An unprecedented wave of personal data could be heading to federal agencies
The response to the coronavirus pandemic has put tech and telecom companies in a position where they can disclose, without individuals’ consent, large amounts of data about them to the federal government — a fact that has privacy experts on high alert.
The Stored Communications Act and other parts of federal law include emergency exceptions permitting companies’ release of personal data for government experimentation. This comes at a time when the White House is asking for more data to track the spread of COVID-19, a national emergency.
“We’ve never had a system on the backend to limit what the government does to it,” Gidari said during an Information Technology & Innovation Foundation webinar on Wednesday.
The government has no way under existing law to compel Google or Facebook to disclose location information to fight a pandemic, but the public is left to trust that if the companies do so voluntarily, they do so responsibly. It’s unclear exactly how much the major Silicon Valley companies and telecom giants are sharing. Geolocation and health data are the primary types at issue, and the government has a number of public-private partnerships with telecom, application and data storage providers it can use to leverage that information to map physical distancing and predict future hotspots.
Depending on the provider, that data can be “extremely precise,” Gidari said.
“The challenge is it seems to be a little all over the place, and there’s a lack of transparency as to the data sources,” Heather Federman, vice president of privacy and policy at BigID, told FedScoop.
Initially there were rumors the government wanted to leverage Facebook and Google’s location data to map the spread of COVID-19, but it turned out the Centers for Disease Control and Prevention was tracking people’s anonymized movements by working with third-party ad companies, Federman said.
Such companies have troubled privacy advocates for years, but they largely went ignored when they were simply targeting health ads to gym-goers, she said. Now they’re potentially working with the government.
‘A bad party guest’
The massive relief package signed into law March 27 gives the CDC $500 million for a coronavirus “surveillance and data collection system,” but there’s no mention of privacy guidelines — only a requirement to report back to Congress in a month. Will the CDC be expected to relinquish that authority when the pandemic ends?
“We are very concerned that governments are apt to find any excuse they can to get their foot into the door of the massive stores of data that the private sector holds and use that data for all sorts of law enforcement purposes,” said Peter Micek, general counsel at Access Now. “Surveillance is a bad party guest that stays much longer than you welcome it for.”
Public health experts should be leading the discussion on what data is absolutely necessary to mitigate the pandemic and crafting written agreements that limit data sharing and retention, Micek added.
The historical precedent for the government seeking more data, only to use it for other purposes, is 9/11. “Massive” data collection programs painted as essential to fighting terrorism brought in more information than agencies could even use, said Rachel Levinson-Waldman, senior counsel for the Liberty and National Security Program at the Brennan Center for Justice.
The National Security Entry-Exit Registration System interviewed men from Arab countries, which was “obviously discriminatory on its face,” without producing any prosecutions, Levinson-Waldman said.
Some of the Patriot Act’s surveillance programs persist today.
“When you’re talking about agencies getting this information that have the power to prosecute, the power to surveil, the power to detain and deport, you want there to be a high bar,” she said. “Is this administration likely to pay close attention to concerns about privacy and downstream use? No.”
States could potentially step in and address such concerns given that they’re doing much of the initial data collection, Levinson-Waldman said.
But several states have also floated coronavirus legislation that would require people identified as needing to quarantine to download an app reporting their location — raising more privacy concerns, Gidari said. Alternatively, New York City is having residents self-report coronavirus conditions for public health use exclusively.
A European approach to data privacy, akin to the General Data Protection Regulation, is needed in the U.S., privacy advocates say, but federal regulators and legislators haven’t acted. Privacy definitions in current laws are too general and too easily circumvented to be meaningful, Gidari said.
“If you really want to unleash innovation in the tech sector to address problems like pandemics on that scale, you need to eliminate the fear of the long tail of the data,” he said. “And so if you could do anything by rule — [Department of Health and Human Services], [Federal Communications Commission] — they could immediately solve this problem of the fear by prohibiting any secondary use of the data outside the public health administration.”
Multiple pieces of oversight
Unfortunately, the U.S. approach to privacy is sector-specific, meaning multiple rules would need to be issued, Federman said.
The FCC handles broadband and location data from the telecom industry, while the Federal Trade Commission has more jurisdiction over Google, Facebook and the third-party ad tech companies peddling different kinds of location data. HHS could address health data privacy, and there’s also the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act and the Gramm-Leach-Bliley Act covering financial privacy to contend with.
“I’m hoping that this may prove that we do need to get a federal privacy law on the books, now more than ever, because in some ways Europe was more prepared to handle this,” Federman said. “Their law, the General Data Protection Regulation, has actual language about a public health crisis and what personal data processing rights apply. We don’t have that here.”