Members of Congress to unveil bipartisan bill to regulate contact-tracing apps, fearing potential privacy abuses

By: Tony Romm
Source: The Washington Post

Senate lawmakers plan to unveil a bipartisan bill on Monday that would regulate contact-tracing and exposure-notification apps, seeking to ensure new digital tools meant to combat the coronavirus don’t come at the expense of users’ privacy.

The proposal, called the “Exposure Notification Privacy Act,” would erect federal guardrails around Silicon Valley’s nascent efforts to track people’s movements and alert them whenever they come in close contact with someone who has tested positive for covid-19. Democrats and Republicans led by Sen. Maria Cantwell (D-Wash.) say the legislation is necessary to ensure tracking isn’t forced on those who don’t want it — and to ensure any data that’s collected isn’t put to commercial use.

“The important thing we wanted to get done, as people started to look at this, is make sure the privacy protections are in place,” said Cantwell, the top Democrat on the Senate Commerce Committee, which oversees tech issues.

Cantwell added she’s personally disinclined to use contact-tracing technologies herself in the absence of strong regulations. “We’re all irritated our browser history might be sold a thousand times over,” she said, “but when it’s your healthcare history it’s a whole new realm.”

A wide array of tech giants, app developers and private employers have pursued contact-tracing and exposure-notification tools in recent months, hoping to arrest the spread of a deadly pandemic that’s already killed more than 100,000 in the United States. Their efforts have raised thorny, urgent questions about the balance between safeguarding privacy and protecting public health in the midst of an historic pandemic.

Apple and Google, for example, rolled out a notification system in May that allows people with a confirmed coronavirus diagnosis to notify people who have previously been in their close proximity. The system doesn’t reveal anyone’s name or location, relying on a setup that heavily obscures people’s personal information while controversially limiting how much local authorities actually can see about who might have been infected.

Other apps have posed more immediate challenges: An app commissioned by authorities in North Dakota, for example, transmitted some data to Foursquare, a major commercial broker of location information, the Washington Post previously found. Officials maintain the data never was used for advertising purposes, but privacy experts at the time bristled at the fact that such sharing occurred without users’ permission.

Democrats and Republicans pointed to the potential for similar, serious missteps — and Silicon Valley’s long list of past scandals — in calling on Congress to pass a new law. Absent strong protections, some policymakers said Americans simply would never grow comfortable adopting contact-tracing and notification apps at the scale that’s necessary to combat the coronavirus.

“I think if you ask most people, ‘Do you trust Google to respect your privacy?’ . . . they don’t trust Google,” said Republican Sen. Bill Cassidy (La.), one of the bill’s sponsors.

"This is a matter of perception. It's not an indictment of Google," added Cassidy, a doctor by background before arriving in the Senate. "We're making sure people are comfortable with this."

Apple and Google did not immediately respond to requests for comment.

The scramble to adopt new privacy protections governing a novel class of public-health apps underscores a familiar struggle in Washington: Regulators have failed to keep pace with an industry that has churned out new devices, sites and services faster than the U.S. government can monitor them for potential abuse.

Lawmakers over the past decade have failed to adopt a single consumer privacy law, despite major privacy scandals on the part of tech giants including Facebook and Google. New hope emerged last year, as Democrats and Republicans offered fresh proposals out of concern that Silicon Valley largely eschewed federal punishment for its misdeeds. But those bills, like countless others preceding them, quickly stalled amid partisan squabbling.

With the coronavirus, some lawmakers see a fresh opportunity to make up for their own past shortcomings and regulate a new technology before it becomes widespread. Public confidence in these public-health tools is low, as half of Americans say they are unlikely to use the infection-alert apps adopted by Apple and Google, according to a poll conducted by the Post and the University of Maryland in April. The success of the system, however, relies in part on a large number of people using it, making early efforts to assuage privacy-conscious Americans critical.

“There’s this patchwork of laws that may cover some of this data in some instances, and that’s just not enough to really get at the use cases and the data combinations we’re seeing being proposed,” said Sara Collins, policy counsel at the consumer group Public Knowledge.

Most Americans are not willing or able to use an app tracking coronavirus infections.

The bill by Cantwell and her peers requires companies developing contact-tracing applications to do so in collaboration with public-health authorities. These tools must also obtain consent before they can begin tracking a user’s location to determine the spread of the coronavirus.

The permission required under the bill helps to combat concerns that workers may be forced into installing tracking software by their employers, Democratic and Republican lawmakers said, adding that businesses would be prohibited from discriminating against people who decline to participate.

Adam Conner, the vice president for Technology Policy at the Center for American Progress, said there is growing concern over what employers “may coerce employees into doing.” With apps they develop, “there’s a real danger of them being so broad, or snake-oil and ineffective, that there isn’t a public health check,” he said.

Employer-driven technology is already beginning to come to market: The accounting firm PricewaterhouseCoopers, for example, is offering its own contact-tracing app that aims to help businesses “access precise proximity information” and “receive near real-time information about whether your people may be at risk of exposure,” the company says. PwC did not immediately respond to a request for comment.

Under the proposed, bipartisan legislation, any data collected as part of coronavirus monitoring technology could not be used for commercial purposes, and users could request at any time to delete it. App makers and other companies behind contact-tracing tools further would have to notify users in the event of a breach, and the U.S. government would gain new powers to penalize privacy and security abuses, the bill prescribes.

Other lawmakers have offered their own bills targeting contact tracing in recent weeks, including a proposal led by Republican Sen. Roger Wicker (Miss.), the chairman of the tech-minded Commerce Committee. The bill, however, has troubled some privacy advocates and Democratic lawmakers, who charge it suffers from significant loopholes -- such as exempting employers from new data-protection rules.

A spokesman for Wicker did not respond to a request for comment.

The looming disagreements threaten to scuttle contact-tracing legislation much as they have past efforts on Capitol Hill to regulate online privacy. Cantwell said lawmakers would push to add it to the next coronavirus relief legislation, even as she acknowledged she is “not confident it’s going to move swiftly.”

“I’m confident if you don’t say what a good notification system looks like,” she added, “that people are going to be out there abusing it and doing things we don’t want to see done.”