Are Contact-Tracing Apps Worth the Privacy Risk?

North and South Dakota launched their contact-tracing app, Care19, on April 7, less than a month after COVID-19 was declared a global pandemic. Already, Vern Dosch, North Dakota’s contact-tracing facilitator, felt sure the app’s GPS location-tracking technology—used to keep an electronic diary of users’ whereabouts rather than relying on memory—would be met with some resistance.

Consumer privacy concerns would surface less than two months later, when security app Jumbo Privacy published a finding revealing that Care19’s app developer, ProudCrowd, violated its own privacy policy by sharing user location data with third-party app Foursquare. Following the release of the report, Care19’s policy was amended to say that Care19 will take the location of a user’s phone and “call a service to determine nearby businesses that you may have visited.” That service is Foursquare.

North Dakota is one of approximately 20 states and territories that have explored or built contact-tracing apps to supplement human-led contact-tracing efforts (which have historically aided in tracking and controlling highly transmittable diseases like syphilis, tuberculosis, and Ebola) to help fight the spread of COVID-19. An app enables users to provide contact tracers with a more detailed log of their locations or be notified faster if they’ve potentially been exposed to someone with COVID-19.

One of the technologies sometimes used in such apps, GPS tracking, has raised major privacy red flags: What happens when the location data of thousands of people is hacked, sold, or shared? What about their COVID-19 results? Is that private health information out there too? What if untrusted third-party apps are developed without the involvement of public-health authorities? If companies realize they can track a person’s every move in the name of public health, what’s stopping them from doing so once the pandemic ends?

Apple and Google have been pondering these questions for months. A day before Jumbo’s report on Care19 was released, the tech giants launched their joint exposure-notification technology, which uses Bluetooth rather than GPS tracking to alert app users if they’ve been in proximity of someone who has tested positive for COVID-19. The technology is not an app itself but is rather built into apps affiliated with public-health authorities.

In an effort to strengthen privacy protections, Apple and Google’s exposure-notification technology identifies users through an anonymous key, which in turn generates a temporary random ID that regenerates every 10 to 20 minutes; users must explicitly choose to turn on or opt into the exposure notifications. On August 5, Virginia, the first state to use Apple and Google’s technology, unveiled its contact-tracing app, COVIDWISE. If a COVIDWISE user tests positive for COVID-19, the Virginia Department of Health sends the person a randomly generated PIN. That person can then choose whether or not to notify the app of the positive test by inputting the PIN and triggering notifications to those who came in contact with him or her.

North Dakota is taking notes. To ease privacy concerns and encourage user adoption, on August 13 the state launched Care19 Alert, a supplement to the state’s original GPS-based app, which uses Apple and Google’s exposure-notification technology. Care19 Alert, also serving citizens in Wyoming (though not South Dakota), is the first app to use the Association of Public Health Laboratories (APHL) national key server, which securely stores the ID keys of affected users. In a perfect world, the APHL’s national server would enable exposure notifications across state lines—as long as every state created a contact-tracing app that used the exposure notification system and the APHL key server. Six months into the pandemic, many governors are still hesitant.

The overall effectiveness of contact-tracing apps, which can cost millions of dollars to create, market, and maintain, has been a highly debated topic since Apple and Google first announced their joint initiative. It’s impossible to ignore the digital divide that exists between the elderly and low-income communities and the rest of society with easy access to smartphones. It also begs the following questions: What happens when people leave their phone at home? And what about the people who have access to an app but choose not to download it?

For states to rally behind a tool whose efficacy has yet to be proven not only presents an issue regarding citizens’ privacy, but could also hinder larger efforts to curb the disease. “We have to proceed in thinking about how to use these tools cautiously because it’s possible to harness technology in such a way that it actually creates more work [for contact tracers],” explains Jennifer Nuzzo, an epidemiologist and senior scholar at the Johns Hopkins Center for Health Security, referring to the Bluetooth technology that could mistakenly alert someone of exposure when the infected person is on the other side of a wall or more than six feet away. “If [the apps] cast way too wide of a net and they wind up identifying way too many contacts that aren’t meaningful contacts, then that could actually slow things down. Because now the contact tracers have to reach out to all of those people, and people might perceive the process to be of limited value.”

For those who do choose to download a contact-tracing app but still have privacy concerns, Neema Singh Guliani, former senior legislative counsel at the American Civil Liberties Union (ACLU), who specializes in surveillance, privacy, and national-security issues, has some advice: pay attention to the information provided and be aware of the technology the app is based on (i.e., Bluetooth or GPS), as well as terms-of-service language that can prevent users from obtaining reparations if an app violates its security standards or fails to adopt reasonable ones. Admittedly, terms-of-service agreements can be difficult for even trained privacy professionals to understand. Therefore, for contact-tracing apps to be effective and ensure public trust, they must have clear guidelines, meet benchmarks for efficacy, be integrated into a broader public-health strategy that meets the needs of those most impacted by the disease, and be accompanied by strong legal safeguards to protect privacy and other rights.

In June, Senator Maria Cantwell (D-WA) and Senator Bill Cassidy (R-LA) introduced a bipartisan bill known as the Exposure Notification Privacy Act to ensure app participation is voluntary, prohibit commercial use of data, and require public-health officials’ involvement in the app’s operation. As of press time, it still hasn’t been voted on. Meanwhile, at the state level, Utah lawmakers introduced legislation for its GPS-based contact-tracing app that required location data collected for public-health purposes be used strictly for COVID-19 response efforts and deleted within a certain time frame. However, the legislation failed; the app’s location-tracking feature has since been disabled due to privacy concerns.

In an effort to alleviate the demands on the public-health authorities building these programs, Apple and Google have stepped in again. On September 1, the tech companies launched Exposure Notifications Express, available on iOS 13.7 or later and Android 6.0 and above. It allows local public-health authorities to implement an exposure-notification system without building a separate app. Upon upgrading to the latest technology, users who live in a state that participates in the program can opt into the exposure notifications and be walked through on-boarding instructions for their device and their region.

Apple and Google say privacy and security remain core to the design; users must choose to turn on the exposure notifications, location data is not shared, the system isn’t monetized, and users can choose to disable exposure notifications at any time. According to the companies, Washington, D.C., Maryland, Nevada, and Virginia are expected to be the first U.S. areas to use the system. The express notifications do not impact existing apps, and users can still choose to download one if they want a different user experience. But the new tech further shows that apps may just not be worth the investment.

The Centers for Disease Control and Prevention (CDC) has stated that there is limited data on the performance of contact-tracing apps in the United States. On the other hand, the CDC did estimate that the U.S. would need to hire between 30,000 and 100,000 manual contact tracers. States including New York, California, and Massachusetts have already deployed manual contact-tracing programs, although case volume and low response rates have prevented them from being successful thus far. (Most states have not hired enough contact tracers to meet their needs.) The New York Times did report, however, that manual contact tracing is saving lives in high-risk areas like the Fort Apache reservation in Arizona, where people have been infected at more than 10 times the rate of individuals in Arizona as a whole. Human-led contact tracing there may not necessarily be slowing the spread, but it is preventing deaths by alerting people of possible infection before it's too late to save them.

With no national app in sight, and the recent launch of Exposure Notifications Express, states are continuing to evaluate the value of contact-tracing apps while grappling with the pros and cons of maintaining user privacy within them. It’s clear that Bluetooth is the more secure technology, but location data could potentially give public-health officials the ability to determine key transmission areas. So, where do states draw the line? Is it worth it—nay, ethical—for leaders to encourage their citizens to reveal their daily whereabouts if it means helping slow the spread of the virus? The answer is murky considering the apps’ unproven efficacy. Ultimately, it will be up to the states’ leadership—and its citizens—to decide.