
Government Access to Mobile Phone Data for Contact Tracing

Summary: A patchwork of privacy laws provides inadequate protections for location data used for public health purposes.

In an effort to contain the coronavirus, companies and governments across the globe are developing technological tools to trace its spread. Many of these tools seek to monitor individuals and groups in order to help identify potential carriers of the virus, alert people who may have been infected, flag places that may be at high risk, and measure the impact of public health initiatives such as social distancing directives. While proposals run the gamut from analyzing networked thermometer data nationwide to deploying remote heat sensors for fever detection,[1] in the U.S. attention is focused mostly on using location or proximity data produced by cell phones to track movements and interactions at both the individual and population levels.[2]

[1] See, e.g., Ed Garsten, “Drive-By Heat Sensors Could Help Detect Vehicle Occupants with COVID-19,” Forbes, April 1, 2020, https://www.forbes.com/sites/edgarsten/2020/04/01/drive-by-heat-sensors-could-help-detect-vehicle-occupants-with-covid-19/#455a60b62b0e; “Taking People’s Temperatures Can Help Fight the Coronavirus,” Economist, March 26, 2020; and Donald McNeil Jr., “Can Smart Thermometers Track the Spread of the Coronavirus?,” New York Times, March 18, 2020, https://www.nytimes.com/2020/03/18/health/coronavirus-fever-thermometers.html.
[2] This primer focuses on location data obtained through cell phones, though such data may also be gleaned from other surveillance technologies, like video, facial recognition, or automated license plate readers. See, e.g., Caroline Haskins and Ryan Mac, “A US Senator Wants to Know Which Federal Authorities Are Using Clearview AI to Track the Coronavirus,” BuzzFeed News, April 30, 2020, https://www.buzzfeednews.com/article/carolinehaskins1/senator-markey-clearview-ai-covid-contact-tracing; and Catherine Crump, You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans’ Movements, American Civil Liberties Union, July 2013, https://www.aclu.org/issues/privacy-technology/location-tracking/you-are-being-tracked.

Many of these tools are being developed by the private sector, but the federal government and state governments are clearly interested in influencing their design and accessing the data they generate.[3] At the same time, the patchwork of laws governing the disclosure of location data to the government — by cell phone companies, smartphone application developers, data brokers, individuals, and others — does not adequately protect Americans’ privacy. Cell phone carriers are fairly heavily regulated when it comes to individually identifiable data, but constraints on other entities that collect similar information are markedly weaker. Aggregate data that does not explicitly divulge individuals’ locations, identities, or associations is subject to even fewer limitations, despite evidence that it can sometimes be disaggregated and de-anonymized.[4]

[3] Elliot Setzer, “Contact-Tracing Apps in the United States,” Lawfare, May 6, 2020; Ryan Browne, “How Governments and Big Tech Are Looking to Curb the Spread of Coronavirus with Your Smartphone,” CNBC, April 16, 2020, https://www.cnbc.com/2020/04/16/coronavirus-apple-google-and-governments-using-contact-tracing-tech.html; and Enlisting Big Data in the Fight Against Coronavirus: Hearing Before the Senate Committee on Commerce, Science, and Transportation, 116th Cong. (2020), https://www.commerce.senate.gov/2020/4/enlisting-big-data-in-the-fight-against-coronavirus.
[4] Although aggregate data conveys information about groups rather than individuals, it may be possible to identify individuals, especially if the data refers to a small geographic area or group, or if it is combined with publicly available information and examined over time. See Sidney Fussell and Will Knight, “The Apple-Google Contact Tracing Plan Won’t Stop Covid Alone,” Wired, April 14, 2020, https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone/; Ling Yin et al., “Re-Identification Risk versus Data Utility for Aggregated Mobility Research Using Mobile Phone Location Data,” PLoS ONE 10, no. 10 (2015), https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone/; Ed Felten, “Is Aggregate Data Always Private?,” Tech@FTC Blog, Federal Trade Commission, May 21, 2012, https://www.ftc.gov/news-events/blogs/techftc/2012/05/aggregate-data-always-private; and Joseph A. Calandrino et al., “‘You Might Also Like:’ Privacy Risks of Collaborative Filtering,” IEEE Symposium on Security and Privacy (May 2011): 231–246, http://www.cs.utexas.edu/~shmat/shmat_oak11ymal.pdf.

