COVID-19 tracking tech – weighing personal and public health benefits against privacy

Contact tracing apps, symptom checkers and other data-driven tools provide tangible benefits, but experts say that more can be done to educate individuals on what information they collect and how it's handled.
By Dave Muoio
04:34 pm

COVID-19 may not be the first pandemic the world has faced, but the virus' challenge comes amidst widespread skepticism of longstanding public health institutions. Government-led responses to outbreaks have varied from country to country, and incongruent messaging between political leaders, health agencies and other sources of information have fueled varying levels of concern and distrust among individuals seeking to protect themselves from the disease.

Perhaps unsurprisingly, these past several months have also seen an extensive range of novel technologies released to help educate worried consumers or connect isolated patients to testing or care. Among the best known of these tools are contact tracing and symptom-reporting apps, some of which are increasingly being deployed by local and national public health agencies.

"We're in a technology world, and I think for public health to be able to explore these new technologies so that we can provide the best information to people to protect their health is really critical," Janet Hamilton, executive director of the Council of State and Territorial Epidemiologists, a U.S. organization representing public health epidemiologists, told MobiHealthNews.

"We're seeing situations where, for example, people are becoming less and less likely to answer their phone, and people are becoming less and less likely to provide names of individuals they have been in contact with," she continued. "So how can we use the technology that we do have to fill in the gaps so that people are able to get information that allows them to change their behaviors. How can they access information that helps them improve their health? I think technology absolutely plays a role in that, and exposure notification apps are a part of that." 

A precedent for distrust

A recent survey found that the majority of consumers and IT professionals would support a nationwide rollout of contact tracing technology. But at the same time, both groups overwhelmingly reported concerns that these tools could threaten their privacy and personally identifiable information – skepticism that isn't necessarily unfounded.

COVID-19 apps deployed in Norway and South Korea, for example, were reported to expose users' private information, while published analyses suggest that the majority of COVID-19 apps freely available for download make little effort to protect the data they're collecting. Major technology firms like Google and Apple that have released their own fair share of COVID-19 tools are also facing more scrutiny than ever from the public and lawmakers over their collection and use of various personal data for personal gain.

Even individuals who have avoided COVID-19 apps may not realize that their data is already being used to inform public policy. In the past few weeks alone, a handful of analyses have been released in which researchers reviewed aggregated, de-identified location data collected from mobile phones to gauge compliance with COVID-19 stay-at-home orders or estimate the fallout of a superspreader event. This information was purchased from vendors that, unknown to many users, are constantly collecting and repurposing GPS data gleaned from third-party smartphone apps that requir users to enable location services.

When considering the quantity of personal data at play and the opportunities for them to fall into the wrong hands, individuals have more than enough reason to think twice about downloading COVID-19 apps or consenting to share their data, Pollyanna Sanderson, policy counsel at the nonprofit Future of Privacy Forum, told MobiHealthNews.

But these approaches can provide a clear benefit to individuals and communities feeling the toll of COVID-19, meaning that it's vital that public health organizations and other authorities help users understand the trade-offs of each approach so they can make an informed decision on whether or not to participate.

"I think there need to be some communication efforts from the powers that be in order to educate the public about how apps do protect their privacy, especially the decentralized apps," Sanderson said. "Increased awareness about that would probably increase trust and adoption. But there are apps that are privacy invasive as well, so it's really difficult for consumers who might not be privacy or tech experts."

Digital tools can inform individual behavior and broader policy

In describing the benefits of these data-driven technologies, Hamilton said that they are delivered at two levels of action – those that a public health department can take, and those that an individual can. Both of these are dependent on a range of variables, such as the type of information being collected, the number of people from whom those data are being collected and the current frequency of virus transmissions occurring across a community.

At the individual level, contact tracing or symptom-reporting apps are valuable because they can help the user understand their risk and adjust behaviors appropriately, Hamilton said. A prompt from the app can encourage a symptomatic user to seek out testing, or let them know when they have encountered a COVID-19-positive individual and should consider staying away from high-risked loved ones in the near future.

