Rep. Anna Eshoo (D-Calif.) recalls crisscrossing the country in 2004 and seeing copies of The 9/11 Commission Report in the hands of fellow travelers everywhere. In a recent interview with Fortune, the longtime lawmaker recalls being touched by how ordinary Americans clamored to read about an event that changed the country—and predicts that, in the future, Congress will prepare a similar account of the current coronavirus pandemic.
If Congress writes that report, Eshoo says she hopes it will include not just lessons about the virus itself, but sections about data collection and privacy too. And she is hardly the only one who is thinking about the privacy implications of the pandemic.
Activists and media outlets also warn that, like 9/11 before it, the outbreak could lead the government to demand new data-gathering powers—powers that could become entrenched even after the crisis passes.
While the pandemic has indeed set off a scramble by governments to gather health data in the U.S., these efforts—for now at least—are limited. The potential long-term implications could, however, pose privacy risks and also strengthen the case for those calling for a new federal law to protect data.
Google, the government, and surveillance
Google recently introduced a COVID-19 tracker, which relies on the location data of Android phone users, to measure how people are heeding social distancing instructions. Meanwhile, Facebook is also gathering and sharing data about users’ movements, and encouraging them to report symptoms to help researchers understand the disease. And on Tuesday, Apple launched a similar project that draws on Apple Maps data.
Privacy advocates are concerned about such initiatives. In the case of Google, this has included U.S. senators sending a letter to CEO Sundar Pichai, asking him to ensure his company’s tracking project doesn’t impinge personal privacy.
Major media outlets have also raised the alarm about a potential privacy crisis. This includes a New York Times article on March 23, near the onset of the crisis, titled “As Coronavirus Escalates, Personal Privacy Plummets” and a Forbes piece the same day, “Coronavirus Could Infect Privacy and Civil Liberties Forever.” Implicit in these articles, and in subsequent news reports, is that the outbreak will be a privacy catastrophe as well as a medical one.
However, it’s unlikely any of this will happen in the near future.
In the case of the Google and Facebook initiatives, the companies are only collecting data when people explicitly opt-in and, even then, in a way that doesn’t make the identity of participants easily available. Ironically, these efforts may be more open and transparent than many of the companies’ other data gathering activities.
And for now, most of the COVID-19-related data tracking in the U.S. is nowhere near as invasive as what dozens of location marketing companies have long been doing in the name of advertising.
Some medical experts, meanwhile, say there is no appetite at the moment in the U.S. for tracking specific individuals as part of the campaign to curb COVID-19. “We don’t have time to track what people think we’re going to track,” says James Hodge, director of the Center for Public Health Law and Policy at Arizona State University. “There’s no systemic effort at any level of government to track movement of specific individuals until they give us reason to be concerned.”
Concern over “specific individuals,” Hodge explains, would only extend to symptomatic individuals who flout orders to stay inside. He adds that, even then, tracking them would likely require a court order.
Courtney Bowman, who leads a privacy and civil liberties team at the big data firm Palantir Technologies, likewise believes some of the recent outcry over privacy is misplaced. “Some of the discussion is over-indexing on the dystopian China scenario without acknowledging the differences that a federated society like the U.S. creates,” he says, referring to the fact that most power in the country resides with individual states rather than the national government.
Like Hodge, Bowman also believes tracking specific individuals is not practical or desirable—especially since the window for containing the pandemic has long passed. He does, though, acknowledge that government officials are inclined to ask for new sources of data in the hopes they will provide a quick solution. But he adds officials gradually become aware that “A.I. and magic solutions” can’t solve all problems, and that Palantir discourages them from collecting unnecessary data. (Skeptics, however, may point to a recently discontinued anti-terror program that collected phone records for years at a cost of $100 million, but which led to only one significant investigation).
Palantir, though, has long been a bugbear for civil libertarians and liberal groups that criticize the work it does parsing data for federal agencies like Immigration and Customs Enforcement. And some fear Palantir’s work with the federal government in the present crisis could be a new threat to privacy. Meanwhile, in the UK, some politicians have expressed alarm over reports that Palantir is compiling datasets from the country’s National Health Service.
Bowman, however, notes that Palantir’s current work in the U.S. is focused on how to track the country’s supply of personal protective equipment (PPE) and ventilators rather than monitoring individuals. He also points out that Palantir has been working with the Centers for Disease Control and Prevention and Health and Human Services for years on issues like food-borne illness, and that many at the company want to help solve the crisis. “I don’t want to sound self-serving but I think there’s a lot of commentary that presumes malicious intent as a starting point,” he says. “The world is in a really crazy place. Many of us operating on this are part of the world too, and are equally concerned.”
