Armed Conflict Cybersecurity & Tech

COVID-19 Contact Tracing We Can Live With: A Roadmap and Recommendations

Robert Chesney
Tuesday, April 14, 2020, 12:29 PM

Reopening the economy without medical breakthroughs will require, among other things, enhanced contact tracing. Here’s your road map to the issues, and recommendations should there be “app” legislation.

A member of the Colorado national guard and a volunteer nurse perform a wellness check to a resident at a motel. (Source: U.S. Air National Guard photo)

Published by The Lawfare Institute
in Cooperation With
Brookings

Pressure is mounting to replace community-wide shelter-in-place rules with a more flexible “test-and-trace” system imposing quarantine obligations as much as possible only on people who are infected with the novel coronavirus and those in recent contact with them. To make that switch, though, we need at least two things we currently lack: testing that is ubiquitous, recurring and reliable, and contact tracing that is comprehensive and scalable. Both present a challenge, but I will focus here on enhanced contact tracing. Is there a path forward that will do the job without leaving us with a legacy of lost privacy that we will come to regret?

Don’t We Have a Contact-Tracing System Already?

Yes, but it probably is not scalable and comprehensive enough for the extraordinary challenge presented by COVID-19, the respiratory disease caused by the novel coronavirus.

Contact tracing always plays an important role in public health responses to infectious disease. In particular, public health officials acting as “field investigators” conduct voluntary interviews with infected persons to identify both where they have been during the relevant period and who else might have been in close contact with them. These professionals do amazing (and often unappreciated) work, and they should be celebrated for it. However satisfactory this model may be in conventional infectious disease scenarios, though, it probably is not adequate for COVID-19 at the current time for two reasons.

First, there is a scale issue: Given the current size of the infection pool, we do not have remotely enough field investigators to implement the traditional approach (interviewing relevant persons) with sufficient timeliness and comprehensiveness, nor are we likely to hire and train enough field investigators to close that gap in sufficient time to make enough difference.

Second, it would be unwise to rely exclusively on the voluntary-interview model even if we had enough field investigators to implement it at scale. There are inherent weaknesses with this model, ones that may be tolerable in ordinary settings but that seem awfully risky if we want to rely on contact tracing to help justify widespread relaxation of shelter-in-place rules. As an initial matter, not every infected person will be willing to cooperate fully and in good faith; for some, certain important details may be embarrassing or worse, leading to critical omissions. Even if everyone did their best to be forthcoming, moreover, the fact remains that memories are fallible. And in any event we cannot expect people to be able to identify the strangers who may have been next to them in the grocery store line last week, nor can we expect to reach those strangers effectively by somehow spreading the word in a generalized way about how an infected person was at some particular location around such and such time and date.

To be sure, interviews conducted by field investigators should continue to play a major role in contact tracing, even if other tools are brought to bear as well. But we cannot and should not expect interviews to carry all of the load, at least not if our plan is to roll the dice by reopening the economy before medical breakthroughs have occurred.

The Lure—and the Danger—of Comprehensive Tracing

Before turning to the options for doing more, let’s pause to consider what the ideal outcome might be if we cared about nothing other than enabling a system of scalable and comprehensive contact tracing. And then let’s note the dangers such a system would entail.

The ultimate goal of contact tracing is to identify the complete set of persons at genuine risk of infection due to having been close enough to an infected person (or to having touched a hard surface an infected person touched) during the relevant window of time. Setting aside all competing interests (such as privacy) just for a moment, this suggests that the ideal system would be one that yielded a comprehensive, time-stamped and spatially precise record of everyone’s movements, sustained at least on a rolling basis for a window of time long enough to encompass all reasonable risk of transmission. That is, an ideal system that took account of no offsetting concerns would attempt to assemble a massive “haystack” of location-and-time data, making it possible for someone to quickly yield a comprehensive contact chain stretching back into the past.

But, of course, we cannot and should not simply set aside all competing interests.

A system that does what I just described would be far more dangerous, from a civil liberties perspective, than the intensely controversial (and recently expired) telephone metadata program that the U.S. government established after 9/11 for counterterrorism purposes. Such a system would have extraordinary potential for abuse, whether by those with authorized access to it or by those who might gain access to it in an unauthorized way. The fact that someone went somewhere, or did something, or was with someone else (or just that they plausibly appeared to have done so) could, in theory, be abused to compromise, embarrass, extort or otherwise cause harm. Absent extraordinary safeguards, even the mere existence of such comprehensive life-tracking might have a chilling effect on lawful activities.

