Op-Ed: NJ, other states must prioritize privacy protections for COVID-19 app

Overcoming user distrust requires the state to be transparent about what kinds of data will be collected and how it will be protected
Laura Hecht-Felella

As COVID-19 rates explode throughout the country, states are finally deploying smartphone applications to combat its spread. New Jersey is one of at least 24 states that have released an app within the past several months. The launch of COVID Alert NJ comes as Gov. Phil Murphy reports difficulties persuading people to cooperate with contact tracing. In this context, the app, which is voluntary, stands a chance of helping only if it is trusted to keep user information secure.

To foster broader adoption and implementation, state COVID-19 apps should have robust, built-in privacy protections that are communicated clearly to the public. New Jersey’s app is built on the Google/Apple Bluetooth Exposure Notification platform. This platform is the most privacy-protective because it relies solely on Bluetooth proximity data, as opposed to location data like GPS. When an individual reports a positive test result, the system can anonymously notify other app users who have been nearby. In addition, users store proximity identifiers locally on their phones. This decentralized model protects against hackers and limits the potential for government surveillance by minimizing data collection.
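As an added illustration, not code from the article or from the Google/Apple platform, the following Python sketch models the decentralized flow described above: each phone keeps a random daily key and broadcasts short rolling identifiers derived from it, stores only the identifiers it hears, and on a positive report uploads nothing but its daily keys, so every other phone checks for exposure locally and the server never learns who was near whom. The HMAC-based derivation is a simplified stand-in for the platform's real scheme, and the phone names and 30-minute proximity window are constructed.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # ten-minute intervals in one day


def derive_rpi(tek: bytes, interval: int) -> bytes:
    """Rolling proximity identifier for one interval (simplified HMAC, not the real spec).

    Unlinkable to the key by a bystander, but reproducible by anyone later given the key.
    """
    msg = b"RPI" + interval.to_bytes(4, "big")
    return hmac.new(tek, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_keys = {}   # day -> 16-byte key; leaves the phone only on a positive report
        self.observed = set()  # identifiers heard over Bluetooth, stored locally

    def daily_key(self, day: int) -> bytes:
        if day not in self.daily_keys:
            self.daily_keys[day] = os.urandom(16)
        return self.daily_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return derive_rpi(self.daily_key(day), interval)

    def hear(self, rpi: bytes) -> None:
        self.observed.add(rpi)

    def report_positive(self, days):
        # The only upload: daily keys for the infectious period. No location, no contact list.
        return [(d, self.daily_key(d)) for d in days]

    def matching_intervals(self, published) -> int:
        # Matching runs on-device against the published keys; nothing is sent back.
        return sum(
            derive_rpi(tek, i) in self.observed
            for _, tek in published
            for i in range(INTERVALS_PER_DAY)
        )


def simulate():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    day = 0
    for interval in range(INTERVALS_PER_DAY):
        rpi = alice.broadcast(day, interval)
        if 30 <= interval < 33:  # constructed: alice and bob within range for three intervals
            bob.hear(rpi)
    published = alice.report_positive([day])  # all the server stores and redistributes
    return bob.matching_intervals(published), carol.matching_intervals(published)
```

Running `simulate()` yields three matching intervals for bob and none for carol, while the published list contains only alice's daily key, which is the data-minimization point the paragraph makes.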

New Jersey’s model is superior to state apps that feature GPS location tracking. Unlike proximity, which only measures whether people are within a certain distance of one another, GPS can track someone’s every movement. GPS monitoring poses a major risk to privacy because, in the words of U.S. Supreme Court Justice Sonia Sotomayor, it “generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” Unsurprisingly, these less privacy-protective apps have had the hardest time attracting users.

Indeed, public distrust has threatened to hamper even traditional contact-tracing efforts, in which public health officials reach out directly to individuals who have been diagnosed with COVID-19 to identify people they have had contact with. In particular, communities of color, especially immigrant communities, have expressed concerns about the sharing of contact-tracing data with police or immigration authorities.

To enhance user trust and adoption, protection of app data must go hand in hand with transparency. People will be more likely to use apps when they understand what data is being collected from them and who has access to it.

In particular, states must address what happens to user data once it is voluntarily shared with state health authorities. Will app data be disclosed to law enforcement, and why? If app data is used to inform deployment of police to enforce social distancing, it could exacerbate the potential harms experienced by people of color, who have been most affected by the coronavirus and are also most impacted by systemic overpolicing. A contact-tracing privacy bill that would restrict sharing of contact-tracing data and require data deletion or deidentification passed the New Jersey Assembly in July.

States should also be forthcoming about their data retention policies. Will app data be deleted? If so, how often? How is the data encrypted and stored? Strong data minimization policies and limitations on data retention are an important check on the ability of COVID-19 apps to facilitate, purposely or not, government surveillance. They will also mitigate the risk that data collected to combat COVID-19 is repurposed in the future for some other objective.

Because the state’s app is relatively new, New Jersey must make efforts in the coming months to critically examine the app’s effectiveness in combating the spread of the pandemic and the sufficiency of the safeguards it has developed. The state should share key data points, including the app’s rate of accurate exposure notifications, to better inform public discussion. Moreover, maintaining and improving privacy protections are continuing processes, requiring regular privacy audits. New Jersey should release the results of these audits publicly and be transparent about any modifications or improvements they produce.

It remains to be seen whether COVID-19 apps will prove an effective supplement to traditional contact tracing, but they will have a meaningful public health impact only with higher adoption rates. Transparency, accountability and user privacy are key to promoting usage. To this end, New Jersey should continue to be upfront with the public about how its app works and the efforts to minimize privacy risks.