levels.[2]

[1] See, e.g., Ed Garsten, “Drive-By Heat Sensors Could Help Detect Vehicle Occupants with COVID-19,” Forbes, April 1, 2020, https://www.forbes.com/sites/edgarsten/2020/04/01/drive-by-heat-sensors-could-help-detect-vehicle-occupants-with-covid-19/#455a60b62b0e; “Taking People’s Temperatures Can Help Fight the Coronavirus,” Economist, March 26, 2020; and Donald McNeil Jr., “Can Smart Thermometers Track the Spread of the Coronavirus?,” New York Times, March 18, 2020, https://www.nytimes.com/2020/03/18/health/coronavirus-fever-thermometers.html.
[2] This primer focuses on location data obtained through cell phones, though such data may also be gleaned from other surveillance technologies, like video, facial recognition, or automated license plate readers. See, e.g., Caroline Haskins and Ryan Mac, “A US Senator Wants to Know Which Federal Authorities Are Using Clearview AI to Track the Coronavirus,” BuzzFeed News, April 30, 2020, https://www.buzzfeednews.com/article/carolinehaskins1/senator-markey-clearview-ai-covid-contact-tracing; and Catherine Crump, You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans’ Movements, American Civil Liberties Union, July 2013, https://www.aclu.org/issues/privacy-technology/location-tracking/you-are-being-tracked.

Many of these tools are being developed by the private sector, but the federal government and state governments are clearly interested in influencing their design and accessing the data they generate.[3] At the same time, the patchwork of laws governing the disclosure of location data to the government — by cell phone companies, smartphone application developers, data brokers, individuals, and others — does not adequately protect Americans’ privacy. Cell phone carriers are fairly heavily regulated when it comes to individually identifiable data, but constraints on other entities that collect similar information are markedly weaker. Aggregate data that does not explicitly divulge individuals’ locations, identities, or associations is subject to even fewer limitations, despite evidence that it can sometimes be disaggregated and de-anonymized.[4]

[3] Elliot Setzer, “Contact-Tracing Apps in the United States,” Lawfare, May 6, 2020; Ryan Browne, “How Governments and Big Tech Are Looking to Curb the Spread of Coronavirus with Your Smartphone,” CNBC, April 16, 2020, https://www.cnbc.com/2020/04/16/coronavirus-apple-google-and-governments-using-contact-tracing-tech.html; and Enlisting Big Data in the Fight Against Coronavirus: Hearing Before the Senate Committee on Commerce, Science, and Transportation, 116th Cong. (2020), https://www.commerce.senate.gov/2020/4/enlisting-big-data-in-the-fight-against-coronavirus.
[4] Although aggregate data conveys information about groups rather than individuals, it may be possible to identify individuals, especially if the data refers to a small geographic area or group, or if it is combined with publicly available information and examined over time. See Sidney Fussell and Will Knight, “The Apple-Google Contact Tracing Plan Won’t Stop Covid Alone,” Wired, April 14, 2020, https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone/; Ling Yin et al., “Re-Identification Risk versus Data Utility for Aggregated Mobility Research Using Mobile Phone Location Data,” PLoS ONE 10, no. 10 (2015), https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone/; Ed Felten, “Is Aggregate Data Always Private?,” Tech@FTC Blog, Federal Trade Commission, May 21, 2012, https://www.ftc.gov/news-events/blogs/techftc/2012/05/aggregate-data-always-private; and Joseph A. Calandrino et al., “‘You Might Also Like:’ Privacy Risks of Collaborative Filtering,” IEEE Symposium on Security and Privacy (May 2011): 231–246, http://www.cs.utexas.edu/~shmat/shmat_oak11ymal.pdf.

Moreover, there are few limits on the sharing of location information among government agencies.[5] Instead, several laws promote government-wide information sharing.[6] For example, location data collected by the U.S. Department of Health and Human Services (HHS) for the ostensible purpose of combating the coronavirus might easily be shared with local governments, other federal agencies, or law enforcement.[7]

[5] Neither the Privacy Act of 1974 nor the Health Insurance Portability and Accountability Act (HIPAA) provides sufficient protection against information sharing. The Privacy Act, which protects records about individuals retrieved by personal identifiers like name or date of birth, does not apply to aggregate or anonymized location data, or databases that contain personally identifiable information but do not retrieve information using that data. Moreover, the act contains substantial exceptions, including permitting information sharing with law enforcement and disclosures for “routine uses,” which agencies often reserve when giving notice of a data collection proposal. Privacy Act of 1974, 5 U.S.C. § 552a (2020); Privacy of Individually Identifiable Health Information, 45 C.F.R. §§ 164.500 to 164.534 (2019). Similarly, HIPAA, which establishes the conditions by which a health-care provider or associate may disclose individually identifiable health information, does not meaningfully restrict disclosure of aggregate or de-identified data or non-health information. In addition, in light of Covid-19, HHS recently released a waiver that significantly curtails the scope of HIPAA protections and facilitates information sharing. See Office of the Secretary, U.S. Department of Health and Human Services, “Enforcement Discretion Under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID–19,” Federal Register 85, no. 67 (April 7, 2020), https://www.govinfo.gov/content/pkg/FR-2020-04-07/pdf/2020-07268.pdf.
[6] For example, the National Counterterrorism Center (NCTC) is directed by statute to “ensure that agencies . . . have access to and receive all-source intelligence support needed to execute their counterterrorism plans or perform independent, alternative analysis” and to ensure that such agencies “have access to and receive intelligence needed to accomplish their assigned activities.” 50 U.S.C. § 3056 (2020). A recent memorandum written by U.S. Deputy Attorney General Jeffrey Rosen designating the coronavirus as a “biological agent” means that information collected by government health officials to counter the coronavirus might be shared with other agencies and law enforcement within the NCTC. See Jeffrey Rosen, U.S. Deputy Attorney General, to All Heads of Law Enforcement Components, Heads of Litigating Divisions, and United States Attorneys, memorandum, March 24, 2020, Department of Justice Enforcement Actions Related to COVID-19, https://www.justice.gov/file/1262771/download.
[7] Within HHS, data sharing practices vary widely. In a 2018 report, the agency noted: “The Department lacks a consistent, transparent, and standardized framework for sharing restricted and nonpublic data among its agencies in a timely and efficient manner. Each agency, and often agency personnel for each dataset, has the autonomy to interpret the rules for data sharing processes. Data sharing processes can range from non-existent and informal, to formal and consistent. . . . The data governance rules are not formalized. The sharing of those datasets can be ruled by individual relationships and/or staff availability.” Office of the Chief Technology Officer, U.S. Department of Health and Human Services, The State of Data Sharing at the U.S. Department of Health and Human Services, September 2018, https://www.hhs.gov/sites/default/files/HHS_StateofDataSharing_0915.pdf. One significant concern is that location data collected by HHS or another government agency might eventually find its way into the hands of law enforcement, which would ordinarily be required to obtain a warrant or court order before obtaining such data. Both the Privacy Act and HIPAA Privacy Rule contain exceptions for disclosures to law enforcement. 5 U.S.C. § 552a (2020); 45 C.F.R. §§ 164.500 to 164.534.

Any effort to use location or proximity tracking must compensate for the lack of a regulatory framework that protects Americans’ civil liberties. As the Supreme Court has repeatedly recognized, location information can reveal intimate details of a person’s life, including visits to a lawyer, psychiatrist, specialized health clinic, or religious site.[8] Absent meaningful safeguards, government collection of revealing information might infringe on core civil liberties such as freedom of association and freedom of expression, especially if the data is misappropriated.

