BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Contact Tracing Apps Reinforce The Need For A Federal Data Privacy Standard

Forbes Technology Council

Richard Bird is Chief Customer Information Officer at Ping Identity. He is a sought after speaker on digital identity and data privacy.

After a delay, contact tracing apps are coming to smartphones in the U.S. Virginia just became the first state to launch an app using Google and Apple’s Exposure Notification System (ENS). Google announced that 20 U.S. states and territories — about 45% of the population — will soon be using contact tracing apps based on technology, and 16 countries and regions around the world have used them.

Given that experts say it takes about 60% of a population for contact tracing apps to be effective, this effort to detect and prevent the spread of Covid-19 still has some hurdles to overcome. But for people who will be using it, privacy concerns remain. 

Google has addressed privacy concerns related to location tracking by announcing that with the release of Android 11, devices won’t need to have location settings on to use ENS. But that doesn’t solve all the issues these apps pose. While the technology may help slow the spread of coronavirus, it comes at a big social cost and poses what I see as the biggest ethics quandary in my 20 years in the infosec industry. These apps will force citizens to rely on big tech companies — whose business is enabled by monetizing data — to protect the privacy of their sensitive data. These apps play on humanity’s greatest fear: our mortality. 

Other countries are aware of this privacy dilemma. Norway pulled its contact tracing app because real-time GPS data was being constantly uploaded, among other reasons. One recent study found that such apps are being used as mass surveillance tools in Middle Eastern countries. Meanwhile, another study found that of 17 Android contact tracing apps, only one used full encryption and obfuscation to hide sensitive data.

The issue isn’t just the type of data collected but who is collecting it. A recent Axios poll found that a majority of respondents would reject an app developed by tech companies (66%), and even more (68%) would not use one from the U.S. government. Meanwhile, 51% said they would use one from the Centers for Disease Control or other public health officials. 

Commercial interests trump consumer privacy

Big tech companies don’t have the best track record of serving as model stewards of consumer data, as the myriad privacy controversies involving Google and Facebook, and the existence of GDPR itself, attest to.

When we are intellectually honest with ourselves, the fundamental problem with the privacy demands and obligations placed on big tech and other industries is that they request that the data of a consumer be protected while failing to require that the actual consumer be protected as well. Because of this glaring disconnect, all I have ever needed to do is be you and I get your stuff.

This fundamental weakness in identity control hasn’t been magically remedied with the introduction of contract tracing apps. The promise of anonymization has already proved to be an exercise in willful ignorance, in particular given the heat maps that fitness app Strava presented in late 2017 that clearly showed the locations of sensitive military bases and operations. 

The undeniable reality is that the data being aggregated in contact tracing apps has tremendous value. And if it has value, someone will either misuse it or simply ignore the promises made to consumers around privacy and security. A critical question that needs to be resolved in the United States is whether a human being’s digital persona requires a higher duty of protection by companies or if the constant siren call of monetization is the top priority. So far, companies have not shown interest in putting the security and safety interests of consumers ahead of their profit-making.

There are factors mitigating the risks with the use of Apple and Google's technology. So far, use in the U.S. is voluntary. GPS is not used, and the data is encrypted, stored locally and limited to virus contact tracing. However, it’s naive for anyone to think those mitigations can’t be overcome and that anonymized and seemingly innocuous data has no value. If you have enough data and apply statistical analysis, you can triangulate anonymized data to identify exact locations and individuals. In the end, it’s just a math problem. 

National privacy law would protect consumers during coronavirus and beyond

We need a national data privacy standard to address issues that arise with well-intentioned emergency technology like these apps. Absent federal regulation, tech companies will make the rules about protecting consumer data, and the bias could slant toward commercial interests. Contact tracing as it’s being deployed isn’t a solution; it’s a symptom of specious reasoning. Society believes technology can solve its problems, but only by sacrificing privacy. However, we don’t have to make that trade-off.

At a minimum, we need an interim measure to protect consumers using the contact tracing apps during this pandemic. There are three measures in Congress that would address this, and the strongest is the bipartisan Exposure Notification Privacy Act, sponsored by Senator Maria Cantwell. The measure would require apps to be created in collaboration with public health authorities, to include strong privacy safeguards to prevent data misuse, and to get consent to collect data and delete it when consumers request. Meanwhile, Democratic senators want to include privacy provisions in the next round of the coronavirus relief legislation.

Finally, we need to ensure that people can use technology without exposing who they are. You can’t say you’re truly protecting people’s data if their identities aren’t protected too. That’s why our company is a member of the Better Identity Coalition, which is working with policymakers to improve digital security, privacy and convenience for consumers via next-generation remote identity proofing and authentication verification systems. This means contact tracing and other apps that store sensitive information would be better able to safeguard consumer data from hackers and big tech.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?


Follow me on Twitter or LinkedInCheck out my website