Using Cellphone Data to Track COVID-19 Contacts Raises ‘Big Brother’ Concerns

Colleen O'Dea | April 16, 2020 | Coronavirus in NJ, Social
Apple, Google assure users that information is kept strictly anonymous, but some experts caution that hacking the data isn’t that hard. What does the data say about NJ residents?
[Image: Apple’s COVID-19 app. Credit: Apple.com]

Wondering if New Jerseyans are following Gov. Phil Murphy’s stay-home orders? Google reports that visits to retail, transit stations and workplaces are down by 45% or more, while another location-intelligence company shows all travels are down statewide by as much as 50% in northern counties.

While such data is helpful to officials trying to contain the COVID-19 pandemic that has killed close to 3,200 in the state over the past five weeks, its availability and specificity prompt some questions: Is the individual right to privacy being violated by trackers, and how intrusive might future efforts to track the spread of disease in the United States become?

Ellen Goodman, a professor and co-director of the Rutgers Institute for Information Policy and Law, said matters of public health always seem to supersede an individual’s right to privacy. For instance, health officials quiz individuals involved in tuberculosis and measles outbreaks to determine who else they may have exposed, and questions for those who contract HIV are even more intrusive, asking about sexual partners.

“There’s always tension between privacy and public health,” she said. “It has been relatively accepted that the privacy interests are sort of subservient to public health interests.”

Protecting anonymity — thus far

So far, data tracking that has occurred and that has been proposed in the United States appears to be designed to protect individuals’ anonymity. The partnership announced last week by tech giants Apple and Google to develop Bluetooth technology that public-health authorities could use for anonymous contact tracking and reporting “seems to be pretty privacy protected,” Goodman said. The concept is to allow phones to log and store contacts with others’ phones and then anonymously alert an individual when he has potentially been exposed to someone who comes down with the disease.

That’s not to say it’s perfect. An analysis of the technology in The Markup lists eight potential ways that the platform might be misused. These range from “trolls” attaching a phone to a dog and letting it run loose to log dozens of contacts, and then falsely alerting individuals that they were exposed to someone who tested positive, to other phone apps accessing the contacts and trying to use them for advertising, marketing or other purposes.

Nothing happening in the United States comes close to what some other countries have done. Israel is tracking individual patients, while China and Taiwan are going a step further and reporting to police those who violate quarantine or stay-at-home orders. Perhaps the most intrusive system is in South Korea, where the government has mapped everyone’s cellphone data and made it public so people can check whether they have been exposed.

The Centers for Disease Control and Prevention (CDC) is getting $500 million from the recent federal stimulus package “for public health data surveillance and analytics infrastructure modernization.” It’s unclear exactly what the agency plans to create with that money.

Concerned about Apple’s COVID-19 app

New Jersey’s U.S. Sens. Bob Menendez and Cory Booker, both Democrats, expressed concern last month about a COVID-19 screening app created by Apple, in conjunction with the CDC, Federal Emergency Management Agency and the White House Coronavirus Task Force. The app and website allow users who answer a series of questions to get CDC recommendations on whether to get tested, contact a doctor or take other steps. Apple said the app and website “were built to keep all user data private and secure.”

But in a letter to Apple CEO Tim Cook, the senators wrote, “We are nonetheless concerned for the safety and security of Americans’ private health data … all data collected via Apple’s screening tools should remain confidential and must not be used for any commercial purposes in the future.” They said that while technological innovations are necessary to combat the disease, “Americans should not have to trade their privacy at the expense of public health needs.”

Murphy said the same thing Thursday during his daily press briefing on the virus.

“We should be able to fight the pandemic and not violate people’s First Amendment rights and their right to privacy, and we should be able to find common ground, and I believe so far, we have,” he said.

The Murphy administration has taken a data-driven approach to attacking the virus, providing a host of data both at daily briefings and via the state’s COVID information hub. It is using information residents provide when answering questions in a symptom tracker on the site to “anticipate hot spots,” the governor wrote in an Op-Ed published Monday on NJ Spotlight. But when asking for an individual’s ZIP code, the tracker does not state that the information will be used for the second purpose of zeroing in on potential COVID clusters.

Goodman said gathering that data may help officials and probably does not violate anyone’s privacy. Still, it would be good for the state to tell individuals that they will be using their ZIP code and symptoms for that secondary purpose of helping to find hot spots.

“The key to this is getting public trust,” she said. “It’s the same thing with Google and Apple, if people don’t trust it, then they’re not going to opt in. If people don’t trust this website, they’re not going to give that information … I don’t blame them (the state) for doing it. I think it’d be best practice if they said, ‘We are using the unidentified, aggregated ZIP code information to help protect citizens.’”

Cracking code is too easy

Murphy said his staff was aware of “community mobility reports” that Google began releasing at the end of last month that chart movement trends to such places as grocery stores and parks to enable officials to judge how well social distancing policies are working. Google says its data is “anonymized” to protect individuals’ privacy, but research has shown that it does not take much work to pull identities from such data.

Although Murphy didn’t say so specifically, these reports may have played some role in his decision to close state and county parks on April 7. Anecdotal reports of groups of people congregating in parks did factor into the closure, the governor said.

Google’s first report release, on March 29, found that its users’ trips to New Jersey parks had dropped about 36% below the baseline before the start of the spread of the virus. An updated report released April 5 showed a 26% increase in visits to parks across the state, with some counties having much larger increases. That change moved New Jersey from among the 10 states with the greatest drop in parks visits to one of the 10 states with the largest increase in such visits.

Murphy and health officials have been clear in stressing that staying home and social distancing are the best ways to prevent the spread of the disease. The governor issued a stay-at-home order March 21.

What data says about NJ residents

The Google mobility data shows state residents are doing well in complying by curtailing some kinds of travel. Specifically, New Jersey is matched only by the District of Columbia in the greatest reduction of travel to retail stores, restaurants and such recreation sites as museums and movie theaters — a drop of 66% in the April 5 report compared with the baseline. Travel to grocery stores, transit stations and workplaces in New Jersey is also lower than earlier this year. New Jersey also has more people than the national average staying at home — 16% compared with 13% nationally, the data shows.

Cuebiq, a company that helps businesses measure their impacts on consumers, is making public its data, which reveals patterns for mobility and store visits. Travels are down throughout the state compared with last year’s averages, with the greatest curtailment — more than 50% — in all northern counties except Warren and Burlington. The smallest reduction in trips is in Cumberland, where it is down 15%.

Such travel information is helpful for state and health officials to know where and whether people are staying home. Goodman cautioned, though, that individuals may still have a right to be wary about the use and sharing of their travel patterns even via an anonymized platform.

“Researchers have shown that data that has been de-identified, or anonymized, can be re-identified with just a couple of data points if someone wanted to,” she said. “That’s probably not what’s going on here, but it is possible, so people are right to be skeptical of the kind of, ‘Don’t worry, it’s anonymized’ catch-all response to these concerns.”