A group of lawmakers from both parties is putting forth legislation that aims to protect Americans’ privacy and personal data while advancing public health initiatives in the face of COVID-19.
Well over 100,000 people in the United States have died as a result of the current pandemic, which is far from over. Mitigating the further spread of the disease will require robust contact tracing, among other efforts. The scale of tracing required, however, is enormous and difficult to manage.
In the modern era, any issue of scale is met with the promise of an app, and contact tracing is no different. Apple and Google worked together on an API for contact tracing, which was recently deployed to phones. But public confidence in contact-tracing apps is already mixed at best, and recent statements by state and local governments conflating public health contact tracing with police investigation of protesters have sown further distrust.
A proposed bill, called the Exposure Notification Privacy Act (PDF), seeks to limit what data entities collecting COVID-19 exposure data can collect and how they can use it.
The Act would first require all contact tracing to be opt-in only, requiring “affirmative express consent.” The text specifically mandates that every user of an app would have to consent clearly and voluntarily, rather than just having consent inferred from “continued use of a service or product,” as so many platforms currently do.
Operators of such apps would also be required not only to gather the minimum amount of user information necessary and de-identify aggregate data but also to promise not to combine it with other data in order to identify “any individual or device.” App makers would also be required to use the data they gather for public health purposes only, not for any commercial purpose, and any entity to which they might transfer user data would be required to adhere to the same conditions.
Senators Maria Cantwell (D-Wash.) and Bill Cassidy (R-La.) together introduced the bill, with Sen. Amy Klobuchar (D-Minn.) signing on as a co-sponsor.
“Public health needs to be in charge of any notification system so we protect people’s privacy and help them know when there is a warning that they might have been exposed to COVID-19,” Cantwell said in her written statement. She also told the Washington Post she’s not inclined to use contact tracing apps without such permissions in place, adding, “We’re all irritated our browser history might be sold a thousand times over, but when it’s your healthcare history, it’s a whole new realm.”
Cassidy echoed the sentiment to the Post, saying, “I think if you ask most people, ‘Do you trust Google to respect your privacy?’” the answer is no. “This is a matter of perception. It’s not an indictment of Google; we’re making sure people are comfortable with this.”
Several public health and digital rights experts and advocates endorsed the bill, expressing hope it could help technologists and public health officials strike the right balance of increasing public safety while protecting privacy.
This isn’t the first stab Congress has taken at a coronavirus-specific privacy bill, but it is the first such effort to hit the ground running with at least some support from both parties. The Public Health Emergency Privacy Act, introduced in May, has Democratic backers in both the House and Senate but is unlikely to win Republican support. That proposal followed an earlier bill, the COVID-19 Consumer Data Protection Act, which was put forth by Senate Republicans and is unlikely to win Democratic support.
https://arstechnica.com/?p=1680625