Moreover, there are few limits on the sharing of location information among government agencies.[5] Instead, several laws promote government-wide information sharing.[6] For example, location data collected by the U.S. Department of Health and Human Services (HHS) for the ostensible purpose of combating the coronavirus might easily be shared with local governments, other federal agencies, or law enforcement.[7]

[5] Neither the Privacy Act of 1974 nor the Health Insurance Portability and Accountability Act (HIPAA) provides sufficient protection against information sharing. The Privacy Act, which protects records about individuals retrieved by personal identifiers like name or date of birth, does not apply to aggregate or anonymized location data, or databases that contain personally identifiable information but do not retrieve information using that data. Moreover, the act contains substantial exceptions, including permitting information sharing with law enforcement and disclosures for “routine uses,” which agencies often reserve when giving notice of a data collection proposal. Privacy Act of 1974, 5 U.S.C. § 552a (2020); Privacy of Individually Identifiable Health Information, 45 C.F.R. §§ 164.500 to 164.534 (2019). Similarly, HIPAA, which establishes the conditions by which a health-care provider or associate may disclose individually identifiable health information, does not meaningfully restrict disclosure of aggregate or de-identified data or non-health information. In addition, in light of Covid-19, HHS recently released a waiver that significantly curtails the scope of HIPAA protections and facilitates information sharing. See Office of the Secretary, U.S. Department of Health and Human Services, “Enforcement Discretion Under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID–19,” Federal Register 85, no. 67 (April 7, 2020), https://www.govinfo.gov/content/pkg/FR-2020-04-07/pdf/2020-07268.pdf.
[6] For example, the National Counterterrorism Center (NCTC) is directed by statute to “ensure that agencies . . . have access to and receive all-source intelligence support needed to execute their counterterrorism plans or perform independent, alternative analysis” and to ensure that such agencies “have access to and receive intelligence needed to accomplish their assigned activities.” 50 U.S.C. § 3056 (2020). A recent memorandum written by U.S. Deputy Attorney General Jeffrey Rosen designating the coronavirus as a “biological agent” means that information collected by government health officials to counter the coronavirus might be shared with other agencies and law enforcement within the NCTC. See Jeffrey Rosen, U.S. Deputy Attorney General, to All Heads of Law Enforcement Components, Heads of Litigating Divisions, and United States Attorneys, memorandum, March 24, 2020, Department of Justice Enforcement Actions Related to COVID-19, https://www.justice.gov/file/1262771/download.
[7] Within HHS, data sharing practices vary widely. In a 2018 report, the agency noted: “The Department lacks a consistent, transparent, and standardized framework for sharing restricted and nonpublic data among its agencies in a timely and efficient manner. Each agency, and often agency personnel for each dataset, has the autonomy to interpret the rules for data sharing processes. Data sharing processes can range from non-existent and informal, to formal and consistent. . . . The data governance rules are not formalized. The sharing of those datasets can be ruled by individual relationships and/or staff availability.” Office of the Chief Technology Officer, U.S. Department of Health and Human Services, The State of Data Sharing at the U.S. Department of Health and Human Services, September 2018, https://www.hhs.gov/sites/default/files/HHS_StateofDataSharing_0915.pdf. One significant concern is that location data collected by HHS or another government agency might eventually find its way into the hands of law enforcement, which would ordinarily be required to obtain a warrant or court order before obtaining such data. Both the Privacy Act and HIPAA Privacy Rule contain exceptions for disclosures to law enforcement. 5 U.S.C. § 552a (2020); 45 C.F.R. §§ 164.500 to 164.534.

