On Thursday, Democrats from both houses of Congress introduced the Public Health Emergency Privacy Act, legislation that aims to safeguard the kind of health data consumers can share with contact-tracing apps and, hopefully, satisfy privacy concerns that would make many Americans hesitant to download them in the first place.
“This measure sets strict and straightforward privacy protections and promises: Your information will be used to stop the spread of this disease, and no more,” Senator Richard Blumenthal said in a press statement. He, along with fellow Senator Mark Warner and Representatives Anna Eshoo, Jan Schakowsky, and Suzan DelBene, sponsored the bill.
The Public Health Emergency Privacy Act would impose several guidelines determining how consumer health data is collected and used during a public health emergency. It would mandate “meaningful data security” among tech firms collecting this data, and require them to delete this data once the crisis has ended. Data collected for public health efforts also couldn’t be used by non-health-related government agencies or for commercial purposes such as advertising or e-commerce.
With this legislation, consumers would also not be forced to adopt digital exposure-tracking technology, such as the APIs currently being developed by Apple and Google for use among public health authorities. In particular, the bill outlines that officials can’t make a person’s ability to vote in elections contingent on their use of contact-tracing apps.
While the effectiveness of digital exposure-tracking efforts is largely dependent upon how many people opt in, requiring that participation remain voluntary could go far in assuaging Americans’ privacy concerns over the use of their health data. A recent joint poll by University of Maryland researchers and the Washington Post found that roughly half of Americans are either unable or unwilling to download this proposed tech for mapping the spread of the coronavirus.
In order to track the virus, apps that employ Apple and Google’s contact-tracing APIs would use random Bluetooth identifiers to exchange information between your phone and other devices that have come within Bluetooth range of you within the last two weeks. If a person tests positive for covid-19 and logs that information into the app, it sends a notification to nearby users (within six feet of the person) of their possible contact with an infected individual. These identifiers change every 10-20 minutes, which Apple has said makes them impossible to track, and no information is centralized on a government server.
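A simplified model of the rotating-identifier scheme described above, added here as an illustration and not taken from Apple's or Google's code: each phone derives short-lived identifiers from a daily secret, and matching happens on the receiving phone rather than on a server. The HMAC-based derivation, the 10-minute interval, the `Phone` class and the step of publishing daily keys after a positive test are assumptions of this example, not the APIs' specification.

```python
import hashlib
import hmac
import os

INTERVAL_SECONDS = 10 * 60   # assumed rotation period (article: every 10-20 minutes)
RETENTION_DAYS = 14          # article: contacts from the last two weeks
INTERVALS_PER_DAY = 24 * 60 * 60 // INTERVAL_SECONDS

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval (HMAC is an assumed stand-in)."""
    msg = b"rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    """Hypothetical device model: own daily secrets plus identifiers it has heard."""

    def __init__(self):
        self.daily_keys = {}   # day number -> random secret, kept on the device
        self.heard = {}        # identifier received over Bluetooth -> day heard

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def observe(self, identifier: bytes, day: int) -> None:
        self.heard[identifier] = day

    def expire(self, today: int) -> None:
        """Drop anything older than the retention window."""
        self.heard = {i: d for i, d in self.heard.items()
                      if today - d < RETENTION_DAYS}

    def report_positive(self, today: int) -> dict:
        """Daily keys a user who tested positive chooses to publish."""
        return {d: k for d, k in self.daily_keys.items()
                if today - d < RETENTION_DAYS}

    def check_exposure(self, published: dict) -> list:
        """Re-derive identifiers from published keys and match them locally."""
        days = set()
        for day, key in published.items():
            for interval in range(INTERVALS_PER_DAY):
                if rolling_id(key, interval) in self.heard:
                    days.add(day)
        return sorted(days)
```

Because an observer sees only the 16-byte outputs, two identifiers from the same phone cannot be linked without the daily key, and that key leaves the device only when its owner reports a positive test.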
This contact-tracing technology differs from the kind of apps deployed in India, Russia, and the UK, which have been privacy nightmares. Though that added security built in by Google and Apple means little if people don’t trust Big Tech enough to download the app to begin with.
“It’s our shared belief that swift passage of this legislation would go a long way towards establishing the trust American consumers need – and which Big Tech has squandered, time and again – for digital contact-tracing to be a worthwhile auxiliary to widespread testing and manual contact-tracing,” Schakowsky said in a press statement.