A New Normal: What Contact Tracing COVID-19 Means for Privacy
"I've stopped using the words 'going back to normal' because I don't think we're going back to whatever it was before," said Heather Federman, the vice president of privacy and policy for BigID.
May 14, 2020 at 01:00 AM
6 minute read
The original version of this story was published on The Recorder
Back in January, if a tech giant asked consumers if they wanted to share their location data and health status with strangers, or an employer asked workers to take daily temperatures, many folks probably would've told them to shove off. But as the U.S. death toll from the coronavirus pandemic passes 80,000, more Americans might prioritize public health and put aside a distrust of Big Tech and everyday privacy intrusions.
Heather Federman, the vice president of privacy and policy for BigID, which uses machine learning to help companies protect their customer and employee data, says it's unclear how long these pandemic-era privacy incursions will remain in place.
"I've stopped using the words 'going back to normal,' because I don't think we're going back to whatever it was before," she said.
Federman, a lawyer by training who began her career at the Future of Privacy Forum as a legal and privacy fellow, and led privacy teams at Macy's and American Express, shared her thoughts on the legal and privacy implications of contact-tracing apps and other data-centric initiatives used to flatten the curve.
Answers have been edited for length and clarity.
What are your thoughts on Apple and Google's proposal for a contact-tracing app?
I have mixed feelings about it. On one hand, these companies feel like they have to do something. On the other hand, there's still a lot of questions as to how this will work. One interesting positive is that this is the first time you've had two major competitors coming together to create a system that is interoperable. That's something we're seeing pop up in various data protection laws—the ability to import your data into another system. This happens to be an interesting example of that actually happening. It does seem that they're trying to do their best to make this as privacy preserving as possible. We're using Bluetooth technology, they're trying to collect as limited information as possible. It's decentralized, so rather than it being on a central server, it is on your device. So while there are some governments taking issue with that, that is a step in the right direction.
I think the other question is yes, you're able to consent to this, but how likely is it that you're actually going to have enough users adopt this? And from what I'm seeing, you need at least 60% of the population to adopt it.
|For more on the future of law, sign up for What's Next.
What are you most concerned about with these contact-tracing apps from a privacy perspective?
I think my biggest concern is I've been doing a lot of comparison to the Patriot Act after Sept. 11. We had something that was a limited provision, because we were all freaked out, and understandably so. But [for] something that was supposed to be sunsetted back in 2005, it's still up for renewal. That's my concern for something like this. Apple and Google have said they want the data to be destroyed, but at what point is it actually destroyed? Is it once we're all vaccinated?
One challenge these contact-tracing apps encounter is how to responsibly reuse data from a privacy perspective. What are the major hurdles with this?
I think the reuse of data has always been an issue in the privacy world. This pandemic has exacerbated that issue because it's really front and center when we're dealing with location and health data. And the answer is unfortunately it's not clear, which brings us back to the trust issue. If it's not mandated that we do this, what's going to allow me to trust you that you're not going to use this for a secondary purpose. If you want me to be part of that 60% that's opting in, then I better know that you're using this for a limited purpose and you're only going to be using it for a limited amount of time. And I don't have those assurances yet. And that's the part that scares me, and I think scares a lot of people.
Do you anticipate any litigation stemming from these apps?
Probably. We're a litigation-happy country. Hypothetically, it could come into play if we're dealing with a false positive because Bluetooth has certain limitations. So, let's say you get a false positive that you were notified you might have COVID-19, and you need to stay at home, but it turns out you didn't have it. You could sue for losing pay for that period because you had to stay at home. I'm not quite sure how you prevent the liability issue. They're working with public health officials, so they could potentially tell those officials, "It's up to you to be the face of this and if someone is suing you, they're not suing Apple or Google as the third-party provider. They're suing you, the public health officials."
What are you hearing when it comes to contact tracing in the workplace and other measures that could get employees back to work but potentially infringe privacy?
I'm on group chains with different privacy practitioners, and they're all asking, "How do we do this in a way that we can allow people safely back in the office without totally going overboard." I think that's also very unclear at this moment. Temperature checks seem to be popular right now, but the problem with that is you can be asymptomatic, so I think that's going to be a concern. The concern is how much is too much. The temperature check is one thing. But what happens if they start monitoring your web-browsing activity to see if you're googling "Do I have COVID?" I don't know if we're crossing into that territory, but most employers when you get onboarded say that we can monitor any of your work devices. We're already seeing stuff around employee monitoring.
I'm also seeing a daily survey that employees have to complete before they go in. And it's not just about the employee, but the people they have close relationships with. That's not just implicating you, but your family. One way to handle that data is to segregate that information in a separate database, versus your regular HR data, and only touch that data when necessary.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Judge Denies Sean Combs Third Bail Bid, Citing Community Safety
- 2Republican FTC Commissioner: 'The Time for Rulemaking by the Biden-Harris FTC Is Over'
- 3NY Appellate Panel Cites Student's Disciplinary History While Sending Negligence Claim Against School District to Trial
- 4A Meta DIG and Its Nvidia Implications
- 5Deception or Coercion? California Supreme Court Grants Review in Jailhouse Confession Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250