With all that kept firmly in mind, let’s turn now to a survey of options for enhancing COVID-19 contact tracing.

What Are the Options for Enhancing Contact Tracing?

Making Interviews Compulsory

As an initial matter, contact-tracing interviews could be made compulsory. Indeed, they can be made subject to perjury penalties, with civil or even criminal sanctions for those shown to have made material misstatements or omissions. This would do nothing to solve the scalability problem noted above, however, nor would it overcome the practical limits of memory and knowledge. If something more than the status quo is truly needed, making interviews compulsory will not be sufficient.

Accessing Existing Sources of Data Held by Third Parties

Some amount of location-relevant information already exists in the hands of various third parties. Examples include cell-site location information held by telecom companies, location data collected by any number of apps that may be on a person’s phone, credit card usage data held by card providers, purchase data held by banks and so forth (parents of teenagers might pause here to think about the data held by Life360). Again, however, scalability is a problem. Even assuming that authorities are willing to employ some combination of warrants, subpoenas or the like, the amount of time and paperwork needed to activate those mechanisms and to compile and correlate the results would be daunting. Insofar as government agents attempt to rely on authorities other than warrants for this purpose, moreover, they may encounter Carpenter-based claims that the Fourth Amendment requires the use of a warrant (see here for a discussion of this point from Alan Rozenshtein). Litigation on that point would likely outlast the period within which the information is most needed.

There’s an App for That: Voluntary Logging of Contacts

In recent days the headlines have been filled with stories about apps being custom built to enable people, voluntarily, to generate records of their close-proximity contacts. Most of these stories concern efforts to exploit Bluetooth for this purpose. Our devices typically are chirping at one another to identify Bluetooth connections anyway, after all, and the effective range is (relatively) limited and thus could serve as a decent-if-imperfect proxy for the degree of proximity to an infected person that might justify concern. News from Apple and Google last Friday underscored that this approach has considerable momentum: The companies are cooperating to facilitate it in a variety of ways, including increased interoperability and plans to pave the way toward a “broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms.” (See here for more details.)

The general idea with “app models” for enhancing contact tracing is that everyone’s phones (not some central government register) will carry the requisite history of unique contacts identified by Bluetooth. Then, with a proper certification of infection by a medical authority (for we don’t want people to have the ability to self-select such status, lest we empower them to make false claims and thereby trigger quarantines unnecessarily), those other contacts could be sent some form of notification and, perhaps, a corresponding request (or even a directive) that they self-quarantine for two weeks.

The virtue of this approach is that it depends on voluntary consent, thus eliminating legal concerns and reducing privacy objections (though some objections might linger, especially if measures to secure the resulting data are weak). But can this approach actually deliver the goods? There are at least a few obstacles.

The first problem is uptake. For this approach to work, a large proportion of the population must download the app and then make sure to keep their phones on their person whenever moving about. That’s not an impossible goal, but it’s no sure thing either. For starters, not everyone has a phone capable of running such an app. Among those who do, not everyone will download the app. Among those who do, not everyone will carry their phone with them everywhere. Obtaining the requisite density to allow such a system to have a major impact, in short, might prove extremely difficult to achieve on a purely voluntary basis.

The second problem is that this approach is both overinclusive and underinclusive. It is overinclusive insofar as it tends to snare “contacts” in situations that, if the details were only known, would not warrant inclusion. Most notably, the app would have no way to know that the other person at the relevant time was wearing personal protective equipment sufficient to eliminate serious risk of infection. This would not be a problem if the upshot of their app-connection is just a notification (with relevant information about the day and time) rather than a binding directive to self-quarantine, at least so long as the information provided is sufficient for the person who receives the notice to recall that he or she was wearing protective equipment at the relevant time. If the information is too sparse to enable that judgment, however, or if the passage of time makes it too hard for that person to recall the circumstances, the result still might be an unnecessary round of self-quarantine.

