Pandemic Data-Sharing Puts New Pressure on Privacy Protections
Data sharing by technology companies is helping government officials fight the dizzying spread of the coronavirus by monitoring compliance with social distancing and stay-at-home orders.
It’s also putting privacy experts on edge.
Companies including Alphabet Inc.’s Google and Facebook Inc. were already collecting, for advertising purposes, huge volumes of data from websites and smart-phone apps like maps and weather services, which transmit signals about their owners’ location. Some of them are now stripping the data of personal identification markers, aggregating it, and providing it to researchers, public-health authorities and government agencies.
The ability to pinpoint the movements of individuals is crucial at a time when controlling the pandemic’s spread depends on compliance with government orders to stay home if possible, and to practice social distancing if not.
But consumer advocates fear that an emphasis on health over privacy could undermine the protection of civil liberties, similar to what happened after 9/11, when the U.S. secretly began collecting mass amounts of data on its own citizens in an effort to track down terrorists.
Risk of Intrusion
“There is an understandable desire to marshal all tools that are at our disposal to help confront the pandemic,” said Michael Kleinman, director of Amnesty International’s Silicon Valley Initiative. “Yet countries’ efforts to contain the virus must not be used as an excuse to create a greatly expanded and more intrusive digital surveillance system.”
In the U.S. the new data-sharing practices are happening on many levels. One leading effort that began two weeks ago involves a partnership between a network of researchers and tech companies such as Facebook, which supplies anonymous and aggregated geo-location data.
In assembly-line fashion, an analytics firm called Camber Systems takes mobile application data from digital ad companies and sends it multiple times a day to researchers who’ve joined the Covid-19 Mobility Data Network, according to network co-coordinator Andrew Schroeder.
Those scientists study the now-anonymous data from multiple sources for insights about mobility rates, which are then shared with foreign governments like Italy and Spain and with U.S. states and cities, including New York, Seattle and California, Schroeder said.
The network says the analysis, which is meant to help measure enforcement of social-distancing rules, doesn’t contain personally identifiable information and that contracts governing the use of the information prohibit raw data from going directly to governments.
Camber Systems declined to comment. Facebook said its data are aggregated in formats that prevent re-identification of individuals and that scientists and other users are subject to licensing agreements. Schroeder said the group is only using the data to address the public health crisis and not “for commercial purposes” or for “police surveillance.”
Separately, Facebook, Google, Microsoft Corp., Amazon.com Inc. and others have pledged to work together in coordination with government to combat the spread of the virus. An ad hoc tech industry task force has also spoken with White House officials and the U.S. Centers for Disease Control and Prevention, according to a person familiar with the matter. Members of that task force have discussed proposals to share analyses of social-distancing compliance and hospital usage, the person said.
Google announced Friday it would release new data about how the pandemic has cut down on foot traffic to transit centers, retail stores and public parks in more than 130 countries. The company said it’s responding to requests from public-health officials who want to know how people are moving around cities as a way to better combat the spread of Covid-19, the disease caused by the virus. Google reiterated in a blog post on Friday that, in its mobility reports, it’s using anonymized, aggregated data.
Apple Inc. launched yet another initiative when it announced on March 27 that it was developing an app in partnership with the White House’s coronavirus task force, the CDC and the Federal Emergency Management Agency. The goal is to give the CDC guidance on users who input symptoms, risk factors and other information. The company said that individual responses wouldn’t be sent to the government.
But on Friday, four Democratic senators sent a letter asking what Apple was doing about privacy compliance, data retention, cybersecurity, and the terms of agreements with governments.
With so many initiatives popping up, privacy gurus worry that information collected will later be used in ways it wasn’t intended. They say they don’t want to obstruct efforts that could help turn the tide in the crisis. Still, they want assurances that the data are truly anonymous. They want the data to be clearly defined, with real potential to be helpful, and to include limits on its reuse -- especially by law enforcement. They also want the data discarded once the coronavirus crisis ends.
The sources of anonymous data can sometimes be exposed by combining datasets. Even when made anonymous, location points that come from phone apps, for instance, can be linked to a person by checking who lives at the address where the phone rests at night.
“Location data can clue you in to a lot of other sensitive points about you,” said Sara Collins, policy counsel at Public Knowledge. “This discussion about backing into sensitive data from one data point I think is going to stay relevant.”
Some of the data-sharing initiatives have already exposed potential community-spread problems. Tectonix GEO, based in Maryland, specializes in visualizing geolocation data, including for the federal government. It teamed up with X-Mode Social, based in Virginia, which sells location data from mobile phones to marketers. In March, they used the phone coordinates found on a single Florida beach during spring break to show how people had congregated and then dispersed -- possibly spreading the virus far and wide.
X-Mode hasn’t shared any data with governments or heath agencies and hasn’t been been asked to, a spokesman for the company said.
Cuebiq Inc., which specializes in helping companies analyze the effectiveness of ad campaigns on travel, weather, and other location-based apps, is posting its own “Mobility Insights,” with county-level readings across the U.S. on the movements of people in areas under stay-at-home orders. Chief Executive Officer Antonio Tomarchio, said it chose to provide analysis from a wide geographic area to protect privacy while trying “to help as much as we can.”
“This is not like surveillance,” said Tomarchio, who’s watched the “disaster” unfold in his native Italy. “It’s not that we’re seeing each device.”
Business groups have used the pandemic to seek a delay in privacy rules, including a March letter from dozens of trade groups that urged California Attorney General Xavier Becerra to delay enforcement of the state’s new privacy law for six months due to Covid-19. The groups represent advertisers, tech companies, financial services firms, telecom providers, retailers, toymakers and more. Becerra’s office said it wasn’t planning any delay in the July 1 enforcement date.
“Industry wants to use its role addressing today’s threats to public health as a lobbying tool to weaken the resolve of lawmakers to protect privacy,” said Jeff Chester, executive director of the Center for Digital Democracy and a longtime online privacy advocate.
Use of consumers’ data is governed largely by individual services’ privacy policies, which are often contained in sprawling documents that most users click through without reading. Few, if any, of the data uses clearly run afoul of laws or regulations, privacy experts say.
Many of the proposed ways to use data to combat coronavirus in the U.S. also stop short of what several other countries have done.
In China, authorities used phone-carrier data to trace everyone who’s been in or near Hubei province, home to Wuhan, the epicenter of the outbreak. Singapore’s TraceTogether app uses Bluetooth technology to map a person’s contacts in case an infected person fails to recall all social interactions. And Israel has approved the use of tracking technology developed to combat terrorism to trace the movements of coronavirus patients.
The lack of a federal law in the U.S. and the potential for privacy erosions are prompting advocates to push for guardrails. “This pandemic is just another example of why we need a strong, comprehensive baseline federal privacy law and a U.S. data protection agency,” said Caitriona Fitzgerald, policy director of the Electronic Privacy Information Center, which has filed government records demands about the White House’s work with tech companies.
“People may choose safety for the moment,” said Jessica Rich, a former director of the Federal Trade Commission’s consumer protection bureau and now a fellow at Georgetown Law’s Institute for Technology Law & Policy. “When this crisis is over, we will have eroded privacy norms and expectations and even regulations. And will we be able to get that back?”
©2020 Bloomberg L.P.