Must Privacy Die To Save The World?
Remember the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA?
For those of you who don’t, or don’t want to, or hadn’t even been born yet, let me take you back to the 90s when then-president Bill Clinton signed HIPAA into law. HIPAA was “designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.”
HIPAA was a behemoth: a complex collection of legislation that created entirely new layers of bureaucracy, all the way from the federal government down to the single-practitioner doctor’s office in the middle of nowhere.
A major component of HIPAA was the Privacy Rule, which established a set of national standards for the protection of individuals’ health information. According to the U.S. Department of Health & Human Services, “the Privacy Rule protects all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”
One of the major purposes of HIPAA was to protect your health information and your privacy.
Fast forward to 2020: the world is gripped in the throes of a global pandemic and a major health crisis, and our privacy is going to be pulled apart at the seams in ways we haven’t even imagined yet.
For example, last month Apple and Google announced a joint effort to develop a contact-tracing system for tracing the spread of COVID-19, the disease caused by the novel coronavirus (SARS-CoV-2).
“Contact-tracing” is the process of identifying people who may have come into contact with an infected person and testing those contacts for infection. It is a time-consuming and imperfect process that has been used by public health workers to try to stop the spread of infectious diseases such as tuberculosis and HIV.
According to Google’s press release regarding the Apple/Google joint contact-tracing effort, “Since COVID-19 can be transmitted through close proximity to affected individuals, public health organizations have identified contact-tracing as a valuable tool to help contain its spread. A number of leading public health authorities, universities, and NGOs around the world have been doing important work to develop opt-in contact tracing technology. To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact-tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy.”
Whenever privacy protection is highlighted by a technology company, that’s a red flag that you’re going to have to surrender some privacy in order for the new gadget or system to work effectively. If we haven’t learned this lesson already with the rise of social networking apps, then we never will.
What the Apple/Google partnership—let’s just refer to them as “Goople”—plans to build and release is an Application Programming Interface (API) that enables cross-platform interoperability between Android and iOS apps provided by public health authorities. These apps will be available to users via Google Play Store and the App Store.
Android is Google’s mobile operating system that runs on 52 percent of the world’s smartphones. iOS is Apple’s mobile operating system that runs on the remaining 48 percent of the world’s smartphones. Goople owns the underlying operating system of the world’s 3.5 billion smartphones.
Following the build and release of an API, Goople further announced that they would build “a broader ecosystem of apps for government health authorities” that uses Bluetooth to establish an “opt-in” contact-tracing network that retains extensive data on phones that have been in close proximity to one another.
According to a white paper on the proposed system, the Bluetooth contact-tracing feature “will only be used for contact-tracing by public health authorities for COVID-19 pandemic management”. Goople also states that no personally identifiable information or user location data will be collected and that the “list of people you’ve been in contact with never leaves your phone.” Lastly, they state that “explicit user consent is required.”
In other words, the contact-tracing system being developed by Goople will be an “opt-in” system.
The problem with an “opt-in” system for contact-tracing is the same problem you would have with voluntary shelter-in-place and social distancing efforts. Not everyone’s going to choose to do that. And if the majority of your population isn’t practicing social distancing and staying home except for essential activities like buying groceries, then your effort to flatten the curve of a pandemic will be unsuccessful.
This is why some states, including Oregon and California, have mandated shelter-in-place and social distancing with executive orders issued by the governor and enacted fines of up to $1200 for violation of those orders.
Goople’s contact-tracing system will be rolled out as an “opt-in” system but will likely prove only partially effective because a large user base will not download the apps and opt in.
If that is the case, and I think it will be, then lawmakers will be tasked with determining if public health concerns outweigh consumers’ privacy concerns. If that is determined to be the case, then the initial opt-in will become mandatory via legislation and contact-tracing will not be an app you can choose to install or not install on your phone—it will be integrated into the underlying operating system of your smartphone.
We have already surrendered so much of our privacy in the modern digital age, the rapid erosion of which can be traced back to the September 11, 2001 terrorist attacks on the World Trade Center and the Pentagon. It seems that the COVID-19 pandemic is another watershed moment in history in which we will have to weigh individual privacy against public health concerns. As we have learned with 9/11 and the ensuing Patriot Act, once you give up a piece of your privacy, you never get it back.
Regardless of what the Goopleplex tells us, I can’t imagine a contact-tracing system being effective without making it mandatory and providing personally identifiable information and location data to public health organizations. This is how contact-tracing has always worked. You have to know who is infected, where they went, and whom they interacted with.
COVID-19 is not the first pandemic we’ve had nor will it be the last. Must privacy die to save the world from these sorts of pandemics through a contact-tracing system that will need to trace our movements and interactions in order to limit the spread of disease? I suspect it might. Brace yourself not just for another pandemic, but an upcoming privacy fight.