Separately, this approach is underinclusive in that the app would not address a distinct but important infection-risk scenario: asynchronous transmission via hard surfaces. For example, imagine that the infected person touches the door to a restaurant with bare hands, and then leaves after picking up some food. Ten minutes later, another person arrives and touches the same surface, also with a bare hand. Their apps would not connect, yet nonetheless there would be a real risk of infection. An app designed to capture contacts, but not locations, would not result in a notification.

There’s Another App for That: Voluntary Logging of Contacts and Also Location

To address the asynchronous transmission-risk scenario, the voluntary app model could be adapted to include location tracking as well. Obviously, however, this would substantially increase the sensitivity of the resulting information, deepening anxieties about how it might be abused and thus likely also reducing voluntary uptake.

There’s an App for That…and You Must Use It: Mandatory and Incentive Models

One could go further, of course. Legislation could mandate the use of a data-collection app, and it could even require good-faith efforts to have a phone with you and powered-on when outside your own home. This would collect the most information, but with the highest risk of offsetting harms.

Notably, it is not clear that such legislation could be enacted at the federal level, as a constitutional matter. It likely would generate a Sebelius-style challenge, with litigants contending that it amounts to the mandatory use of a product akin to the mandatory purchase of health insurance under the Affordable Care Act. The Supreme Court held in Sebelius that Congress cannot rely on its Interstate Commerce authority to command individuals to engage in a commercial purchase when they would otherwise do no such thing, and even rejected the idea that such an authority can be derived from the Necessary and Proper Clause due to the critical role such purchases played in support of the larger, otherwise-constitutional insurance rules established by the statute. Might the same be true here? True, the requirement to download and use an app for public-health data-collection purposes is not in itself necessarily best viewed as a commercial activity. But then again neither was the must-eat-broccoli hypothetical that Chief Justice John Roberts used to illustrate the dangers of empowering Congress to make us take affirmative actions. Sebelius might best be read as a broad rule against federal legislative authority to compel affirmative activity, not just one barring statutory obligations to buy things.

If that’s correct, then Congress might instead draw further insight from Sebelius, relying on its powers to tax and spend for the general welfare in order to create a strong incentive—either a carrot (for example, a tax deduction) or a stick (a tax)—to download a data-collection app. This would shift the app model closer to the voluntary model previously described, at the cost of losing some unpredictable amount of uptake.

States, notably, would not face this same hurdle and could directly mandate use of a data-collection app. Unlike Congress, they possess general legislative powers including the “police power” to legislate for, among other things, public health reasons.

In the Event of Legislation Involving a Data-Collection App, What Safeguards Are Needed?

Let’s assume that authorities at the state or federal level decide to pursue legislation promoting the use of some form of data-aggregating app. It will be critical to take steps to protect against abuse, both because that is important in itself and because a failure to take such steps will reduce compliance and thus undermine the public health goals that would justify any such effort in the first place.

Here are four elements that any such legislation should include:

Sunsets

For starters, any such legislation must have a firm and rapid sunset. If the program is helpful and the threat continues, it is reasonable to expect reenactment. But otherwise no such program should exist. A six-month sunset would be a good place to start. Bonus points for requiring the app be designed to auto-delete itself after a certain period of time, absent renewal.

Data-Deletion Deadlines

Legislation can require that the data collected by the app should be expunged from the host device (I’m assuming here that the data is stored only locally on the device) in an automatic and verifiable way after some specific period of time (say, one month). If the data exists only to support COVID-19 contact tracing, it should exist only for so long as it plausibly is useful toward that specific end.

Access Limits

Further to that last point: If concerns remain about government agencies seeking to exploit contact-tracing data for non-public-health purposes, legislation can simply forbid such efforts altogether.

Not Just “Oversight”: Real-Time Auditing and Public Reporting

Any legislation compelling use of a data-collection app should include a bespoke system of oversight, but not just the routine sort in which some entity is charged in a general way with monitoring and reporting just to Congress or an agency head. Instead, an entity such as an inspector general should be charged with responsibility for auditing the functioning of the system on an ongoing basis, with a requirement of detailed contemporaneous reporting (say, monthly) regarding the results to an array of entities including the director of the Centers for Disease Control and Prevention; Congress; and, most notably, the public.


Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.

Subscribe to Lawfare