From contact tracing to telework practices, the privacy landscape has shifted during COVID-19. This article addresses several questions concerning how personal data is being used in contact tracing apps, and, more recently, for digital credentials that indicate whether someone has antibodies for the virus or has received the COVID-19 vaccination.
So-called “immunity passports” are now being tested by several countries including the U.S. It is speculated that people who carry such a passport will be allowed greater freedoms to gather in public spaces and travel. There are arguments for and against: some say that this will get us one step closer to “normal” and is a great tool to fight the spread of the pandemic; while others point to concerns about data privacy, as well as creating inequities between those who have had the vaccine and those who have not (current trends show that vaccination rates in the U.S. have been disproportionately lower within Black, Hispanic, and Tribal communities).
On the privacy front, Business Insider references a new report from security research company Top10VPN which concluded that “immunity passport apps — which tout themselves as enabling users to travel internationally, or go into their office or school — are riddled with privacy flaws and pose big ethical problems.”
The report’s author Samuel Woodhams explained to Business Insider one of the concerns: “Loads of them have these really generic, boilerplate privacy policies that don’t specify what information is being collected and don’t tell you how long it’s going to be stored for… “ He added that many of the apps ask for “intrusive amounts of data, including location data” and that many of the apps were built by private companies that may have “a financial incentive to share or use this data in other ways.”
So the question is whether people will adopt this technology in spite of potential data privacy risks in order to help open up borders while stopping the spread of COVID-19? If you look at the low adoption rates of contact tracing apps in the U.S., you might conclude that people will not, but read on…
As we explained in a previous blog, Apple and Google have limited the amount of personal information collected for their contact tracing technology. Their technology uses a Bluetooth-based system, rather than GPS and it stores data on people’s phones, not on a central database, so anonymity is purportedly retained. However, in spite of these efforts to protect personal data, only 18 states plus Washington, D.C. have adopted the technology since Google and Apple announced it last April.
Some blame the low adoption rate of contact tracing on our country’s antiquated data privacy and security laws and people’s increased awareness of privacy issues, which was heightened during the pandemic as we had to adopt more technologies to work, learn, and live. However, maybe there just wasn’t enough of an incentive to opt in to contact tracing apps? Maybe the benefit of being notified that you were exposed to someone who tested positive for the virus wasn’t enough of a “reward” to give up personal data? (See our article about the risk-convenience paradigm.) But if some version of the immunity passport app is the only way you can travel across borders (or maybe closer to home, go to the neighborhood pub), will people throw caution to the wind and adopt it? The contact tracing app has been opt-in, however, will governments require that we give up our personal data to support public health with this new immunity passport technology? Will workplaces require you to have this documentation before you can return to the office?
Over the next few months, these and other questions will be debated at home and abroad. We just need to ensure that we don’t end up with a small, elite group of people who are willing to risk their personal data so that they can travel and live “like normal” while the rest of us await our vaccinations and/or refuse to risk our personal data. We will keep you updated as the debate continues.