[8] Several recent U.S. Supreme Court decisions regarding Fourth Amendment protections for location data have highlighted the sensitivity of this information. For example, the U.S. Supreme Court noted in Carpenter v. United States that location data reveals a wealth of detail about a person’s “familial, political, professional, religious, and sexual associations.” Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018). In United States v. Jones, Justice Sotomayor noted that location data will disclose things that are indisputably private in nature — including “trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.” United States v. Jones, 132 S. Ct. 945, 955 (2012) (Sotomayor, J., concurring) (quoting People v. Weaver, 12 N.Y.3d 433, 441–442 (N.Y. 2009)).

The government’s use of location or proximity data also raises equity concerns. In the United States, one out of every five adults does not own a smartphone — with older and low-income Americans representing a disproportionate share of those without such a device.[9] Using location data to inform a government response to the coronavirus will be less effective and less successful due to these gaps. On the flip side, inequities might also be manifested if measures of aggregate foot traffic generated by cell phone location data are used to calibrate the enforcement of social distancing measures. Communities where people move around more because they must commute to a job, need to travel farther to buy groceries, or are looking for shelter may become targets of outsize policing.[10]

[9] “Mobile Fact Sheet,” Pew Research Center, June 12, 2019, https://www.pewresearch.org/internet/fact-sheet/mobile.
[10] Amos Toh, “Big Data Could Undermine the Covid-19 Response,” Wired, April 12, 2020, https://www.wired.com/story/big-data-could-undermine-the-covid-19-response.

Statutory Overview

There is no comprehensive data privacy law in the United States; instead, a piecemeal statutory structure protects certain types of personal data.[11] The Stored Communications Act (SCA) and the Telecommunications Act are most relevant to the question of when private companies may voluntarily disclose location data (revealing where a person is) or proximity data (revealing how close a person is to another) to the government. Together, these two laws limit companies providing certain services to the public from voluntarily revealing an individual’s personally identifiable location or proximity information to the government, whether it originates from cell tower data, GPS, Bluetooth, Wi-Fi, a combination of these sources, or some other source entirely.

[11] Zachary S. Heck, “A Litigator’s Primer on European Union and American Privacy Laws and Regulations,” Litigation 44, no. 2 (2018): 59 (“The United States has a patchwork of laws at both the federal and state levels relating to data protection and information sharing.”).

Specifically, the SCA prohibits entities that provide phone, messaging, data storage, or data processing services to the public from voluntarily disclosing to the government the content of communications they carry or maintain, or their customers’ records.[12] Whether location or proximity data might be categorized as “content” or a “record” within the meaning of the SCA is a fact-specific question that depends in part on the purpose for which it is logged or transmitted, as described in further detail below.[13] The Telecommunications Act prohibits phone carriers from disclosing their customers’ personally identifiable call location information to any entity, including the government and data brokers.[14]

