Senators Plan COVID-19 Data Protection Bill

As technology companies develop plans for contact tracing apps and methods for mining data to identify infection trends for COVID-19, a group of Republican senators is planning to introduce a bill that would impose new restrictions on how companies handle consumer health data and what they’re allowed to do with it, along with requirements for enabling people to request the deletion of their data.

The new bill would include several separate provisions to regulate the collection, storage, usage, transfer, and deletion of health and location data specifically related to virus infection tracing. Several different contact tracing proposals have been put forward in the last few weeks, the most prominent being the collaboration between Apple and Google. The two companies published a framework for a system that would use Bluetooth on mobile devices to enable people to broadcast and listen for a beacon. The app would use Bluetooth signal strength to measure the distance between given devices, and if the devices are in close proximity for more than a set amount of time, the app would record the event. If one of those people later becomes infected, she could choose to report the diagnosis and the system could then notify the owners of devices that were in close contact with her during the contagious period.

There are myriad privacy considerations involved with this approach, a fact that is not lost on Google and Apple engineers. The companies have laid out a comprehensive scheme for ensuring anonymity and confidentiality, including rotating the identifiers that a device broadcasts every fifteen minutes and not storing contact information in a central database. The system is still in the early stages, but Apple and Google this week released the first version of the API for it to developers.
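A simplified model of the flow described above, as an added Python example that is not Apple's or Google's code and does not follow their published specification. The HMAC-based identifier derivation, the path-loss constants, the 2 m range, and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ROTATION_SECONDS = 15 * 60   # identifiers rotate every fifteen minutes (per the article)
MAX_DISTANCE_M = 2.0         # assumed "close proximity" cutoff
TX_POWER_DBM = -59           # assumed RSSI at 1 m
PATH_LOSS_EXPONENT = 2.0     # assumed free-space propagation

def rolling_id(daily_key: bytes, t: int) -> bytes:
    """Derive the identifier broadcast during the 15-minute interval containing t."""
    interval = (t // ROTATION_SECONDS).to_bytes(8, "big")
    return hmac.new(daily_key, interval, hashlib.sha256).digest()[:16]

def estimate_distance_m(rssi_dbm: float) -> float:
    """Log-distance path-loss estimate of range from Bluetooth signal strength."""
    return 10 ** ((TX_POWER_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))

class Device:
    def __init__(self, daily_key: bytes = b""):
        self.daily_key = daily_key or os.urandom(16)  # stays on the phone unless reported
        self.heard = {}  # rolling id -> timestamps heard in range; kept on-device only

    def broadcast(self, t: int) -> bytes:
        return rolling_id(self.daily_key, t)

    def listen(self, beacon: bytes, t: int, rssi_dbm: float) -> None:
        if estimate_distance_m(rssi_dbm) <= MAX_DISTANCE_M:
            self.heard.setdefault(beacon, []).append(t)

    def exposure_seconds(self, reported_key: bytes, day_start: int, step: int) -> int:
        """Re-derive a reported key's 96 daily identifiers and match them locally."""
        ids = {rolling_id(reported_key, day_start + i * ROTATION_SECONDS) for i in range(96)}
        return step * sum(len(ts) for rid, ts in self.heard.items() if rid in ids)

def simulate():
    """Constructed scenario: Bob stays 1 m from Alice for 20 minutes, Carol 10 m away."""
    alice, bob, carol = Device(), Device(), Device()
    step = 60  # one beacon sample per minute
    for t in range(0, 20 * 60, step):  # spans one identifier rotation at t=900
        beacon = alice.broadcast(t)
        bob.listen(beacon, t, rssi_dbm=-59)    # about 1 m
        carol.listen(beacon, t, rssi_dbm=-79)  # about 10 m, ignored
    # Alice later chooses to report her diagnosis by publishing her daily key.
    return (len(bob.heard),
            bob.exposure_seconds(alice.daily_key, 0, step),
            carol.exposure_seconds(alice.daily_key, 0, step))

if __name__ == "__main__":
    print(simulate())
```

Bob's phone stores two unrelated-looking identifiers for the same neighbour and can only link them to one person once that person's key is published; the matching happens on the device, so no central database of contacts is needed.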

“Privacy, transparency and consent are of utmost importance in this effort, and we look forward to building this functionality in consultation with interested stakeholders,” Google and Apple said in a joint statement about the system, which was published in mid-April.

The COVID-19 Consumer Data Protection Act is sponsored by Sens. John Thune (R-S.D.), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.), and it would require any company regulated by the Federal Trade Commission “to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.”

State attorneys general would have the authority to enforce the measure, which also includes requirements for companies to notify consumers at any point of data collection how that information will be used, stored, and transferred, and how long it will be stored.

“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important,” said Thune. “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”

The bill lands in an environment that has little in the way of precedent in terms of public health and no precedent at all in terms of the volume and variety of data collection. Privacy advocates have expressed concerns about the potential for what seems like a temporary diminution of privacy to become a permanent one if tracking and tracing becomes the norm.

“Thus proximity app developers must be sure they are developing a technology that will preserve the privacy and liberty we all cherish, so we do not sacrifice fundamental rights in an emergency. Providing sufficient safeguards will help mitigate this risk. Full transparency about how the apps and the APIs operate, including open source code, is necessary for people to understand, and give their informed consent to, the risks,” the Electronic Frontier Foundation said in a post.

In addition to the notice, consent, and other requirements, the proposed bill also would direct companies to give people the ability to opt out of any collection, storing, or transfer of their health, location, and proximity data.