Ryan M. Yonk / April Liu
The COVID-19 pandemic is the first truly global pandemic where personal phones and devices are “smart” enough to make mass surveillance of the population possible. This technological reality led to the rapid recognition by governments around the world that these devices could be used to identify and track case trends of the disease. As the pandemic grew, the most common public policy approach to controlling its spread was to mandate health status reporting and limit personal movement. As a result, throughout the developed world, rapid increases in the use of these technologies led to the evolution from manual contact tracing to Digital Contact Tracing (DCT), in the form of voluntary apps.
Apple and Google (“Gapple”) collaborated to design the first wave of DCT systems in the spring of 2020. Their technology, announced on April 10, 2020, “promised to scale to cover entire populations automatically rather than just small disease clusters – a distinct advantage for tracking a fast-spreading disease.” Over a year later, the so-called “Gapple” system was adopted by the vast majority of US States and EU members. Shortly after, a group of 300 international scientists published a joint statement arguing for a decentralized data storage approach (DP-3T) to DCT systems, publicly endorsing “Gapple’s” decentralized Exposure Notification system. By May 2020, only about ten percent of the total US population had voluntarily opted into DCT technologies. Later, in September 2020, Apple released a system update that automatically installed DCT into users’ phones, allowing them to opt in or out.
The mass governmental adoption of DCT systems prompted concern amongst privacy experts and consumers. Not only was DCT largely ineffective, it also reinforced citizens’ existing lack of trust toward government, big tech companies, and public health organizations. The lack of transparency in DCT app implementation and deployment reinforced the view that consumer data is seen as a commodity in the US, and that privacy concerns are at best secondary considerations when digital technologies are used.
DCT App Implementation and Digital Health Privacy
The implementation of COVID-19 DCT apps provides a useful case study of today’s digital health tracking-centered landscape. One of the realities consumers are concerned with when they engage with the digital world is the question of privacy. While there are other factors that impact technology use, privacy concerns are the most dominant of these factors and consistently impact consumers’ willingness to use digital products, as was the case with contact tracing apps. A June 2020 survey found that 71 percent of respondents said they wouldn’t use contact tracing apps, citing privacy as the primary reason.
To overcome those concerns, consumers would have to view the risk to privacy as lower than the risk of failing to download an app they perceived to be released by the government. That’s a difficult standard in any time, but doubly so when that government is implementing lockdown and isolation measures.
Citizens have to engage in a Privacy Calculus, deciding between the tradeoffs of providing access to their personal data and losing out on benefits from using the technology. In this instance, that calculus led to uptake rates that varied heavily across states. Arizona and North Dakota saw uptake rates of 1.2 percent and 1.4 percent, respectively, while Connecticut and Hawaii saw uptake rates of 37.8 percent and 45.7 percent.
To convince citizens to download the DCT apps, the government would have to take the right steps to maximize trust. This would include complete transparency regarding how apps would be implemented, consistency, interoperability of apps, and data minimization, little of which occurred.
This more centralized attempt to develop a single DCT by “Gapple” not only led to resistance by individuals, but also gave birth to a set of alternatives that all attempted to enter the market place. A overwhelming number of DCT apps were circulating in different institutions, such as private and public universities, and these were often developed to mandate or encourage DCT among a constituent population. For example, California implemented its own state app, CA Notify, whilst the UC public institutions created a UC App Consortium. Columbia University also piloted its own campus-based app in partnership with Tech:NYS despite the state of New York’s releasing its NYS ENX app. The University of Pennsylvania introduced its PennOpenPass COVID-19 symptom tracker, while the state of Pennsylvania implemented its COVID Alert PA app (which has since been deleted as of July 27, 2022). These are only a few examples of attempts to create hyper-localized DCT Apps.
The privacy concerns of these apps mirrored, or in some cases exceeded, those of the “Gapple” app. UCSF reportedly donated location data and health history through the Eureka app. DCT apps like MassNotify were simply downloaded into individuals’ phones and turned on without prior notice. This new innovation, called Exposure Notification Express (ENX), reportedly “made it much faster for states to spin up apps, and… invited millions of iPhone users to avoid downloading anything at all” by simply giving them the option to activate notifications by flipping a switch in their phone settings. States that effectively implemented ENX saw a huge boost in participation rates, notwithstanding whether this was voluntary. Hawaii, for example, saw its users more than double following ENX execution.
DCT apps and their deployment reinforced Americans’ lack of trust towards the government. In a 2021 survey by the Harvard T.H. Chan School of Public Health, only 52 percent of Americans expressed high levels of trust in the CDC. Similarly, a Washington Post and University of Maryland survey conducted after the DCT app announcement showed that 56 percent of Americans didn’t trust big tech companies on data privacy. The lack of trust and reluctance to provide information are evident in the results of both manual and digital contact tracing. In 2020, over 50 percent of Americans who tested positive in some parts of the US gave no details for close contacts when asked.
Gaining Trust is Easier Said Than Done
An October 2019 report by the Johns Hopkins Center for Global Health Security and the Nuclear Threat Initiative concluded that the US was the country best prepared to handle a pandemic. In reality, 23 percent of the world’s recorded COVID cases have occurred among Americans, despite the US accounting for just over 4 percent of the world’s population.
The US’ faulty response and poorly implemented technological “solutions” to COVID-19 is not a surprise. The competing incentives faced by elected and public officials leave open many opportunities for misinterpreting how citizens view their digital privacy, as a result failing in their overall policy goals. Policy makers like the NIH and CDC, and a host of elected and appointed officials, viewed tracking COVID-19 spread as the primary policy goal, and focused on that goal to the exclusion of virtually everything else, forgetting the privacy concerns of citizens. As a result, responses to those concerns were stilted, haphazard, and condescending. Consumer trust isn’t gained by simply saying, as Apple did, that “what happens on your iPhone, stays on your iPhone.” Instead, government officials and big tech alike should take seriously that with the rise of big data comes a corresponding concern about privacy and transparency. Both would do well to remember President Ronald Reagan’s admonition about the nine most terrifying words in the English language. “I’m from the Government, and I’m here to help.”