For those of you who don鈥檛, or don鈥檛 want to, or hadn鈥檛 even been born yet, let me take you back to the 90s when then-president Bill Clinton signed HIPAA into law. HIPAA was 鈥渄esigned to provide privacy standards to protect patients鈥 medical records and other health information provided to health plans, doctors, hospitals and other health care providers.鈥
HIPAA was a behemoth and complex collection of legislation and created entirely new layers of bureaucracy all the way from the federal government down to the single-practitioner doctor鈥檚 office in the middle of nowhere.
A major component of HIPAA was the privacy rule, which established a set of national standards for the protection of individual鈥檚 health information. According to the U.S. Department of Health & Human Services, 鈥渢he Privacy Rule protects all 鈥榠ndividually identifiable health information鈥 held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.鈥
One of the major purposes of HIPAA was to protect your health information and your privacy.
It seems that the COVID-19 pandemic is another watershed moment in history in which we will have to weigh individual privacy against public health concerns.
Fast forward to 2020 and a world gripped in the throes of a global pandemic and a major health crisis and our privacy is going to be pulled apart at the seams in ways we haven鈥檛 even imagined yet.
For example, last month Apple and Google announced a joint effort to develop a contact-tracing system for tracing the spread of COVID-19, the disease caused by the novel Coronavirus (SARS-CoV-2).
鈥淐ontact-tracing鈥 is the process of identifying people who may have come into contact with an infected person and testing those contacts for infection. It is a time-consuming and imperfect process that has been used by public health workers to try and stop the spread of infectious diseases such as tuberculosis and HIV.
According to Google鈥檚 press release regarding the Apple/Google joint contact-tracing effort, 鈥淪ince COVID-19 can be transmitted through close proximity to affected individuals, public health organizations have identified contact-tracing as a valuable tool to help contain its spread. A number of leading public health authorities, universities, and NGOs around the world have been doing important work to develop opt-in contact tracing technology. To further this cause, Apple and Google will be launching a comprehensive solution that includes application programming interfaces (APIs) and operating system-level technology to assist in enabling contact-tracing. Given the urgent need, the plan is to implement this solution in two steps while maintaining strong protections around user privacy.鈥
Whenever privacy protection is highlighted by a technology company, that鈥檚 a red flag that you鈥檙e going to have to surrender some privacy in order for the new gadget or system to work effectively. If we haven鈥檛 learned this lesson already with the rise of social networking apps, then we never will.
What the Apple/Google partnership鈥攍et鈥檚 just refer to them as 鈥淕oople鈥濃攑lans to build and release is an Application Programming Interface (API) that enables cross-platform interoperability between Android and iOS apps provided by public health authorities. These apps will be available to users via Google Play Store and the App Store.
Android is Google鈥檚 mobile operating system that runs on 52 percent of the world鈥檚 smartphones. iOS is Apple鈥檚 mobile operating system that runs on the remaining 48 percent of the world鈥檚 smartphones. Goople owns the underlying operating system of the world鈥檚 3.5 billion smartphones.
Following the build and release of an API, Goople further announced that they would build 鈥渁 broader ecosystem of apps for government health authorities鈥 that uses Bluetooth to establish an 鈥渙pt-in鈥 contact-tracing network that retains extensive data on phones that have been in close proximity to one another.
According to a white paper on the proposed system, the Bluetooth contact-tracing feature 鈥渨ill only be used for contact-tracing by public health authorities for COVID-19 pandemic management鈥. Goople also states that no personally identifiable information or user location data will be collected and that the 鈥渓ist of people you鈥檝e been in contact with never leaves your phone.鈥 Lastly, they state that 鈥渆xplicit user consent is required.鈥
In other words, the contact-tracing system being developed by Goople will be an 鈥渙pt-in鈥 system.
The problem with an 鈥渙pt-in鈥 system for contact-tracing is the same problem you would have with voluntary shelter-in-place and social distancing efforts. Not everyone鈥檚 going to choose to do that. And if the majority of your population isn鈥檛 practicing social distancing and staying home except for essential activities like buying groceries, then your effort to flatten the curve of a pandemic will be unsuccessful.
This is why some states, including Oregon and California, have mandated shelter-in-place and social distancing with executive orders issued by the governor and enacted fines of up to $1200 for violation of those orders.
Goople鈥檚 contact-tracing system will be rolled out as an 鈥渙pt-in鈥 but will likely prove only partially effective because there will be a large user base that does not download the apps and opt-in.
If that is the case, and I think it will be, then lawmakers will be tasked with determining if public health concerns outweigh consumers鈥 privacy concerns. If that is determined to be the case, then the initial opt-in will become mandatory via legislation and contact-tracing will not be an app you can choose to install or not install on your phone鈥攊t will be integrated into the underlying operating system of your smartphone.
We have already surrendered so much of our privacy in the modern digital age, the rapid erosion of which can be traced back to the September 11, 2001 terrorist attacks on the World Trade Center and the Pentagon. It seems that the COVID-19 pandemic is another watershed moment in history in which we will have to weigh individual privacy against public health concerns. As we have learned with 9/11 and the ensuing Patriot Act, once you give up a piece of your privacy, you never get it back.
Regardless of what the Goopleplex tells us, I can鈥檛 imagine a contact-tracing system being effective without making it mandatory and providing personally identifiable information and location data to public health organizations. This is how contact-tracing has always worked. You have to know who is infected, where they went, and whom they interacted with.
COVID-19 is not the first pandemic we鈥檝e had nor will it be the last. Must privacy die to save the world from these sorts of pandemics through a contact-tracing system that will need to trace our movements and interactions in order to limit the spread of disease? I suspect it might. Brace yourself not just for another pandemic, but an upcoming privacy fight.