Any effort to use location or proximity tracking must compensate for the lack of a regulatory framework that protects Americans’ civil liberties. As the Supreme Court has repeatedly recognized, location information can reveal intimate details of a person’s life, including visits to a lawyer, psychiatrist, specialized health clinic, or religious site.[8] Absent meaningful safeguards, government collection of revealing information might infringe on core civil liberties such as freedom of association and freedom of expression, especially if the data is misappropriated.

[8] Several recent U.S. Supreme Court decisions regarding Fourth Amendment protections for location data have highlighted the sensitivity of this information. For example, the U.S. Supreme Court noted in Carpenter v. United States that location data reveals a wealth of detail about a person’s “familial, political, professional, religious, and sexual associations.” Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018). In United States v. Jones, Justice Sotomayor observed that location data will disclose things that are indisputably private in nature — including “trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.” United States v. Jones, 132 S. Ct. 945, 955 (2012) (Sotomayor, J., concurring) (quoting People v. Weaver, 12 N.Y.3d 433, 441–442 (N.Y. 2009)).

The government’s use of location or proximity data also raises equity concerns. In the United States, one out of every five adults does not own a smartphone — with older and low-income Americans representing a disproportionate share of those without such a device.[9] Using location data to inform a government response to the coronavirus will be less effective and less successful due to these gaps. On the flip side, inequities might also be manifested if measures of aggregate foot traffic generated by cell phone location data are used to calibrate the enforcement of social distancing measures. Communities where people move around more because they must commute to a job, need to travel farther to buy groceries, or are looking for shelter may become targets of outsize policing.[10]

[9] “Mobile Fact Sheet,” Pew Research Center, June 12, 2019, https://www.pewresearch.org/internet/fact-sheet/mobile.
[10] Amos Toh, “Big Data Could Undermine the Covid-19 Response,” Wired, April 12, 2020, https://www.wired.com/story/big-data-could-undermine-the-covid-19-response.

Statutory Overview

There is no comprehensive data privacy law in the United States; instead, a piecemeal statutory structure protects certain types of personal data.[11] The Stored Communications Act (SCA) and the Telecommunications Act are most relevant to the question of when private companies may voluntarily disclose location data (revealing where a person is) or proximity data (revealing how close a person is to another) to the government. Together, these two laws limit companies providing certain services to the public from voluntarily revealing an individual’s personally identifiable location or proximity information to the government, whether it originates from cell tower data, GPS, Bluetooth, Wi-Fi, a combination of these sources, or some other source entirely.

[11] Zachary S. Heck, “A Litigator’s Primer on European Union and American Privacy Laws and Regulations,” Litigation 44, no. 2 (2018): 59 (“The United States has a patchwork of laws at both the federal and state levels relating to data protection and information sharing.”).

Specifically, the SCA prohibits entities that provide phone, messaging, data storage, or data processing services to the public from voluntarily disclosing to the government the content of communications they carry or maintain, or their customers’ records.[12] Whether location or proximity data might be categorized as “content” or a “record” within the meaning of the SCA is a fact-specific question that depends in part on the purpose for which it is logged or transmitted, as described in further detail below.[13] The Telecommunications Act prohibits phone carriers from disclosing their customers’ personally identifiable call location information to any entity, including the government and data brokers.[14]

