Computers, Privacy & the Constitution

Contact Tracing Privacy Concerns

-- By SophiaHan - 08 Mar 2022 (revised April 23, 2022)


Since its emergence in late 2019, COVID-19 has usurped many facets of our everyday living. From mask mandates to stay-at-home orders, old norms of daily living were quickly replaced by the harsh reality of living in a public health crisis. Amidst these changing norms, concerns about privacy arose as governments across the world implemented various tracking utilities to monitor and fight the spread of the virus.

Most notably, contact tracing apps have been heralded by many governments as a novel way of curbing the spread of COVID-19. However, the effectiveness of these apps is balanced by the level of privacy measures in place.

COVID-19: Contact Tracing Apps

On October 1, 2021, New York released an app that can notify people if they have come into contact with someone who tested positive for COVID-19. Called “COVID Alert NY,” the app is one of several in the United States based on Apple and Google’s surprising joint contact tracing system. Apple and Google’s contact tracing system uses Bluetooth to enable exposure notification, and is opt-in and anonymous to assuage some of the privacy concerns. Effectiveness is measured by how accurately these apps trace and monitor COVID-19, aiding public health authorities take appropriate measures to curb its spread. Despite these features, contact tracing apps in the United States have undoubtedly been a huge failure.

A key reason for this failure was the lack of trust among Americans in the tech companies and the government. One survey reported that 71% of reported smartphone users would not use the app because of privacy concerns. The effectiveness of contact tracing apps, however, largely depends on the installation rate among a population. Researchers estimate that it would take roughly 60% of a population to participate in a voluntary contact tracing program for it to be effective without any other severe measures (e.g., lockdowns).

Other countries worldwide have had mixed success with similar contact tracing apps. In South Korea, for example, contact tracing apps were relatively effective in curbing the spread of the virus, but at a significant cost to people’s privacy. The South Korean government used phone logs, card transaction records, and surveillance camera footage to monitor infected people’s locations and close contacts. China fared slightly better than South Korea in terms of user effectiveness because of its mandatory use and centralized government monitoring. But, of course, this was met with a troublesome cost to user privacy.

In considering improvements to maximize effectiveness for contact tracing apps, a few characteristics stand out. First, a decentralized architecture increases user privacy compared to a centralized approach. Second, close-proximity tracking, such as the one designed by Apple and Google, may not be enough to provide reliable information and curb the spread of a rapidly growing virus. Indeed, contact tracing alone, as it stands, is insufficient to effectively halt the spread of a virus like COVID-19; it must still be implemented alongside other preventative public health measures. Lastly, building trust among users is arguably one of the most crucial steps to be taken, and we can do so by establishing better privacy laws that increase transparency.

Insufficient Privacy Protections

Considering the breadth of influence technology has over our lives, it is surprising to find how few protections privacy laws afford us today. As it stands, the United States has no baseline data protection law that would protect sensitive data obtained from contact tracing apps. While there are privacy laws that protect certain data in certain market sectors, they don’t necessarily require that data acquired from COVID-19 tracing apps be securely stored and disposed, or used only for tracking the virus. It would be fairly easy for the data to be given to insurance companies, employers, creditors or the like. We see limitations in privacy protections in other areas as well. The Health Insurance Portability and Accountability Act (HIPAA), for instance, protects medical information but only for data collected and used by a “covered entity” or “business associate,” such as a hospital or insurance provider.

The Federal Trade Commission Act allows the FTC to have limited enforcement authority for privacy intrusions related to consumer protection. Specifically, it permits the FTC to challenge “unfair or deceptive acts or practices” in commerce, such as misrepresentations about data privacy or data practices that cause substantial consumer injury. While the FTCA may arguably be the broadest federal law when it comes to privacy, it is insufficient to meet the specific privacy needs that arise from COVID-19. The Act fails to regulate how data from COVID-19 tracing apps can be used, stored, or shared. It generally leaves these crucial decisions up to the companies themselves.

Some state laws attempt to narrow the gap left by federal privacy legislation. Perhaps one of the most robust privacy legislation, the California Consumer Privacy Act (“CCPA”) gives individuals more control over their personal information that businesses collect, such as the right to delete some personal information, the right to opt-out of the sale of their personal information, and the right to know about the personal information a business collects. But even this statute is limited, as it does not pertain to government agencies and would hardly cover the nationwide scale of contact tracing apps.


The COVID-19 pandemic revealed how sorely ill-prepared the United States is in handling a global public health crisis. Contact tracing apps have the potential to be effective, but only to the extent that the public is willing to use them. An obvious hurdle to this is getting more Americans to trust major tech companies and the government. This can be achieved if we had better privacy protections in place to regulate government control of our personal data. Naturally, people who are truly concerned about their digital privacy will most likely opt out of contact tracing programs or not possess the infrastructure to implement such a program. But for a majority of the population, who will continue to rely on smartphones, greater trust in privacy protections among these contact tracing apps is crucial to their increased usage.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r4 - 29 Apr 2022 - 20:12:11 - SophiaHan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM