Technology companies are rushing to aid in the fight against the global COVID-19 pandemic by developing applications that can aid in contact tracing and assist public health authorities in containing the spread of the virus. These efforts, while promising, often involve processing massive amounts of personal location and health data, which carries significant privacy risks.
On April 9, the U.S. Senate held a paper hearing on enlisting big data in the fight against coronavirus, recent use of consumer data, ways to protect consumer privacy and how to handle COVID-19 related data once the pandemic ends. The senate received testimony from the Network Advertising Initiative, the Interactive Advertising Bureau, and the Future of Privacy Forum among others. Big data refers to the huge volume of consumer data collected from sources such as smartphones, mobile apps, fitness trackers, connected cars and other connected products. Big data also refers to advanced computing capabilities that analyze large data sets to identify trends and predictions.
Government officials and health-care professionals have turned to “big data” to help fight the global pandemic on various fronts. Big data has informed contact-tracing apps that rely on self-reported data about health status and location data to inform the public of virus hotspots and alert those who may have come in contact with someone with the virus. Big data is also used to manage resources and supply chains to distribute needed medical equipment, and is used to track the effectiveness of social distancing, stay at home guidelines, and monitor public spaces in an effort to shape public policy. A global team of infectious disease epidemiologists are working with tech companies to use aggregated mobility data to update public officials on how well social distancing interventions are working using anonymized aggregated data sets, providing the data to analytics support for interpretation.
The use of big data, however, has created privacy risks. Risks include overly granular heat maps or case reporting that may make it possible to associate a positive coronavirus status with identifiable people. Symptom trackers may also pose privacy risks if they collect personal information. Witnesses also expressed concerns of cookies on mobile apps that inevitably connect IP addresses and other mobile data to individuals.
Witnesses strongly encouraged a privacy by design framework as companies race to address the pandemic with technology solutions. First and foremost, privacy should be embedded into the design and operation of the product, network infrastructure and business practices. Witnesses also suggested utilizing privacy risk assessment frameworks to identify, and mitigate or eliminate risks.
The witnesses agreed that the current pandemic only highlights the need for a comprehensive national privacy law, but until then, witnesses suggested various ways to limit privacy risks including various contractual controls like the following: