Apple and Google’s ambitious Covid-19 contact tracing plan creates a tempting target for cybercriminals looking for sensitive health data to find out who’s been infected with the coronavirus.
The companies have acknowledged the security risk in a tracking system potentially involving the personal data of millions of people. They’re building in a range of security measures, including anonymous identifiers and encryption keys that change every 15 minutes.
Still, beleaguered public health agencies in the program, without the tech giants’ resources and know-how, could violate common law standards and face costly litigation if they’re not careful about their data protection measures, privacy attorneys and former U.S. officials say.
Health agencies are “understaffed and under-resourced because they are fighting a pandemic,” said Joe Stuntz, who served on President
Cybercriminals might be able to tie the anonymized private data back to specific individuals, including corporate and government officials, according to academics, attorneys, and former FTC officials. That could be a problem for health agencies which could face claims for being negligent in security protection or breaching contracts with users who uploaded their Covid-19 data.
“Let’s be conscientious of the potential for hacking to generate lists of people with Covid,” said James Hodge Jr., a health law professor at Arizona State University’s Sandra Day O’Connor College of Law. “We have that with public health data surveillance.”
Sometimes anonymized data isn’t a “silver bullet” to guard information, because it can be combined with data on social media and other online records, said Stuntz, director of federal and platform at encryption company Virtru Inc.
To be sure, the risk may be worth it to slow the pandemic that’s killed at least 129,000 people globally and caused millions of U.S. job losses. Contact tracing, along with widespread testing and effective quarantine measures, is seen as critical to slow the virus and reopen schools and businesses.
The effort by Apple Inc. and Alphabet Inc.'s Google is just the most high-profile of several tracking systems that emerged to fight the virus.
North Dakota repurposed an app called The Bison Tracker, originally designed to help football fans follow their team, to let users who test positive for the virus upload their location information to the state’s health department.
Massachusetts has teamed up with nonprofit Partners in Health to create a community tracing program to help track the contacts of Covid-19 positive patients. Developers in the U.K., Germany, and other countries also are working on apps to track people exposed to Covid-19.
Apple and Google plan to set up their tracing system in two phases. The companies will first create by mid-May an application programming interface for public health authorities’ apps to allow anonymous virus information sharing between iPhones and Android devices.
The system taps into Bluetooth technology so Apple and Android devices can anonymously communicate with each other. Two people coming into close contact would have their phones share anonymous identifiers with each other to log that encounter.
If one of the people gets a positive Covid-19 diagnosis, he or she would enter the results into a public health agency application. With consent, a log of the other mobile devices the person came in close contact with is stored on a server for 14 days. The other person’s phone would then check the server periodically to see if it has been in close contact with someone with Covid-19 and send an alert about how to self-isolate.
Apple and Google also plan to build contact tracing capability directly into their phone operating systems to help users detect when they are physically near someone who has tested positive.
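The flow described above, written out as a runnable model so the moving parts are visible. This is an added, constructed illustration and not Apple’s or Google’s code or specification: the HMAC-based identifier derivation, the per-day key, the decision to publish day keys (from which other phones re-derive identifiers locally and match against their own encounter log) and the 14-day pruning are all assumptions made for this example, and the real protocol’s key schedule and upload format differ.

```python
"""Simplified model of a Bluetooth exposure-notification flow.

Constructed illustration only (not the Apple/Google specification).
Assumptions: one random key per day, a 15-minute rolling identifier
derived with HMAC-SHA256, and a server that stores only published
day keys for 14 days.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVAL_SECONDS = 15 * 60          # identifiers rotate every 15 minutes
INTERVALS_PER_DAY = 24 * 60 // 15   # 96 intervals per day
RETENTION_DAYS = 14                 # phones and server keep 14 days


def interval_number(timestamp: int) -> int:
    """Global 15-minute interval index for a Unix timestamp."""
    return timestamp // INTERVAL_SECONDS


def day_number(timestamp: int) -> int:
    """Day index for a Unix timestamp (86400 s = 96 intervals)."""
    return timestamp // 86400


def rolling_identifier(day_key: bytes, interval: int) -> bytes:
    """Anonymous identifier broadcast during one interval.

    Without the day key an observer cannot link two identifiers
    to each other or to a device; with it, anyone can re-derive them.
    (Assumed derivation; the real protocol uses a different one.)
    """
    msg = interval.to_bytes(8, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    day_keys: dict = field(default_factory=dict)   # day -> 16-byte key
    observed: list = field(default_factory=list)   # (interval, identifier)

    def key_for(self, timestamp: int) -> bytes:
        day = day_number(timestamp)
        if day not in self.day_keys:
            self.day_keys[day] = os.urandom(16)
        return self.day_keys[day]

    def broadcast(self, timestamp: int) -> bytes:
        return rolling_identifier(self.key_for(timestamp), interval_number(timestamp))

    def record(self, timestamp: int, identifier: bytes) -> None:
        """Log an identifier heard over Bluetooth; the log never leaves the phone."""
        self.observed.append((interval_number(timestamp), identifier))

    def diagnosis_upload(self, now: int) -> dict:
        """With consent: only the last 14 days of day keys are published."""
        cutoff = day_number(now) - RETENTION_DAYS
        return {d: k for d, k in self.day_keys.items() if d >= cutoff}

    def check_exposure(self, published: list) -> bool:
        """Re-derive identifiers from published keys and match locally,
        so the server never learns who was exposed."""
        seen = set(self.observed)
        for day, key in published:
            start = day * INTERVALS_PER_DAY
            for i in range(start, start + INTERVALS_PER_DAY):
                if (i, rolling_identifier(key, i)) in seen:
                    return True
        return False


def encounter(a: Phone, b: Phone, timestamp: int) -> None:
    """Two phones in range exchange and log each other's current identifier."""
    a.record(timestamp, b.broadcast(timestamp))
    b.record(timestamp, a.broadcast(timestamp))


@dataclass
class Server:
    published: list = field(default_factory=list)  # (day, key) pairs only

    def accept(self, upload: dict, now: int) -> None:
        self.published.extend(upload.items())
        cutoff = day_number(now) - RETENTION_DAYS
        self.published = [(d, k) for d, k in self.published if d >= cutoff]

    def download(self) -> list:
        return list(self.published)


def simulate() -> dict:
    """Constructed scenario: alice meets bob recently and carol 20 days ago."""
    t0 = 1_600_000_000
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    encounter(alice, carol, t0 - 20 * 86400)   # beyond the retention window
    encounter(alice, bob, t0 + 3600)           # recent encounter
    now = t0 + 2 * 86400
    server = Server()
    server.accept(alice.diagnosis_upload(now), now)  # alice is diagnosed
    keys = server.download()
    return {
        "bob_exposed": bob.check_exposure(keys),
        "carol_exposed": carol.check_exposure(keys),
        "upload_days": len(alice.diagnosis_upload(now)),
        "identifiers_rotate": alice.broadcast(t0) != alice.broadcast(t0 + INTERVAL_SECONDS),
        "stable_within_interval": alice.broadcast(t0) == alice.broadcast(t0 + 60),
    }


if __name__ == "__main__":
    print(simulate())
```

The point for a health authority building on top of such a mechanism: the only data that leaves a phone in this model is a set of random keys, and the server cannot tell who was exposed. The re-identification risk the article describes arises when an app layered on top stores names, locations or photos alongside those records; the model is only as anonymous as the least careful component that handles it.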
The companies say they plan strong privacy protections for the system and will update security practices with feedback from institutions, organizations, and the private sector. They say they won’t combine contact tracing information with other data sets and that they won’t see the information that public health authorities collect.
Public health authorities could increase their exposure by collecting more data than needed or beyond their technical capacity. That could create a lucrative data set for cybercriminals that could combine coronavirus data with other sensitive personal information.
A public health authority “can collect any information it chooses to—as it will just be an app that the CDC or whoever builds for the users to download,” said Ashkan Soltani, former FTC chief technologist during the Obama administration.
Anyone “can link the proposed contact tracing beacons laid out in the Google/Apple framework to external information, such as photos/videos or other signals one could collect while the individual is in possession of their phone,” Soltani said.
Common law claims are the biggest risk to public health authorities after a data breach. Authorities can face lawsuits that allege their negligence led to a data breach. They can also face breach of contract suits for not upholding security protections promised in privacy policies, attorneys said.
Public health authorities are bound by any “promises they make in their contact tracing applications’ terms and conditions,” Mark McCreary, co-chair of Fox Rothschild’s privacy and data security practice, said.
Public health authorities will also have to grapple with data security questions in developing their apps.
“The main thing I would be thinking about if I was a public health agency is not specifically ‘Is there a specific law I’m going to violate?’” Kirk Nahra, co-chair of Wilmer Cutler Pickering Hale and Dorr LLP’s privacy and cybersecurity group, said. “It’s ‘Am I ready to handle this information in a way that isn’t going to create other problems for me or these people?’”
Wide Legal Risks
Companies whose data is breached could also face lawsuits under state consumer protection laws for not having reasonable security. Data breach suits allege negligence and breach of contract claims.
People suing over a contact tracing data breach would have a tough time winning cases, as they must prove specific harm. But litigation expenses and reputation damage alone make it a costly consequence for companies if something goes wrong.
“People file lawsuits all the time,” Nahra said. “If there’s not a way to allege an actual injury, those lawsuits typically fail.”
The FTC Act and some state laws require companies to use reasonable security to protect data. Businesses also have to uphold promises they make in their privacy policies.
Companies’ conduct can’t be “inconsistent with their privacy policies,” said Alysa Hutnik, chair of Kelley Drye & Warren LLP’s privacy and information security practice.
Storing data that can be potentially linked to an individual can bring liability if it is inadvertently disclosed, said Joseph Facciponti, privacy and cybersecurity counsel at Murphy & McGonigle.
Apple and Google could also face federal and state regulatory scrutiny if data is breached and is not properly de-identified, attorneys and former officials said.
Limiting themselves initially to offering an API for health authorities doesn’t “totally absolve Google and Apple,” said Justin Brookman, director of consumer privacy and technology policy at Consumer Reports and a former Federal Trade Commission policy director.
The companies’ security protocols for the system “could invite scrutiny” if they say “one thing but the behavior is something else,” Brookman said.
—With assistance from Alexis Kramer