
U.S. Draft Privacy Act on Contact Tracing Apps Offers Hope While Raising Concerns Over Longevity

A group of U.S. Senators from both sides of the political aisle are seeking to introduce a new piece of legislation that aims to see contact tracing apps and exposure notification apps face sterner regulation. In essence, the “Exposure Notification Privacy Act”, announced on June 1, would give consumers a measure of control over what data is collected from them. The proposal comes as the latest in a line of two similar bills, which together have sparked optimism over the prospect of bipartisan legislation in support of data security in the U.S.

With the outbreak of COVID-19 prompting an increasingly widespread use of contact tracing apps to monitor the spread of the disease, new legislation such as the Exposure Notification Privacy Act has been put forward as a way to control their potential for misuse.

The Act’s announcement comes just days after Silicon Valley giants Apple and Google went live with their joint adaption of iOS and Android systems to include an application programming interface (API) that makes use of Bluetooth technology to facilitate the use of contact tracing apps.

Using this method, the contact tracing apps would be able to detect how close a person’s smartphone is to other nearby smartphones, as well as for how long their owners had been in contact with one another. Should a user catch COVID-19, the contact tracing apps would be able to map out who they had come into contact with, in theory making it easier to control the spread of the coronavirus.

However, the bipartisan bill—championed by the likes of Democratic Senator Maria Cantwell from Washington and Republican Senator Bill Cassidy from Louisiana—could put the brakes on the scope of the data collected by contact tracing and exposure notification apps.

Draft privacy act offers promise

By ensuring that consumers are afforded control over how their personal data is used in commercial online exposure notification systems, the Exposure Notification Privacy Act would place a firm limit on the type of data that contact tracing apps can collect, as well as how it can be used.

In addition, the new privacy act would likely make significant headway in building consumer trust for third-party applications.

A noteworthy protection offered by the proposed privacy act is an assurance that only data that is needed in the first place is collected. By requiring exposure notification service operators to collaborate with public health authorities, the legislation would ensure that only data that is relevant to the diagnosis of an infectious disease is gathered by contact tracing technologies.

The bill also provides a narrower definition of consent than previous attempts to regulate tracing apps. According to the bill, users would need to enroll in an automated exposure notification service—a way of closely monitoring affirmative express consent.

“Public health needs to be in charge of any notification system so we protect people’s privacy and help them know when there is a warning that they might have been exposed to COVID-19,” Cantwell said in a June 1 statement about the proposal more broadly.

Cantwell’s statement was mirrored by Democratic Senator Amy Klobuchar of Minnesota, who asserted that privacy should remain of the utmost importance, especially during times of crisis. “As we continue to confront the coronavirus pandemic, Americans should not have to worry about the privacy and security of their personal health data,” she said.

“While contact tracing can play a critical role in helping prevent the spread of the coronavirus, this crucial innovation cannot come at the expense of consumers’ privacy,” added Klobuchar.

Contact tracing apps require a long-term fix

Since its announcement earlier this month, the Exposure Notification Privacy Act has been widely embraced. Privacy advocates—ever wary of the new challenges posed to data protection in the wake of COVID-19—have commended the legislation as a noteworthy step in amassing bipartisan support for privacy issues, as well as in rousing debate more generally.

According to Ed Holmes, chief executive at the cloud-based security firm FairWarning, if passed, the legislation would be a major step in addressing the privacy risks relating to contact tracing apps. “The introduction of the Exposure Notification Privacy Act brings the major privacy risks surrounding contact tracing apps to the forefront of public discussion—going beyond what the tech community has been doing to actively tackle it over the last few weeks,” he said.

However, according to Holmes, caution is still needed when it comes to creating legislation with an eye toward the future, rather than exclusively with an eye toward abating the crisis in the short term. “On the other hand, we can’t debate the details for so long that we’re unable to act in a timely manner,” noted Holmes.

Because the Exposure Notification Privacy Act is designed to facilitate collaboration with public health officials, according to Holmes, the longevity of the legislation’s focus remains necessary. “The trick is to identify the data that’s most critical to share for saving the broader population that doesn’t put patient privacy at risk. That’s the easy part though. Having trust that the tech world won’t share the data in other ways is the hard part, but these companies are looking at ways they can keep the data anonymous,” explained Holmes.

“The key will be to find a balance between protecting a patient’s health and maintaining their privacy, while also protecting the health of the larger population,” he said, adding that “we can have all three and not compromise on the solution.”