Speaker 0
0:10 – 1:28
Welcome to Tech Talk. Bye. CT. Tea. Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Jamal Magby, and it's time to talk tech. In an effort to fight the spread of the novel coronavirus, some countries have begun using highly personalized location data to locate and identify potential cases. While having access to this data may aid in curtailing the spread of the virus, many privacy advocates are concerned that collecting such data without certain safeguards could pose an immediate danger to privacy and civil liberties and also have long term consequences. So are there alternatives to the sharing of location information that have promise? And what happens to all of the data these governments are collecting? Does personal data have to be shared to fight the spread of the coronavirus? Here to answer some of these questions is Greg Nochan, senior counsel and director of the Freedom, Security, and Technology project at the Center for Democracy and Technology. Greg, thank you for being here today. Thanks for having me. I appreciate it. So with this recent pandemic, why are governments around the world seeking to obtain data to help stop the spread of COVID nineteen? What do they wanna do with it?
Speaker 1
1:28 – 3:17
Well, this is a worldwide problem, and, it's gonna require solutions, but it's not necessarily the case that all countries are gonna be doing the same thing. There are many different approaches that are being taken. So, for example, in Europe, governments are demanding and they are receiving anonymized and aggregated location information. This doesn't allow the the way it's being sent, as I understand it, it's not going to allow for, the reidentification of the information being sent. But rather, it it tends to show trends, like, are people moving are are people who are in one area that has a high infection rate, traveling to other areas that have low infection rates. Why is such data useful? It would help a government determine that in these areas of low infection, they might see higher infection, and they might want to, deliver medical services or be ready to deliver medical services to those areas that currently don't have high infection rates. Because the data is aggregated and and, not identifiable, that's probably going to be okay. It's probably going to be a good use of data. Always a concern, though, that because it's location information, it can be reidentified because location information, unlike some other data, is, can be easy to, reidentify.
Speaker 0
3:18 – 3:27
So we're talking about a a lot of location data. But besides location, what are the types of data would be useful for contact tracing and quarantine enforcement?
Speaker 1
3:28 – 6:20
So the other types of data that they're talking about even go beyond those two purposes. So, for example, even outside of quarantine enforcement and contact tracing, there's one company that is, that sells these, etherometers, we'll call them. And it is, collecting data about the etherometers that are showing high fever rates in, certain areas and, providing that information publicly so that health authorities can decide, that maybe in these high fever areas, they need to be ready to deliver more medical resources. In the area of contact tracing, for example, governments are also, developing or working with private entities to develop applications that record not location, proximity data. And proximity is, how close you are and for how long to a person who has been infected. It doesn't matter where that happened. That's the location information, the where. But this just develops proximity information, and it uses, Bluetooth signals to do that. When it comes to quarantine enforcement, different approaches are being taken. One particularly intrusive one, in India involves the person who has been ordered quarantined to take a selfie of themself every hour. Wow. Send it every waking hour and send it off to the authorities to show that they're abiding by the, quarantine rules. Another approach, Poland is using one that requires a person to download an app that will notify authorities if they, leave quarantine with their cell phone. So, these are these are very intrusive, methodologies for enforcing quarantine. Say there was a what I'm gonna call a soft quarantine. Say there's an order, like we have in Maryland where I live, not to congregate in groups of 10 or more, and, one could imagine that there would be, there could be a generation of information, by cell phones that would help authorities enforce that quarantine. Maryland authorities are not asking for that data at this point, or at least to our knowledge,
Speaker 0
6:20 – 6:32
but I could imagine something like that down the road. Some of these policies seem really intrusive. Are there any good approaches to data sharing that provide both useful information and can protect privacy? Yes.
Speaker 1
6:33 – 7:57
And, companies are rolling them out in the last few days. Facebook and Google have both rolled out, and and there's other, companies doing this as well. The they're rolling out what I'm gonna call mobility data. It's showing how people are changing their travel patterns in response to stay at home orders. So, for example, the data can show, are people reducing the total amount of travel that they do? And this data is being reported on a county by county basis. Are they reducing their visits to recreational establishments? Are they reducing their visits to grocery stores and pharmacies? How has their travel changed in response to places of work? Are they abiding by, the rules that say they shouldn't be traveling to work. The data is aggregated, so it's not, individualized. But it does show, for example, maybe a 50% reduction in, mobility near offices and an increase in mobility, near residences. That would show that people are tending to stay home more than they were before, the coronavirus outbreak.