[12] The Stored Communications Act (SCA) prohibits covered entities from knowingly divulging to any person or entity the contents of a communication. It also prohibits covered entities from knowingly divulging to any governmental entity customer records or other information. See Stored Communications Act of 1986, 18 U.S.C. § 2702(a) (2020).
[13] There is no definition of “record” in the SCA, but courts have interpreted the term to include some data revealing a customer’s location, most notably cell-site location data. For example, in Carpenter v. United States, the U.S. Supreme Court addressed the application of § 2703 of the SCA to cell phone location data. The Court held that a warrant was required to obtain seven days of historical cell-site location information (CSLI) obtained from a suspect’s wireless carrier, pursuant to an order issued by a federal magistrate judge under the act. Carpenter, 138 S. Ct. at 2213. Location or proximity data may also be considered the “content” of a communication, especially if the purpose of a service is to record or communicate such data. For example, Google has argued that its location history feature acts as a journal logging a person’s whereabouts, with the retained data therefore being the “content” of an entry. Brief of Amicus Curiae Google LLC in Support of Neither Party Concerning Defendant’s Motion to Suppress Evidence from a “Geofence” General Warrant (ECF No. 29), United States v. Chatrie, No. 3:19-CR-00130 (E.D. Va.), https://www.nacdl.org/getattachment/723adf0b-90b1-4254-ab82-e5693c48e951/191220-chatrie-google-amicus-brief.pdf.
[14] The Telecommunications Act prohibits covered entities from disclosing customer proprietary network information (CPNI) to any entity, including the government, unless an exception applies. See Communications Act of 1934, 47 U.S.C. § 222(c)(1) (2020) (“Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.”). Express prior authorization is required for a customer to approve the disclosure of their call location information. 47 U.S.C. § 222(f)(1). See also “FCC Proposes Over $200M in Fines for Wireless Location Data Violations,” Federal Communications Commission, February 28, 2020, https://www.fcc.gov/document/fcc-proposes-over-200m-fines-wireless-location-data-violations. In the course of bringing this enforcement action, the FCC interpreted CPNI — without binding precedential effect — to broadly encompass “location information collected by carriers from a mobile device during a telephone call and . . . when the device is turned on and available for calls but not engaged in transmitting a voice conversation.” In the Matter of AT&T, Inc., Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd. 1743, 2020 WL 1024412, at *11 (F.C.C. Feb. 28, 2020), https://docs.fcc.gov/public/attachments/FCC-20-26A1.pdf. However, as confirmed in a 2013 FCC declaratory ruling, the clearly established scope of location data protected as CPNI is limited to location information logged in connection with the use of a “telecommunication service,” that is, when making or receiving a call. See “CPNI (Customer Proprietary Network Information),” Electronic Privacy Information Center, accessed May 5, 2020, https://epic.org/privacy/cpni (citing 2013 ruling). A 2016 FCC order would have expanded the definition of CPNI in a manner confirmed to cover location information intermittently logged in the course of a phone’s connection to the network, but this order was repealed in 2017. “CPNI,” Electronic Privacy Information Center.

The Federal Trade Commission (FTC) Act might also protect Americans where companies have violated promises not to disclose particular types of data. But it can only be enforced by the federal government itself, which is unlikely to happen where it is the federal government seeking the data (see sidebar on page 4). The main types and sources of location and proximity data, as well as the relevant governing statutes, are outlined in the appendices to this report.

Whether each statute prohibits the disclosure of location or proximity data to the government depends on a number of factors. Key considerations include:

  • Have people opted into an application or other program through which they know data may be shared with the government for the purpose of combating the coronavirus?
  • If not, does a company with this data have its customers’ consent to disclose it?
  • In what capacity was a wireless carrier, a developer of a smartphone application or platform, a data broker or analytics provider, or another source acting while collecting the data? For example, was the entity providing messaging, data storage, or data processing services?
  • Is the data aggregated in a fashion that makes it impossible to connect to individuals?
  • Has the data been sufficiently de-identified? That is, have individual data points been stripped of details, such as a name, phone number, or address, that would make them immediately linkable to a given person?

Gaps in this regulatory framework permit workarounds for governments seeking people’s location or proximity data without their knowledge or consent. For example, while the government could not get an individual’s location information from a cell service provider, such as AT&T or Verizon, without a warrant,[15] it may be able to buy it from a data broker who is legally able to purchase similar information from a smartphone application developer who collects it. Constitutional arguments, not discussed here, may provide fodder for additional constraints.[16]

[15] In Carpenter v. United States, the U.S. Supreme Court addressed the application of Section 2703 of the SCA to cell phone location data. The Court held that a warrant was required to obtain seven days of historical CSLI from a suspect’s wireless carrier. Carpenter, 138 S. Ct. at 2206.
[16] See, e.g., Alan Z. Rozenshtein, “Disease Surveillance and the Fourth Amendment,” Lawfare, April 7, 2020, https://www.lawfareblog.com/disease-surveillance-and-fourth-amendment.
