Americans have encountered numerous new experiences during COVID-19, but contact tracing isn’t one of them.
Long used to track diseases such as tuberculosis, contact tracing is described by experts as a “tried and true” public health tool. But as the scale of the tracing has ballooned during the pandemic, so has the distrust of the method.
In the United States in particular, government agencies have had a tough sell when asking citizens to comply with tracing, experts say. When a call from a health department comes in alerting a resident to potential virus exposure, it often goes unanswered or unreturned for several days.
While the resistance is partially attributable to some citizens’ belief that the virus does not pose a serious threat to their health, there’s another factor at play: privacy. Americans are often uncomfortable with the idea of the government tracking them or using their data, experts say, so they don’t engage in contact tracing efforts.
But according to data privacy lawyers, when handled appropriately, contact tracing is both a legal and a helpful tool to combat the public health crisis. The key, though, is how governments or third-parties handle the data they collect in their efforts.
“I think it’s OK,” Fred Cate, of the Indiana University Center for Applied Cybersecurity Research, said of contact tracing. “And I think the thing that makes it OK is that we’re doing it for this purpose (COVID-19) and none other.”
Two main contact tracing techniques have emerged during the novel coronavirus pandemic. Often, government agencies employ workers to call or text potentially infected individuals, urging them to isolate and warn those they’ve had contact with. Alternatively, third-part tech vendors have developed apps and software to automate the process.
In Indiana, the Department of Health has contracted with Virginia-based Maximus Inc. to handle the state’s contact tracing efforts. Trained workers will reach out to Hoosiers via email or text, asking them to call in to a centralized call center. Once the resident calls, the trained worker will identify who the patient has encountered and repeat the process. If a resident doesn’t call back, Maximus calls them.
As of June 29, Indiana has reported 45,594 positive cases of COVID-19, with 2,448 deaths and 484,196 tested. Maximus’ plan under the $43 million contract with Indiana was to hire 500 employees to trace these cases across the state.
Maximus declined to answer questions about its privacy practices, referring Indiana Lawyer instead to the state Joint Information Center, which has been handling all COVID-19 information requests. In a statement, the JIC listed security measures including never revealing the name of a client to a close contact without permission, privacy law training for employees, and retaining all gathered information on a secure server.
Other states following a similar model have hit a roadblock in their contact tracing efforts: citizen engagement, or lack thereof. When calls to citizens go unanswered, the process is stopped.
To remedy that issue, lawyers say government agencies must be intentionally transparent about what they’re tracing and why.
“If you look at recent changes in privacy laws, it’s really geared more toward giving individuals more notice of what data is being collected and how that data is being used,” said Brian McGinnis, co-chair of the Data Security and Privacy Law practice group at Barnes & Thornburg in Indianapolis. “It’s about giving more transparency about those things and giving people more control over the use of their data.”
Old dog, new tricks
Concerns over data privacy certainly aren’t new, said Nick Merker, chair of Ice Miller’s Data Security and Privacy Practice. But what is new is how those concerns apply now to widespread, global contact tracing.
“The concerns are the age-old concerns: You’re going to generate new information and it’s going to be held by a private company or the government,” Merker said. “The opportunity for misuse of that information is ripe.”
To prevent the misuse of contact tracing data, Cate — who is also a professor at the Indiana University Maurer School of Law in Bloomington — said governments and third parties must practice “good data hygiene.” That is, contact tracers should secure their data, anonymize it where possible and delete it as soon as it’s no longer needed.
The consequences of not practicing good data hygiene will differ based on who the keeper of the data is, the lawyers said. If it’s a governmental agency, for example, that agency could run the risk of a Fourth Amendment search-and-seizure challenge.
Third-party vendors, however, present a different scenario.
For example, a person who freely downloads a contact tracing app onto their phone would not implicate the same privacy concerns, McGinnis said. Similarly, if an employer asks an employee to download a tracing app and the employee complies, the app cannot be downloaded without consenting to its terms, Merker added.
Even so, employers who require contact tracing need to consider the scope of the information they gather, Merker continued. Tracing inherently goes deeper into an employee’s life than is normal, so employers must know where to draw the line.
Perhaps most notably, tech giants Apple and Google have teamed up to provide contact tracing services, a move some tech professionals say “scares people to death.”
To that end, Indiana Attorney General Curtis Hill joined a coalition of 39 AGs calling on Apple and Google to protect consumer data in three ways: verifying that every contact tracing app is affiliated with a government public health agency; removing unverified applications; and pledging to remove all coronavirus-related data once the public health emergency ends.
“Implementing these limited measures could help protect the personally identifiable information and sensitive health data of millions of consumers,” the AGs wrote.
Though Maximus has secured the state government contract, smaller vendors throughout the Hoosier state also offer contact tracing options. Among those is Safe Hiring Solutions, a Danville-based operation that made its start in electronic background checks.
Among Safe Hiring’s services is a product known as Reflynk. According to founder and CEO Mike McCarty, Reflynk streamlines the reference-check process by using email, rather than getting stuck in a game of phone tag.
Once the pandemic started, Safe Hiring saw an opportunity to translate Reflynk into a contact tracing program. Using Reflynk, tracers could contact infected people via email or text, encouraging those people to input the contact information of others they’ve had contact with.
“It works as a pyramid,” McCarty explained. “It puts them on notice, and they can enter anybody they’ve had contact with. It’s much less surveillance-based than some of the models I’m seeing.”
Though there was initial interest from government agencies in Reflynk, the Maximus contract won out, McCarty said. But he’s already heard from schools who are interested in using the software once the fall semester begins.
One of the benefits of using a program such as Reflynk, McCarty opined, is that it doesn’t require users to input sensitive personally identifiable information. What’s more, he said, Safe Hiring Solutions built its business model around cybersecurity, so it can offer its customers professional data protection.
Offering such protection is an important step toward building trust in the contact tracing process, McGinnis said. If citizens agree to provide their information, he said, they must be able to trust that their government will use it appropriately, then delete it as soon as possible.
As with most everything else related to COVID-19, the lawyers expect to see litigation stemming from contact tracing operations. All three think contact tracers have a valid defense, but only if the information and data collected is used appropriately.
“All of our privacy laws, including HIPAA at the federal level, have exceptions for public health emergencies,” Cate said.•
— The Associated Press and the Indianapolis Business Journal contributed to this report