“For example, if you're taking care of elderly parents and you know you've been exposed, you might change your visitation cycle, or you might change how you're interacting when you do go visit," she said. 

For public health departments, more specific information can improve the effectiveness of human-conducted contact tracing interviews, Hamilton continued. Named contacts, for instance, tell the department exactly who to reach out to with warnings to quarantine, while accompanying GPS data can provide answers when a case's recollections fall short.

It's not at all uncommon that people might not remember that they took a particular trip to a grocery store or something along those lines," Hamilton said. "Some of the exposure notification apps and using people's locations can really help with that. If you're doing an interview with case investigators several days and sometimes maybe a week after you've had certain kinds of behaviors, it can be really hard to remember those. Those are the places where we can really do our best at providing and using those apps to help people fill in the gaps of what people don't necessarily remember."

But certain conditions will render these use cases less and less reliable. Contact tracing, which aims to isolate a specific instance in which a contact occurred, is harder to rely on when an infection is prevalent in the case's community.

"Even if you know the five places they went, they could have been infected in any of those five places, whereas if there's less community transmission being able [to hone] in on that exact exposure location can provide more of an indication," Hamilton explained.

Similarly, a tech-driven contact tracing system can only be effective when both sides of a transmission event have opted into its network. Low rates of adoption have been a frequent point of criticism for these tools, and have led to unsuccessful smaller-scale (but still costly) deployments being reworked or completely abandoned. In particular, many reviews and discussions on the technology have centered around an Oxford University study released in April and a statement from its lead author suggesting that the epidemic could be halted with a contract tracing app adoption rate of 60%.

Although that original statement also stressed benefits despite lower adoption rates, the point was emphasized a few weeks ago with another Oxford University study specifying that any level of uptake could still save lives.  Hamilton and Sanderson both made similar points, noting that even below the cutoff for community-wide benefits the tools will still provide individual users with behavior-changing warnings. They also stressed that none of these tools should be considered infallible, and that COVID-19 is prevalent enough for people to continue social distancing, handwashing and other preventive practices.

"Just because you didn't get informed that you might have come in contact with someone doesn't truly mean that you didn't," Hamilton said. "It just means that the level of data and detail wasn't there for you to be informed of that. So I think when there's really broad community transmission, you should take a lot of precaution."

Looking past COVID-19-specific apps, de-identified GPS data analyses can have a role to play in crafting policy, Hamilton added. An understanding of a population's general behaviors can help authorities assess their control measures and make adjustments as necessary.

"To say 'here is the control measure that was implemented, and this is the degree to which it was or was not followed' is critical, because it gives us the opportunity to understand why it wasn't, and/or what changes need to be made to these guidelines in the future," she said.

Understand what data is collected and how it's handled

Having information on hand can help limit the pandemic's impact, but poor security, bad actors and potential government misuse all cloud the question of whether or not these technologies are a net positive. In each case, Sanderson and Hamilton both said that it's up to the individual to make their own decision based on the tools, broader circumstances and personal comfort.

For those concerned about a particular COVID-19 app, Sanderson said the first step is in understanding the various methods with which a system is identifying potential cases, and the data management practices it employs.

"The two things to look for are whether the processing of your proximity or location information occurs on your device or if it sends to a third-party server, such as a government server – in other words, whether it's centralized or decentralized," Sanderson said. "The second thing I would look for is whether the app uses geolocation such as GPS and WiFi and cell towers, or if it uses Bluetooth."

In regard to the data processing, an effective decentralized design cuts governments, tech vendors and others out of the loop. Instead, sensitive data remains on the user's device and is anonymized before being shared with other mobile devices or systems.

"That greatly reduces privacy risks, but it also prevents that data from becoming available for the government and public health authorities to use to combat COVID-19," Sanderson said. “That's the trade off, and so some governments have been in favor of a centralized approach."