Health tracking in the U.S.
If the U.S. adopts a system of tracking individuals to combat the coronavirus, that system—known as contact tracing—is unlikely to resemble what is being put in place in other countries, say politicians, including Eshoo. “We don’t want the federal government to have real-time location data for every citizen,” she says.
Eshoo adds that China is no model for the U.S. as “it has no civil liberties,” but also criticizes measures being deployed in democracies like Israel and South Korea, where authorities have been tracking people by using CCTV, banks cards, and other tools.
Concerns over government tracking are shared not only among Democrats like Eshoo, but among libertarian-minded Republicans like Sen. Mike Lee (R-Utah) and Rand Paul (R-KY), as well as many ordinary Americans. This means that, if the country does adopt any form of contact tracing, it’s likely to be along the lines of what journalist Derek Thompson proposed in The Atlantic this week.
Thompson, noting that measures adopted by Singapore and South Korea are unlikely to fly in the U.S., predicts Americans may adopt a modified system that relies on using anonymous IDs broadcast between smartphones through Bluetooth, a technology standard for sharing data between devices. In practice, this would mean that if someone diagnosed with coronavirus had visited a Starbucks or other place, public health authorities would be able to alert others who had also been in the same place—all while relying on technology that doesn’t reveal the personal identity of the sick person in question.
Such plans for an American version of contact tracing took a step forward on Friday when Apple and Google announced they are partnering to develop an anonymized Bluetooth system to help authorities monitor infections via government apps. While any such technology is months away from being deployed, early reports suggest it would be opt-in and could provide an important public health without compromising individual privacy. (Skeptics, though, warn such a system could be a target for trolls and may be ineffective).
So far, proposals for contact tracing in the U.S. don’t appear to pose an imminent threat to civil liberties. But that doesn’t mean that privacy advocates should let their guard down.
Alex Abdo, a former American Civil Liberties Union director and senior attorney at the Knight First Amendment Institute, points out that many of the “temporary” security measures instituted after 9/11 still persist to this day. And he warns about the impulse—cited by Bowman of Palantir—of government officials in a crisis to ask for as much data as they can, without determining if the data is relevant or necessary.
Meanwhile, health companies are seeking to pool data of coronavirus patients for research purposes, while local governments are sharing addresses of patients with law enforcement in order to protect first responders. In both cases, there is a risk such data could be misused. Indeed, Eshoo recalls how victims of an earlier health crisis—the AIDS epidemic of the 1980s—faced financial and employment stigmatization, and says she wants to ensure this doesn’t happen to those with coronavirus.
These and other concerns led Eshoo, along with Rep. Suzan DelBene (D-Wash.) and Sen. Ron Wyden (D-Ore.) to send a letter to the White House, asking the White House to heed privacy principles while responding to the pandemic. The Trump administration has yet to comment publicly on the letter or address concerns over data privacy during the pandemic.
The larger threat to Americans’ privacy, however, may be rooted less in the current crisis, than in the country’s lack of a comprehensive laws that protect data in the first place, according to Bowman. The U.S., he notes, has a hodgepodge of laws when it comes to health and children’s privacy, which creates many gaps. It’s also unclear what laws apply to which companies. For instance, there’s uncertainty whether the federal health privacy law, HIPAA, applies to the likes of Google while, when it comes to data collection, phone carriers are subject to more stringent rules than tech companies.
The upshot is what the U.S. may need most is not specific measures to prevent misuse of health data during the current outbreak, but federal legislation that creates overarching privacy regulation such as already exists in places like Canada and Europe. Ironically, Congress was negotiating the details of such a law before the pandemic broke out and legislators became consumed with the crisis. Now, champions of the law, including Rep. DelBene, are pushing to ensure the project doesn’t fall between the cracks.
Says Rep. DelBene, who is pushing for privacy even as her home state of Washington faces some of the heaviest toll from the outbreak: “We need to continue to realize what a critical priority this is. Other parts of the world are taking this seriously. We need a federal standard.”
More must-read tech coverage from Fortune:
—How the coronavirus stimulus package would change gig worker benefits
—Zoom meetings keep getting hacked. How to prevent “Zoom bombing”
—Why China’s tech-based fight against the coronavirus may be unpalatable in the U.S.
—Hospitals are running low on the most critical supply of all: oxygen
—Listen to Leadership Next, a Fortune podcast examining the evolving role of CEO
—WATCH: Best earbuds in 2020: Apple AirPods Pro Vs. Sony WF-1000XM3
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.