[12] The Stored Communications Act (SCA) prohibits covered entities from knowingly divulging to any person or entity the contents of a communication. It also prohibits covered entities from knowingly divulging to any governmental entity customer records or other information. See Stored Communications Act of 1986, 18 U.S.C. § 2702(a) (2020).
[13] There is no definition of “record” in the SCA, but courts have interpreted the term to include some data revealing a customer’s location, most notably cell-site location data. For example, in Carpenter v. United States, the U.S. Supreme Court addressed the application of § 2703 of the SCA to cell phone location data. The Court held that a warrant was required to obtain seven days of historical cell-site location information (CSLI) obtained from a suspect’s wireless carrier, pursuant to an order issued by a federal magistrate judge under the act. Carpenter, 138 S. Ct. at 2213. Location or proximity data may also be considered the “content” of a communication, especially if the purpose of a service is to record or communicate such data. For example, Google has argued that its location history feature acts as a journal logging a person’s whereabouts, with the retained data therefore being the “content” of an entry. Brief of Amicus Curiae Google LLC in Support of Neither Party Concerning Defendant’s Motion to Suppress Evidence from a “Geofence” General Warrant (ECF No. 29), United States v. Chatrie, No. 3:19-CR-00130 (E.D. Va.), https://www.nacdl.org/getattachment/723adf0b-90b1-4254-ab82-e5693c48e951/191220-chatrie-google-amicus-brief.pdf.
[14] The Telecommunications Act prohibits covered entities from disclosing customer proprietary network information (CPNI) to any entity, including the government, unless an exception applies. See Communications Act of 1934, 47 U.S.C. § 222(c)(1) (2020) (“Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.”). Express prior authorization is required for a customer to approve the disclosure of their call location information. 47 U.S.C. § 222(f)(1). See also “FCC Proposes Over $200M in Fines for Wireless Location Data Violations,” Federal Communications Commission, February 28, 2020, https://www.fcc.gov/document/fcc-proposes-over-200m-fines-wireless-location-data-violations. In the course of bringing this enforcement action, the FCC interpreted CPNI — without binding precedential effect — to broadly encompass “location information collected by carriers from a mobile device during a telephone call and . . . when the device is turned on and available for calls but not engaged in transmitting a voice conversation.” In the Matter of AT&T, Inc., Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd. 1743, 2020 WL 1024412, at *11 (F.C.C. Feb. 28, 2020), https://docs.fcc.gov/public/attachments/FCC-20-26A1.pdf. However, as confirmed in a 2013 FCC declaratory ruling, the clearly established scope of location data protected as CPNI is limited to location information logged in connection with the use of a “telecommunication service,” that is, when making or receiving a call. See “CPNI (Customer Proprietary Network Information),” Electronic Privacy Information Center, accessed May 5, 2020, https://epic.org/privacy/cpni (citing 2013 ruling). A 2016 FCC order would have expanded the definition of CPNI in a manner confirmed to cover location information intermittently logged in the course of a phone’s connection to the network, but this order was repealed in 2017. “CPNI,” Electronic Privacy Information Center.

The Federal Trade Commission (FTC) Act might also protect Americans where companies have violated promises not to disclose particular types of data. But it can only be enforced by the federal government itself, which is unlikely to happen where it is the federal government seeking the data (see sidebar on page 4). The main types and sources of location and proximity data, as well as the relevant governing statutes, are outlined in the appendices to this report.

Whether each statute prohibits the disclosure of location or proximity data to the government depends on a number of factors. The key considerations are:

  • Have people opted into an application or other program through which they know data may be shared with the government for the purpose of combating the coronavirus?
  • If not, does a company with this data have its customers’ consent to disclose it?
  • In what capacity was a wireless carrier, a developer of a smartphone application or platform, a data broker or analytics provider, or another source acting while collecting the data? For example, was the entity providing messaging, data storage, or data processing services?
  • Is the data aggregated in a fashion that makes it impossible to connect to individuals?
  • Has the data been sufficiently de-identified? That is, have individual data points been stripped of details, such as a name, phone number, or address, that would make them immediately linkable to a given person?

Gaps in this regulatory framework permit workarounds for governments seeking people’s location or proximity data without their knowledge or consent. For example, while the government could not get an individual’s location information from a cell service provider, such as AT&T or Verizon, without a warrant,[15] it may be able to buy it from a data broker who is legally able to purchase similar information from a smartphone application developer who collects it. Constitutional arguments, not discussed here, may provide fodder for additional constraints.[16]

[15] In Carpenter v. United States, the U.S. Supreme Court addressed the application of Section 2703 of the SCA to cell phone location data. The Court held that a warrant was required to obtain seven days of historical CSLI from a suspect’s wireless carrier. Carpenter, 138 S. Ct. at 2206.
[16] See, e.g., Alan Z. Rozenshtein, “Disease Surveillance and the Fourth Amendment,” Lawfare, April 7, 2020, https://www.lawfareblog.com/disease-surveillance-and-fourth-amendment.