Location data, meanwhile, is generally more privacy-invasive than Bluetooth, even if it's been anonymized and aggregated before use, Sanderson said. It often isn't very hard to identify someone based on where their device rests or travels, she said, and can betray sensitive information such as "where they like to hang out, where they like to worship, if they go to strip clubs, if they have a mistress."

That isn't to say that Bluetooth designs are off the hook, either. 

“It still carries with it risks, such as the ability to create potential social graphs of everyone a person interacts with, so you can really get to know someone's social network, [and] that's a pretty scary proposition," Sanderson said. "But depending on how Bluetooth-based apps are designed, you can significantly reduce that risk if you include a decentralized design. Some countries have really centralized Bluetooth apps, such as Australia and France, and they have largely struggled with trust and accuracy."

The design of these systems becomes especially relevant in the context of bad actors and potential mission creep, Sanderson said. Here she specified location data data being used to identify the characteristics of Black Lives Matter demonstrators over the summer as an example of such overreach. Although there's work ongoing to propose legislation barring this type of government data purchase and misuse brewing in the Senate, overall the regulatory landscape in this area is "really patchy."

"For instance, some entities like telecommunications carriers are heavily regulated in types of data that they share with government and private entities," she said. "There are others that are perhaps less or under-regulated, which form kind of loopholes in the law." 

Speaking personally, Sanderson said her scales currently tip in favor of sharing the aggregated, de-identified data with public health researchers. Both experts specifically highlighted Apple and Google's work on contact tracing APIs as a promising combination of decentralized design, minimal data collection and public health department involvement.

"There's such a level of anonymity there, that I think the benefits really outweigh the risk," Hamilton said. "I absolutely understand that trust is a huge issue, and that's why the technology was put together in that way. ... I am so concerned about people's health and there's such a high level of risk out there in terms of exposure to disease that I would certainly very strongly suggest that people consider this."

Communication is key

Individuals will be the ones ultimately weighing each of these factors and risks against personal and public health safety, but that's not to say that health groups, leaders and technology companies can't do more to inform the public and ensure these tools are being deployed responsibly.

Hamilton said that public concern in the U.S. likely stems from the wide range of ongoing COVID-19 mitigation efforts, many of which do not have the backing of public health authorities. 

Data and information protection is a primary responsibility of any health department, she said, and that right now it's "critical" to inform the public that health department-operated apps will take those concerns seriously.

"From a public health perspective and your data being used by the health department, their job is to protect your privacy all the time," Hamilton said. "If you are a case, we need to protect your information. If you are a contact of a case, we need to protect your information, and we have been doing that and been stewards of that for many years. And it's important that we continue to be the best stewards of that, because otherwise people won't have the level of trust that we need to provide us the information that we need to do the appropriate control measures."

Sanderson agreed that education and messaging regarding COVID-19 technologies needed to step up, especially when considering the public's varying levels of technical literacy.

"I think of my grandma – when she sees a contact tracing app, she'd have seen that they're all the same, they all have the same risks. And then she sees a headline that says a contact tracing app is an invasion of privacy, and thinks that all contact tracing apps are invasive," she said. "But there's a whole spectrum of different designs."

As for the developers and technologists working on new versions of these tools, Sanderson pointed to guidance from her organization and secure data sharing firm BrightHive that, among other recommendations, stresses the need to collaborate with public health authorities by asking what specific information they need, what formats the data should be in and how long it should be retained.

"[Developers] need to be guided by principles of necessity and proportionality, and follow scientifically-based evidence that's emerging at the moment. That means collection limitations, always looking out to see how effective the app actually is in practice – looking at how many people were actually notified using the app, looking at effectiveness rates, which is only just emerging now about the different types of apps," she said.

"And also, look at whether there are other types of technologies which might be more effective than these apps. If so, shift your attention and resources towards trying to implement those alternative solutions instead."

Building a Solid Foundation for Transformation

This month we are following the efforts of entrepreneurs, doctors, investors and executives as they build a solid foundation for healthcare to move through the decade.

More regional news


The latest news in digital health delivered daily to your inbox.

Thank you for subscribing!
Error! Something went wrong!