Watching the watchers: More accountability needed to ensure responsible COVID-19 tracing tech
As governments and employers around the world embrace new technological tools to aid COVID-19 contact-tracing, Congress should look beyond traditional law enforcement tools to protect citizens’ privacy and civil liberties.
If responsible steps to rein in the pandemic require dramatic changes in how much information people share about their health and movements, Congress has a duty to assure the public that there will be meaningful accountability in how their data are being used.
Smartphone apps offer promising tools for collecting data about users’ movements and sharing that information with public health authorities. The more detailed these tools are, the more useful they are — and the greater the privacy and civil liberties risks. The International Digital Accountability Council (IDAC) — of which I am the president — recently conducted an analysis of 108 COVID apps in 41 countries and found that while many of them employed laudable privacy and security measures, some developers and governments failed to follow best practices with respect to transparency, security, requests for permissions, and third-party data-sharing.
Past crises such as 9/11 have shown that once our privacy is surrendered, it can be hard to reclaim. Altering the delicate set of protections against excessive surveillance by government and private sector partners is something that should only be done after careful consideration and balancing, with meaningful accountability protections in place. Unfortunately, discussion of legislative solutions in the beltway debate has so far remained deadlocked along partisan lines relating to preemption and private rights of action.
New thinking about measures to assure accountability could help break the deadlock.
Law enforcement and consumer protection agencies are adept at launching investigations and enforcement actions against the worst actors when legal violations are clear cut and egregious. This is essential to ensure compliance with the law and should be a central piece of any response.
But it is naïve to believe that law enforcement oversight alone can ensure accountability with complex new rules under novel circumstances and intense time pressure. Rather than rely exclusively on law enforcement, Congress should empower nonprofit watchdogs to monitor data use practices in real time and identify risks and harms to data protection and privacy before they become full-fledged public policy and law enforcement problems.
Some privacy and security shortcomings deserve a robust law enforcement response. Moreover, the threat of law enforcement actions can create a powerful incentive for developers to follow best practices and make truthful representations. However, as IDAC’s study shows, when developers roll out new tools quickly, there is often room for improvement that falls short of a law enforcement problem. Because trust is critical to ensuring public cooperation with the pandemic response, nimble mechanisms for improving privacy and security practices can play an important role in shoring up the privacy and security practices of app developers. In many cases, our investigation has shown that friendly taps on the shoulder can have an immediate impact.
It is unreasonable to expect Congress to iron out all the rules in advance. Instead, there should be robust partnerships between government, technologists, public health authorities, researchers, and civil society to develop a novel set of tools for contact tracing that protects public health and respects privacy and civil liberties. There should be detailed new rules for how data are collected, handled, shared, and retained by a wide variety of actors. Developers, technologists, and public health authorities will need to be trained and certified on what is permitted and prohibited and should play a key role in fleshing out these rules.
And there must be accountability that does not rely only on lengthy legal processes that tend to focus only on the clearest violations of established legal norms. Working closely with app developers, tech platforms, and other key players in the digital ecosystem, watchdogs should raise the bar on data practices, resolving concerns in real time and referring the most troubling cases to law enforcement.
Clawing our way out of the COVID-19 pandemic will require innovation from every sector. As it considers the next steps on contact tracing and privacy, Congress should think creatively about how to ensure accountability for new technologically-enabled strategies for containing the pandemic and re-opening the economy.
Quentin Palfrey is the President of the International Digital Accountability Council. During the Obama administration, he served as senior advisor for jobs & competitiveness in the White House Office of Science & Technology Policy and as deputy general counsel for strategic initiatives at the U.S. Department of Commerce. He previously served as the first chief of the Healthcare Division in the Massachusetts Attorney General’s Office.