NEW YORK — The American Civil Liberties Union today released a set of technology principles against which developers, policymakers, and the public can judge any technology-assisted contact-tracing apps and proposals for COVID-19. Together with the ACLU of Massachusetts, the ACLU is also today demanding the Department of Health and Human Services and Centers for Disease Control and Prevention turn over records concerning its conversations with the tech industry and plans for using location tracking technology to address the COVID-19 crisis.
“In the coming weeks and months, we will see a real push to reopen the economy, a push that will rely heavily on public health measures that include contact tracing,” said Daniel Kahn Gillmor, ACLU senior staff technologist, in a white paper published today. “While some technology-assisted contact-tracing systems may offer public health benefits, they may also cause significant risks to privacy, civil rights, and civil liberties. We need a sober consideration of the risks and tradeoffs of such a system so that it protects not only the fundamental right to health, but also our rights of privacy and free association.”
Today’s paper follows a white paper issued last week on the significant practical limits of location tracking technology.
The principles the ACLU identifies in today’s paper for evaluating any technology-assisted contact tracing app include:
- Voluntariness — Whenever possible, a person testing positive must consent to any data sharing by the app. The decision to use a tracking app should be voluntary and uncoerced.
- Non-punitive — Any app or protocol must not be used for punitive measures such as criminal prosecution, immigration enforcement, or even quarantine enforcement.
- Built with public health professionals — A protocol built by technologists alone, without open consultation with public health professionals, is bound to fail.
- Privacy-preserving — Any app should be private by design. Good data minimization, no data leakage, regular data deletion, and minimal reliance on central authorities are critical.
- Non-discriminatory — Any proposal that is worth considering should attempt to account for and mitigate risks of further entrenching existing social inequities.
- Measurable impact — People must have a way to know whether it is working or not.
- Have an exit strategy — Policies must be in place to ensure tracking does not outlive the effort against COVID-19.
- Narrowly-tailored to target a specific epidemic — The data should not be used for purposes other than public health or otherwise unrelated to its collection; not for advertising.
- Auditable and fixable — Users and communities need clear signals that the software involved is trustworthy and does what it intends to do.
- Transparency — If the government obtains any data, it must be fully transparent about what data it is acquiring, from where, and how it is using that data.
"While many previously unacceptable practices may be adopted temporarily in emergencies, details matter,” said Kade Crockford, Director of the Technology for Liberty Program at the ACLU of Massachusetts. “The public must have a window into the government’s discussions with the tech industry and plans for sensitive data sharing so it can ensure the government is acting effectively, responsibly, and in manners justified by science. Private companies with potential financial interest can’t be the only ones privy to this critical information.”
The records request filed by the ACLU and ACLU of Massachusetts today demands HHS and CDC turn over documents and materials pertaining to, among other items, possible uses of location data and government access to or receipt of data from commercial databases containing cell phone location information; communications with tech companies about using or accessing location information; policies and procedures for possible use of, access to, and sources of location data; and the HHS decision, announced on April 2, 2020, to waive enforcement of certain privacy requirements under HIPAA.
A blog post on today’s announcements is here: https://www.aclu.org/news/privacy-technology/apple-and-google-announced-a-coronavirus-tracking-system-how-worried-should-we-be.
The white paper is here: https://www.aclu.org/report/aclu-white-paper-principles-technology-assisted-contact-tracing.
The FOIA request is here: https://www.aclu.org/foia-request-concerning-location-data-covid-19-crisis-response.