Speaker 0
7:58 – 8:05
What is the state of US law on protecting data during national emergencies like the one we're facing now? How does the Patriot Act that you're in?
Speaker 1
8:06 – 13:16
We don't have a comprehensive privacy statute in The United States. So what there is is a patchwork of laws that, frankly, do not provide much protection at all. The patchwork of laws on the consumer side really only protects certain classes of data, health data. It it really only protects the health data when it's held by particular types of entities. And and so it's really a very poor, scheme. On the electronic communication side, data like location information, that's actually also pretty poorly protected. Location information, when the government seeks it directly, it has to there has to be a tie to crime, and it would have to have a court order showing that there's, reasonable suspicion about that criminal activity. Now the problem though is in the area of electronic communications, law is also not very clear and not very helpful. First, for a provider that collects, cell site location information or information from a mapping function, That provider is permitted by law to share that information with a third party, which then is not covered by the electronic communications privacy act in the same way. And that third party can then share the data directly with law enforcement entities. That's not a good approach. It's a huge loophole in the Electronic Communications Privacy Act. When it comes to data held by the providers that are covered by the Electronic Communications Privacy Act, so that would be a a a company like, the one that provides your email service or your cellular telephone service or the service that maintains your calendar online. Those are all covered by the Electronic Communications Privacy Act. For for those companies, they can disclose the information in an emergency. The statute gives them a lot of discretion in deciding whether an emergency, pertains or not. Certainly, we are in an emergency now, but the statute gives the provider the ability to ask questions about whether the data is actually necessary to respond to the emergency. Let me explain why that's important, and it's a it's actually a good way to approach, emergencies in terms of disclosure of information. If there wasn't provider discretion, one could imagine right now that the government would go to the providers and say, give us all the location information that you have. We'll figure out how to use it. Right? That's not a good approach. Instead, we have a voluntary system where the provider can voluntarily provide the information. And the providers are asking questions like, are you asking for data that will actually be useful in responding to the emergency that we now face? Mhmm. So the government has to justify it to the providers, and we're all kinda counting on them to require those justifications and to be reasonable when they are requiring those justification. And I think that's actually, a fairly good approach. So for example, if the government went to a provider of cellular telephone service and said, give us all the location information on all your users. We think the providers will say no. That information is not going to be helpful in determining whether in doing contact tracing, determining whether an infected person has infected others. Reason, it's not precise enough to show proximity within six feet for a period of time. It's just not precise enough to show that it wouldn't be useful in responding to this emergency. So so they they, we believe would turn those requests down. Now if there was a request for information that was justified and that could be used reasonably in this emergency, we would expect them to say, yes to that request and to disclose information to their users about how they had responded to that request. So we're we're talking to these companies. We want them to be, responsible, get a stewards, and we want them to act responsibly when they receive requests for information that might actually be useful in fighting the pandemic.
Speaker 0
13:17 – 13:24
So are there any other ways big data can support the government's need for information without endangering privacy and civil liberties?
Speaker 1
13:26 – 15:19
Yes. It it can, help. It can be sliced and diced to help the government understand trends. Trends like, are people abiding by stay at home orders? Are they, altering their travel patterns in order to limit their travel as required by the stay at home orders. It's that kind of trend data that I think is, being, demanded by and reasonably, health officials, so they can understand how people are responding to this to this threat. So in addition to the, disclosure of mobility information that I talked about earlier, the information that shows that people are or are not, abiding by stay at home rules and stay away from work rules. Companies are also, deploying symptom trackers that help people report when they have symptoms of, coronavirus, and that can be used to determine where to deliver medical services. They're engaging in, research by donating supercomputing resources to help the medical professionals better understand the disease, and they're providing heat maps. These are these are maps available from multiple sources that show the number of cases of coronavirus officially confirmed and also deaths. Wow. And they and they, layer this information on population density maps that help determine where resources should be deployed. So there's a number of things going on with big data, that are not privacy invasive, that are useful to fighting the pandemic.
Speaker 0
15:24 – 15:41
Greg, it's been a pleasure having you, and thank you for joining us. Keep up with more of the work our policy teams are doing related to the coronavirus response at cdt.org backslash coronavirus, And on Twitter, Facebook, and LinkedIn at SymDemTech. I'm Jamal Magby. Thanks for listening.