Digital Contact Tracing, Privacy, and Public Health

Abstract Digital contact tracing, in combination with widespread testing, has been a focal point for many plans to “reopen” economies while containing the spread of Covid‐19. Most digital contact tracing projects in the United States and Europe have prioritized privacy protections in the form of local storage of data on smartphones and the deidentification of information. However, in the prioritization of privacy in this narrow form, there is not sufficient attention given to weighing ethical trade‐offs within the context of a public health pandemic or to the need to evaluate safety and effectiveness of software‐based technology applied to public health.

U sing mobile technology for contact tracing efforts is emphasized in many plans to "reopen" countries and states because of the need to rapidly identify the possible contacts of a person diagnosed with Covid-19, many of whom the infected individual might not know personally. 1 These digital tracing projects prioritize privacy protections that emphasize local storage of data on phones and deidentified information. What these projects fail to recognize, however, is that standard ethical frameworks for biomedical research-developed to guide how to weigh values such as autonomy, justice, beneficence, and nonmaleficence-are not necessarily appropriate in the context of a pandemic. These projects also highlight the inadequacy of current regulatory frameworks to evaluate safety and ef-fectiveness of software-based technology applied to public health.
Technologists in the United States and Europe have been racing to build digital systems for contact tracing to contain Covid-19. The general concept behind these projects is to use Bluetooth technology in smartphones to register proximity between the phones of people diagnosed with Covid-19 and other smartphone users; if a user reaches a predetermined threshold for risk of SARS-CoV-2 transmission, a digital "token" (such as a contact number) is generated and stored locally on the user's phone. If the user is diagnosed with Covid-19, then the app is triggered to send notices to other smartphones to alert users that they were in contact with someone diagnosed with the illness. 2 The contact data is deleted after about fourteen days. Google and Apple, in particular, teamed up to develop Bluetoothoriented tools for an "exposure notification system" on their operating systems, through which other developers can cre- ate apps in coordination with public health authorities. 3 Disseminating information about Covid-19 status presents possible risks to users, including stigma and impact on employment. Most of the groups developing contact tracing apps hold that "decentralization" is necessary to make the app acceptable, given concerns about government or corporate surveillance of citizens. In this context, decentralization generally means that data will not be stored on a central server, that the system will depend on users' opting in voluntarily, and that data that would identify users will not be collected. 4 Most digital contact tracing projects in the United States and Europe have taken this approach. 5 But however well the risks of contact tracing apps are minimized, no risks are justified if they are not balanced by benefits. Theoretically, much as vaccines benefit both individuals and societies, contact tracing apps could benefit not only individual app users who are notified of possible exposure to the virus but also communities, including people who are not using the app. Yet there is no established process or metric for evaluating the likelihood that the apps will achieve their intended benefits. The scientific consensus is that a combination of extensive testing capability and effective contact tracing is necessary in order to allow the easing of shelter-in-place and social-distancing orders while containing the spread of Covid-19. For digital contact tracing methods to be effective in keeping a virus's reproduction low enough to contain the pandemic, it is estimated that 60 percent of the population would need to use the app and adhere to scientific recommendations to isolate and contain cases. 6 That goal will be hard to reach. Around 81 percent of the U.S. population owns smartphones, 7 and some older smartphone models do not have the features necessary for these digital tools to work (in the United States, about 88 percent of smartphones do). 8 The voluntariness may also be a problem. Singapore's contact tracing app has depended on voluntary usage, and only 12 percent of its population downloaded it. 9 A contact tracing model that maximizes user adoption of the app and ease of use is critical.
The apps would also have to gather some personal information. Public health authorities would use the apps to facilitate traditional contact tracing efforts, 10 and to do that, they would need some personal information about the person diagnosed and their contacts.
By focusing, in product design, on the privacy needs of individual app users, developers may be overlooking the needs of public health officials in terms of what information they require and how an app best fits into the overall contact tracing workflow. Privacy needs to be addressed not in isolation but in terms of trade-offs with other ethical values and interests. In most U.S. states and most countries around the world, people have been subject to social-distancing policies for public health reasons, which means a short-term restriction on the liberty interest of individuals in order to enhance the long-term liberty interests of communities. Similarly, the collection of personal information for effective contact tracing, which is a condition for safely lifting these restrictions, necessitates weighing the trade-offs with individual liberty interests beyond just protection of informational privacy. This is not to say that individual data protection is not needed but, rather, that how data is collected and protected must be evaluated within a broader public health framework. The traditional protections of human subjects in biomedical research balance risks to individuals with benefits to society in a way that prioritizes individual interests, but in a public health emergency, that calculus is not appropriate.
Many of the digital contact tracing models in development assume that people will be more likely to use apps that incorporate these privacy protections. However, whether people are more likely to adopt and use a contact tracing app that prioritizes these types of privacy protections is one of several empirical questions that must be assessed before a choice among digital tools is settled. There are indications that people may be more willing to share some personal information if it is for the benefit of public health. 11 Similarly, there is a need to investigate whether an opt-in approach can achieve the needed 60 percent use and, if not, to assess public support for mandatory measures.
