Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

The Care States Need to Take with Contact Tracing Apps

As COVID-19 cases surge, there could be growing interest in the technology. But states planning to roll them out need to vet them rigorously for privacy protections and cybersecurity vulnerabilities.

When smartphone contact tracing apps were first rolled out to combat COVID-19, many state and federal officials latched onto the idea as a way to protect public health while still allowing states to open back up. Yet ardor for contact tracing apps has cooled significantly since they were first introduced.

In June, Business Insider asked officials in all 50 states if they planned on incorporating the Apple-Google infrastructure into their own contact tracing apps. Of states that responded to the survey, officials from only three confirmed they were planning to use it. Seventeen states said they were not planning on using contact tracing apps at all, and 19 said they had not made a decision.

However, with nearly half of all states now seeing increases in the number of coronavirus cases, state officials who are on the fence about these apps may find their enthusiasm rising when faced with the prospect of rolling back reopening plans. These officials should take note of the contact tracing apps already rolled out and make sure they vet their own apps rigorously for cybersecurity vulnerabilities and privacy safeguards.

It is not surprising that many officials are going back and forth on whether or not to embrace digital contact tracing. Since their introduction, use of contact tracing apps and other forms of technologically facilitated health surveillance has raised alarms among privacy advocates who fear government abuse.

Most of the privacy debate has revolved around what type of data is being gathered — options include location data, which is far more sensitive, and proximity data, which just records if someone had been near other people — and how the data should be stored. Privacy advocates favor a decentralized approach, where sensitive data is stored on users' phones rather than in a centralized government database. When Apple and Google announced that they were collaborating to develop a decentralized infrastructure that states could use to build contact tracing apps, the privacy advocates seemed to be winning the debate over health surveillance.

However, as people living in the Dakotas found out in May, a good privacy policy may not be enough to protect personal data. The Care19 app, which was built by a North Dakota company incorporating the Apple-Google software and is used in that state and South Dakota, violated its own privacy policy when users' location data was shared with an outside company, Foursquare. While Foursquare, which provides location data for marketers, claims it promptly discards the data, the sloppiness of Care19's vetting process — the app was supposed to have been reviewed rigorously by both Apple and state officials — justifiably raised alarm bells.

A recent study by researchers from Cornell University and MIT found that while most Americans are reluctant to support use of contact tracing apps, in general people were considerably more likely to download and use one if there were stronger privacy protection measures in place. Higher rates of app use are crucial to their effectiveness. But privacy violations such as in the case of Care19 will only make Americans more fearful of using them.

Companies like Foursquare may not be the only third parties interested in accessing user data. Hackers and other bad actors have embraced COVID-19 as an opportunity for all sorts of malicious behavior, and contact tracing apps that debut without adequate data protection will be an appealing target. A report by a software company, Guardsquare, found that many of the contact tracing apps released around the world lacked rigorous cybersecurity safeguards. With that in mind, state officials should make sure they can address all of the potential concerns raised by the cybersecurity company Check Point, including making sure important data is encrypted, before rolling out any contact tracing apps.

In today's increasingly digital world, a person's data is a crucial component of that individual's identity. State officials building contact tracing apps owe it to their constituents to be good guardians of their digital health as well as their physical health.

Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.

A research fellow at the R Street Institute
From Our Partners