The COVID-19 pandemic is the first truly global pandemic where phones and personal devices are “smart” enough to make mass surveillance of the population possible. This technological reality has led to the rapid recognition by governments around the world that these devices can be used to identify and track disease status trends. As the pandemic has grown, the most common public policy approach to controlling its spread has been to enforce reporting of health status and limit personal movement. As a result, throughout the developed world, rapid increases in the use of these technologies have led to the evolution from manual contact tracing to digital contact tracing (DCT), in the form of voluntary applications.
Apple and Google (“Gapple”) teamed up to design the first wave of DCT systems in the spring of 2020. Announced on April 10, 2020, their technology “promised to automatically scale up entire population groups rather than just small disease groups — a distinct feature of tracking A rapidly spreading disease. More than a year later, the so-called “Gapple” system has been adopted by the vast majority of US and EU member states. Soon after, a group of 300 international scientists published a joint statement calling for a decentralized data storage (DP-3T) approach for DCT systems, and publicly supported the decentralized exposure notification system “Gapple”. By May 2020, only about ten percent of the total US population has voluntarily chosen DCT technologies. Later, in September 2020, Apple released a system update that automatically installed DCT in users’ phones, allowing them to opt in or out.
The massive government adoption of DCT systems has sparked concern among privacy experts and consumers. Not only has the DCT been largely ineffective, it has also reinforced citizens’ current mistrust toward government, big tech companies, and public health institutions. The lack of transparency in the implementation and deployment of the DCT app has reinforced the view that consumer data is viewed as a commodity in the United States, and that privacy concerns are at best secondary considerations when digital technologies are used.
DCT implementation and digital health privacy
The implementation of the COVID-19 DCT applications provides a useful case study of today’s landscape focused on digital health tracking. One of the facts that consumers care about when they interact with the digital world is the issue of privacy. While there are other factors that influence the use of technology, privacy concerns are the most dominant of these factors and consistently influence consumers’ desire to use digital products, as has been the case with contact tracing apps. A June 2020 survey found that 71 percent of respondents said they would not use contact tracing apps, citing privacy as the main reason.
To get around these concerns, consumers will have to view the risks to privacy as less than the risks of failing to download an app that they believe has been released by the government. This is a tough standard at any point in time, but doubles as that government implements lockdown and isolation measures.
Citizens have to engage in a privacy calculus, choosing between the trade-offs of providing access to their personal data and losing out on benefits from using technology. In this case, calculus has resulted in assimilation rates that vary widely across states. Arizona and North Dakota saw absorption rates of 1.2 percent and 1.4 percent, respectively, while Connecticut and Hawaii saw absorption rates of 37.8 percent and 45.7 percent.
To convince citizens to download DCT apps, the government will have to take the right steps to increase trust. This may include complete transparency regarding how applications are implemented, consistency, application interoperability, and data minimization, many of which haven’t happened.
This most central attempt to develop a single DCT by “Gapple” not only led to individual resistance, but also spawned a host of alternatives that all attempted to enter the market. An enormous number of applications of DCT have been circulated in various institutions, such as private and public universities, often developed to enforce or encourage DCT among the constituent population. For example, California implemented its own state application, CA Notify, while UC Public Institutions created the UC Applications Consortium. Columbia University has also piloted its campus-based application in partnership with Tech: NYS though New York State has launched the NYS ENX application. The University of Pennsylvania introduced the PennOpenPass COVID-19 symptom tracker, while Penn State implemented the COVID Alert PA (which has since been deleted as of July 27, 2022). These are just a few examples of attempts to create highly localized DCT applications.
The privacy concerns of these apps mirrored, or in some cases exceeded, those of the “Gapple” app. UCSF has reportedly donated location and health history data through the Eureka app. DCT apps like MassNotify are simply downloaded into people’s phones and run without prior notice. This new innovation, called Exposure Notification Express (ENX), is said to have “made it much faster for countries to rotate apps, and… called on millions of iPhone users to avoid downloading anything at all” by simply giving them the option to activate notifications on By flipping a toggle in their phone’s settings. Countries that have effectively implemented ENX have seen a significant increase in participation rates, regardless of whether this is voluntary. Hawaii, for example, has seen its users more than double after implementing ENX.
DCT’s applications and dissemination have reinforced Americans’ mistrust toward the government. In a survey conducted by the Harvard TH Chan School of Public Health in 2021, only 52 percent of Americans expressed high levels of confidence in the CDC. Likewise, a survey conducted by the Washington Post and the University of Maryland following the announcement of the DCT app found that 56 percent of Americans do not trust big tech companies when it comes to data privacy. The lack of trust and reluctance to provide information is evident in the results of both manual and digital contact tracing. In 2020, more than 50 percent of Americans who tested positive for the virus in some parts of the United States did not provide any details of close contacts when asked.
Gaining confidence is easier said than done
An October 2019 report by the Johns Hopkins Center for Global Health Security and the Nuclear Threat Initiative concluded that the United States is the country best prepared to deal with a pandemic. In fact, 23% of recorded COVID cases in the world have occurred among Americans, even though the United States represents just over 4% of the world’s population.
The erratic US response and poorly implemented technological “solutions” to COVID-19 come as no surprise. The competing incentives that elected officials and the public face leave many opportunities open for misinterpretation of how citizens view their digital privacy, as a result of failures in their public policy goals. Policy makers such as the National Institutes of Health, the CDC, and a host of elected and appointed officials have considered tracking the spread of COVID-19 to be the primary policy goal, and have focused on that goal to almost everything else, ignoring citizens’ privacy concerns. As a result, responses to these concerns have been accommodative, random, and transcendental. Consumer trust isn’t gained just by saying, as Apple did, “What happens on your iPhone, stays on your iPhone.” Instead, government officials and senior technologists alike must take seriously that with the advent of big data comes the corresponding concern about privacy and transparency. Both would do well to remember President Ronald Reagan’s warning about the nine most terrifying words in the English language. “I’m from the government, and I’m here to help.”