M. Ridgway Barker co-authored this article with Joseph Bambara, CIPP/US.
The Covid-19 pandemic has many potential victims, one of which is privacy. Some believe that we are beyond the point where we, as individuals, can control the privacy of our data.
The pandemic has opened more doors for intruders. Considering the billions of people who have smartphones, it is possible to reach people and draw extensive data from their devices. Smartphone applications put users’ privacy and security at risk. Applications (“apps”) that monitor us, e.g., for social distancing, while perhaps helpful in controlling the spread of the virus, create the potential for even greater ills. China was an early mover on contact tracing apps: people were required to install the Alipay Health Code app and fill in personal details. They were then issued a QR code with one of three colors denoting quarantining status. The app reportedly shared location data with the police.
There is no question that using tracing apps to monitor Covid-19 is useful to the health of the general public. They report symptoms of the virus and trace contacts through interaction and proximity analysis. They are used as quarantine-enforcement tools, monitoring locations and interactions. In this context, they are not necessarily optional tools. The apps generate and report data from your device without your involvement. And they can leak data to analytics firms and social media platforms. For example, the decentralized system that Apple and Google use will alert other users who come into proximity with an infected person’s phone. Google and Apple say that users can decide whether to opt in or out of the technology. The companies plan to roll out an application program interface, or API, in May 2020 and then release the underlying technology for use with third-party apps. We need legal and technical safeguards in place to ensure voluntary participation so that people who decline to use contact-tracing apps are not denied access to commercial or government spaces. “Privacy, transparency, and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders,” Apple said in a statement on April 10, 2020.
Unfortunately, we need more than promises. This new intrusion, coupled with the ever-present monitoring that goes on as part of commercial exploitation by Facebook, Google, and analytics companies that have been accumulating location data for years, should be a concern for us all. Privacy and security rules under the Health Insurance Portability and Accountability Act, or HIPAA, will also be affected if so-called “covered entities,” including health plans or health care providers, partner with tech companies to create their own contact-tracing apps. We need a two-pronged approach using law and technology to ensure privacy, transparency, and consent. We need federal legislation that would be all-encompassing and pre-empt the conflicting state privacy laws. We need federal legislation that facilitates technologies like blockchain to control surveillance technology. We need to realize that real enforcement of laws also requires a technology solution to preserve our privacy. Bitcoin and its underlying technology, blockchain, have demonstrated in the financial space that trusted, auditable computing is possible using a decentralized network of peers.
Using a blockchain for a personal data management system (see enigma.co) will ensure that users own and control their data. An individual will be able to store, query, and share their data only with their consent. Blockchain will replace things like usernames and passwords by providing all of us with personalized, encrypted digital identities that we can use to manage everything from online information to our personal medical records (see embleema.com). Blockchain will track and store all of our personal data, and because of its immutable nature, that information will remain safe and secure. Blockchain, coupled with well-crafted laws and regulations, is the combination we need to maintain the individual’s privacy.