Sophisticated tech design does not negate the need for regulatory protections of contact tracing data. South Korea, which leads the world in smartphone ownership, 12 uses digital contact tracing as part of efforts that are generally viewed as successful at limiting the spread of Covid-19. In South Korea's approach, participation is mandatory, and public health personnel draw personal data for diagnosed individuals from a range of public and corporate digital databases. There is also strict transparency about where the data are drawn from, public scrutiny of the process, and strong legislative protections against misuse. 13 In the United States, appropriate privacy protection for a contact tracing system should include legislation that prohibits the data from being merged with data for non-Covid-19 purposes or used for commercial purposes, as well as limits for how long the By focusing, in product design, on the privacy needs of individual users, developers of contact tracing apps may be overlooking the needs of public health officials. data can be stored and sunset provisions for the use of the technology. 14 In the interests of transparency, information should be provided to users at a sixth-grade reading level and include how the app works, what information is collected, how data is stored and for how long, what the risks of reidentification are, and how to interpret notification or lack of notification from the app.
The development of a digital contact tracing app must also establish the app's safety and effectiveness. This step in evaluation would be a departure from the usual method of app testing, but these apps are proposed as public health interventions and carry much higher stakes than the typical consumer smartphone app does. Research (even if it must be done in an accelerated time frame) is needed to evaluate the effectiveness of an app for contact tracing purposes and allow for appropriate weighing of the risks and benefits in relation to its public health value. It is not clear how effective the Bluetooth approach is "in the wild," and the system may be susceptible to hacking or trolling. 15 Evidence about whether the average person will be able to follow the instructions for using the apps and whether people are likely even to download them needs to be part of the process for selecting which app public health authorities will use. Will marginalized groups or the elderly face challenges in using the app effectively? If a user receives a series of texts indicating Covid-19 contact, will they start to ignore them, succumbing to the well-known phenomenon of alert fatigue? If a digital contact tracing app that has not established its effectiveness is released, it could give a false impression to users that they have not been in proximity with anyone who has Covid-19.
In response to privacy concerns, Google and Apple have already made adjustments to their proposals, such as requiring that the tools be used only by public health authorities and shutting down the tools when the pandemic ends. At the same time, there has been wider concern about allowing giant tech companies, rather than national and state public health leaders, to drive the development of essential public health tools. Will this orientation give adequate attention, for example, to such questions as when the pandemic "ends"? Who should make that decision? Google's forays into health and public domains have shown the potential benefits of applying its technical expertise to health but have also revealed disconnects between how tech and medical domains approach ethical health research. For example, Google's flu tracking project, which was widely viewed as a disappointment, demonstrated the limits of big data and Google's algorithms, the need for transparency and accountability, and the utility of integrating with traditional data collection approaches. 16 The current pandemic requires a rapid response, but it also requires ethical frameworks that prioritize public health. Digital contact tracing efforts must employ ethical frameworks that put privacy in a broader ethical context and address the trade-offs between respecting individual liberties and protecting society that are inherent in supporting public health.
Vaccine Rationing and the Urgency of Social Justice in the Covid-19 Response by HARALD SCHMIDT T he Covid-19 pandemic needs to be considered from two perspectives simultaneously. First, there are questions about which policies are most effective and fair in the here and now, as the pandemic unfolds. These polices concern, for example, who should receive priority in being tested, how to implement contact tracing, or how to decide who should get ventilators or vaccines when not all can. Second, it is imperative to anticipate the medium-and longer-term consequences that these policies have. The case of vaccine rationing is particularly instructive. Ethical, epidemiological, and economic reasons demand that rationing approaches give priority to groups that have been structurally and historically disadvantaged, even if this means that overall life years gained may be lower.
As social-distancing measures were implemented across the country in recent months, people differed in their responses. New York City is the nation's single largest hotspot. It can serve as a useful case study, as it magnifies countless of the dynamics at work in implementing our collective Covid-19 response. As the pandemic unfolded, many affluent people moved to their vacation homes. But many people needed to stay put because their work (whether in formal or informal employment) could not be done remotely or they could not afford not to work. Analyses of transit data at the end of March showed that subway ridership in New York City was significantly reduced, albeit unequally in geo-graphic terms. In Manhattan, which has the highest median household income of the five boroughs at $80,000, morning commute ridership fell by around 75 percent. But in the Bronx, which has the lowest median income at $38,000 and the highest poverty rate of all boroughs, there was only a 55 percent drop. 1 These differences are plausibly explained by differences in people's ability to prioritize protecting their health over income opportunities. 2 Lower-wage workers are more likely to be exposed to environmental risks associated with more affordable mass transit, and their risk of exposure is oftentimes compounded by less-safe housing and the nature of their formal or informal employment.
Similar disparities can be observed in more directly healthrelated measures. At the end of April, Covid-19-related deaths were almost twice as high in the Bronx, compared to Manhattan (224 versus 122 per 100,000 residents). 3 Deaths also differed across racial groups. Twice as many Black/ African American residents died when compared to white New Yorkers, and Hispanic/Latino people fared almost as badly (127 versus 114 versus 63 per 100,000). 4 When it comes to testing, preliminary analyses suggest that access is the inverse: the vast majority of the thirty ZIP codes that had the highest rates of testing (per capita) were whiter and wealthier (or both), compared to city averages. 5 Along with other data at the national level indicating that low-income communities and communities of color are at higher risk of serious illness if infected, 6 these disparities bear out that historically and structurally disadvantaged populations incur a far larger share of the morbidity and mortality burden while being far less able to absorb financial and other costs.