Privacy concerns have states taking it slow on contact tracing apps
From the onset of the COVID-19 pandemic, it’s been clear that state and local health authorities would have to undertake one of the biggest contact-tracing efforts in medical history.
Contact tracing — in which patients are interviewed about where they’ve been and who they’ve seen recently — is a centuries-old practice, and a staple of public health efforts since at least the 1920s. Over the decades, it’s been relied upon to help control flu outbreaks, HIV and other sexually transmitted infections and Ebola.
But the 2020 coronavirus pandemic is the biggest global health crisis since smartphones and other mobile devices became ubiquitous, and since its start, populations have been promised that contact tracing will move online, too. Officials have increasingly turned to technology in hopes of eventually containing the deadly, fast-spreading virus, for which a vaccine remains months or even years away. Some national governments, including those in Australia, South Korea, Germany and Canada, have already rolled out, or are in the process of rolling out, apps designed to let their citizens know if they’ve been exposed to a recent outbreak.
In the United States, where the federal response to the pandemic has been inconsistent, responsibility for contact tracing has fallen to individual states, counties and cities. And now, public health agencies across the country are considering whether their approaches to stop a virus that’s infected 3.6 million people and killed nearly 140,000 will include apps.
Whether such apps would become the hottest new digital-government product, though, remains a murky proposition. A poll taken in spring found that 71% of Americans said they would not use a contact-tracing app, citing worries about digital privacy and intrusive health surveillance.
“There will be uncertainty to trust something’s not tracking you,” said Tony Anscombe, then chief security evangelist at the cybersecurity firm ESET. “We know lots of things do track us.”
The upshot for state and local health officials, and their partners in IT, is a choice between developing apps at all and sticking to the tried-and-tested — albeit modernized — form of contact tracing. But based on several interviews with industry professionals, health officials and government IT leaders, contact tracing efforts appear set to remain less digital than once expected.
Track the virus, not locations
North Dakota was the first state to offer its residents an app that promised to tell users if they’d been near someone who tested positive for the coronavirus. But the app, Care19, tracks the movement of COVID-19 patients based on GPS coordinates, creating a potential log of users’ locations that could be used for other purposes later. Despite officials’ insistence that the GPS data collected by Care19 was being anonymized, a security review of an early version of the app — which was built on top of a program initially designed to follow the movements of college football fans — revealed GPS data was being transmitted to the marketing company Foursquare.
The issue has since been fixed and two more states — South Dakota and Wyoming — have joined Care19, but adoption remains very slim: just 4% of North Dakotans were using it by late June, the medical news publication Stat reported.
Yet the nature of contact tracing is dependent on knowing where an infected person has been. The challenge in getting that information digitally is how to do it without jeopardizing a person’s identity.
“A lot of apps have GPS tracking,” said Chris Hazelton, the director of product marketing at the mobile security company Lookout. “They leverage GPS and Wi-Fi, so that gives you good information about where a person has been. That can be really helpful, but also a big invasion of privacy.”
More promising, potentially, is app development based on an API developed by Apple and Google. Rather than GPS, the API, called Exposure Notification, uses Bluetooth technology to locate users. Phones running apps based on that API exchange unique keys — random-number sequences that change every few minutes. Any match against the local health agency’s master list of keys from COVID-19-positive users triggers an alert about potential exposure to the virus.
Apple and Google, which collectively control more than 99% of the global smartphone market, have said Exposure Notification does not allow apps to access devices’ GPS systems, which Hazelton called the “right approach.”
Still, two months after the API’s release, it’s gained only a small foothold in the United States, with just four states — Alabama, North Dakota, South Carolina and Virginia — expressing interest in using it for their contact-tracing apps, though none have gone public yet.
‘Tried and true’
Despite the growing prevalence of mobile apps that provide government services — and the rare collaboration by two of the world’s biggest tech rivals — most states are sticking to what Maryland Deputy IT Secretary Lance Schine called “classic contact tracing.”
Since the start of the pandemic, statewide and large municipal health agencies have tried to staff up armies of contact tracers who make phone calls to people who’ve tested positive for COVID-19 and ask about their recent activities. It’s an age-old process, though it is now supported by a modern software stack.
At least 35 states, including Maryland, have turned to the customer resource management giant Salesforce to manage their tracing efforts, especially with infection rates around the country surging to new records almost daily.
“If you think about manual tracing, it is tried and true,” Paul Tatum, a Salesforce vice president, said in a recent interview. “Rarely have we seen something at this scale. It was manual, on clipboards, little boutique systems at a local level. This is going to be millions on a scale they’ve never seen before.”
So instead of buzzing smartphones with Bluetooth signals, contact tracers spend their days making phone calls, building lists of potential new exposures and sending text alerts and emails about where people can get tested for COVID-19. Salesforce is also making its contact tracing workflows the backbone of Work.com, a new platform meant to help businesses and governments manage their eventual re-openings, company executives announced on Wednesday.
Avoiding identifiable data
Even if most contact tracing programs remain modernized versions of an established process, there are lingering privacy concerns. Salesforce says its software runs on its FedRAMP-certified government cloud and complies with health privacy laws, but some state officials have moved to impose more stringent restrictions.
In Kansas, the state legislature last month passed emergency legislation prohibiting contact tracing that uses cellphone location data to identify or track individuals. Anscombe, the security evangelist, said the bill was a good move, and that more legislation may be needed elsewhere.
But there’s also a need for privacy controls even when apps don’t come into play. Katy Ruckle, the chief privacy officer for Washington state, told StateScoop she’s been advising her health department on its manual contact tracing.
“Traditional contact tracing has been a part of population health for decades,” she said. “The things I’m looking for are confidentiality and highlighting the sensitive nature of the information they’re gathering.”
Ruckle also said that as Washington’s contact tracers survey the public, she’s making efforts to ensure that they’re not collecting identifiable data on residents, just a questionnaire that can’t be traced back to any individual.
“We want to rely on aggregate data to control the outbreak,” she said.
‘It’s just another tool’
Despite the current limited enthusiasm for contact tracing apps, more may emerge as the pandemic drags on, skeptical officials and experts conceded. Anscombe said state governments may want to eventually develop apps to prevent profit-minded corporations, like health insurers, from filling the void on their own.
“Would you trust a health company to do it?” Anscombe said. “I would trust a state to do it with the right legislation. By not doing something you may open the opportunity for a commercial company to start doing something.”
Some states are also being cautious by setting up boards and commissions to review the available technology before moving forward on a tracing app, such as Arkansas, which recently impaneled a 12-member group that includes the state’s chief information security officer, Nolan Leatherwood.
In Washington, Ruckle said she’s been in “a few conversations” with other officials, but added that the state is still well short of deciding whether to roll out an app at all. But if it does, Ruckle said she wants to make sure any app developed is secure, gives users the right to consent and make decisions about what information is collected, minimizes the amount of data being harvested and does not share with third parties.
Still, contact tracing apps should be seen as complementary to the phone-based process, not a replacement, Ruckle said.
“It hasn’t really been around long enough to see if it’s going to help,” she said. “But it’s not something that’s replacing the traditional method of contact tracing. It’s just another tool to help stem the outbreak.”
This story was featured in StateScoop Special Report: Digital Government: The Next Decade (2020)