Big Brother in Public Health? New Contact Tracing Tactic Raises Privacy Concerns

Tech companies’ development of contact tracing apps to assist in efforts to contain the coronavirus outbreak has researchers and lawmakers alike worried about the protection of sensitive personal health information. 

But an analog contact tracing tactic that some state and local governments are deploying—requiring businesses to collect data about their customers and turn it over to health departments if there is a connection to a positive case—is also raising privacy concerns among some public health officials.

The practice of contact tracing, which requires investigators to ask infected individuals to disclose detailed information about their movements, who they came in contact with and personal health information, involves developing trust between the patient and health agency engaged in the effort, said Matt Prior, spokesman for the National Coalition of Sexually Transmitted Disease Directors. Forcing businesses to keep customer logs and turn them over to government agencies could undermine that trust, he said.

“The more data, the more tools in the toolbox of the contact tracer the better, but fundamentally contact tracing is meant to be done in a way that is respectful of people’s freedoms and privacies,” Prior said. “I don’t think this does anything to advance the trust that a marginalized population would have of these authorities.”

Contact tracing has been a key part of STD public health strategy for years and the coalition is assisting in efforts to train new contact tracers who are quickly being hired to help with the coronavirus outbreak.

As state and local governments expand their contact tracing capacity, some have moved to require businesses to keep logs of their customers or are exploring the option. The idea is that when someone tests positive for Covid-19, health officials could swiftly trace their path, obtain customer logs for any businesses they visited, and warn other customers who may have been at risk of infection. With a highly contagious respiratory illness like Covid-19, which some people have spread without even realizing they are infected, public health officials said quickly tracking a person’s movements and notifying any potential contacts is paramount. 

Washington Gov. Jay Inslee this week issued an executive order which requires restaurants to keep a daily log of customers that includes their contact information and the dates and times of their visits. But on Friday, Inslee issued a clarification noting that while restaurants would be required to keep customer logs, customers would not be mandated to provide their personal information.

“If we learn you may have been exposed to Covid-19 during your visit, we will only share this information with public health officials,” said Mike Faulk, a spokesman for the governor. “They will contact you to explain the risk, answer your questions and provide resources.”

Any information collected by restaurants will only be used for contact tracing purposes and customer lists will be destroyed within 30 days if they are not used, Faulk said.

The American Civil Liberties Union pushed back against the original order, calling mandatory logs an invasion of privacy, and wrote to the governor asking him to incorporate additional safeguards instructing businesses on how to protect the private information they collect voluntarily. 

“Business logs cannot be susceptible to disclosure beyond the tightly limited purposes of contact tracing,” the ACLU of Washington wrote. “Without appropriate safeguards, contact information can be disclosed to immigration agents, law enforcement, advertising companies, identity thieves, stalkers, and harassers.” 

Even though voluntary, the new rules “do not address how businesses must protect customers’ private information,” the ACLU said. “The rules refer to businesses keeping logs, but do not specify exactly what information must or may be requested.”

Contact tracing best practices, when used to manage other disease outbreaks, have never recommended this type of third-party disclosure, Prior said. The coalition is supportive of innovation in the field, but rather than put the onus on businesses, which may not be educated in health privacy and confidentiality laws, Prior said local governments might find it more effective to rely on the network of contact tracers trained to collect the information in a responsible manner. 

“Trust is paramount when it comes to anything involving people’s private health information,” he said. 

Washington state is trying to quickly ramp up its force of contact tracers, with Inslee last week saying the state has trained about 1,400 people. 

A federal judge is expected to weigh in soon on the legality of requiring businesses to collect customer data for contact tracing purposes. Health officials in Linn County, Kansas issued an order this month that required businesses ranging from doctor’s offices to restaurants to banks to keep customer logs. 

U.S. District Judge Holly Teeter heard arguments Friday in the case and is considering whether to grant a temporary restraining order that would ban the county’s enforcement of the ordinance.

Attorneys for the county argued the order did not violate Fourth or Fourteenth Amendment protections because the health department would first ask businesses to voluntarily comply and later seek a warrant for the information. 

“A business’ voluntary provision of its records does not offend constitutional rights,” attorneys for the county wrote in a court filing defending the order. “In the event a business elects not to voluntarily comply with a request to provide the customer logs, a judicial warrant can be sought for that information (providing the business with adequate protection of its Fourth and Fourteenth Amendment rights).”

Attorney Kevin Case said during Friday’s hearing that there “has been no effort to date to actually access the data that we have set forth should be compiled by this order.”

A newspaper publisher and restaurant owner challenged the order alleging it permits the “unreasonable, nonconsensual, suspicionless, and warrantless searches or seizures and violates the privacy rights of those required to be listed,” and violates their constitutional rights.

Samuel MacRoberts, a Kansas Justice Institute attorney representing the publisher and restaurant owner, said the county’s legal arguments appeared to be trying to rewrite the intent of the health order.

“There is nothing voluntary about it. It says it will penalize people who do not hand over this information,” MacRoberts said. 

While Case argued compliance with the order was voluntary, Teeter at times appeared skeptical of that assertion. She noted that even if the county only takes action against businesses, and not customers, to enforce the order, customers’ personal information would still be disclosed.

“At this point it’s not voluntary, is that correct?” she said.

Referring to the U.S. Supreme Court ruling in Carpenter v. United States, which established greater digital privacy rights protections, Teeter asked county attorneys to explain why plaintiffs would not have standing to challenge the third-party disclosure of their personal information.  

Case said that when customers enter a public business, their expectation of privacy is diminished.

“You cannot voluntarily enter a place where there are people around and claim it is private,” he said.

MacRoberts countered that protection against warrantless searches still exists in the public space. 

“You don’t give up your rights when you venture out into the public. You still have Fourth Amendment rights,” he said.