As government agencies and technology companies move to track the spread of COVID-19, other organizations are asking for rules that govern the collection of personal data in those efforts.
Several privacy groups have published guidelines for the collection of personal data and location data as organizations track COVID-19. On April 20, Microsoft issued its own set of recommendations in a blog post.
“Tracking individuals who are infected, tracing those with whom they have recently come into physical contact, and making testing available to those contacts may play an important role in managing the next phase of COVID-19 around the world,” wrote Julie Brill, Microsoft’s corporate vice president for global privacy and regulatory affairs, and Peter Lee, Microsoft’s corporate vice president for research and incubation. “This requires special care, as sensitive data about our location and health status may be involved.”
Microsoft’s blog post, outlining seven privacy principles for COVID-19 data collection, came days after competitors Apple and Google announced plans to partner on contact-tracking technology. The Apple and Google plan uses Bluetooth technology to help governments and health agencies track the spread of COVID-19 and “reduce the spread of the virus, with user privacy and security central to the design,” the companies said in a joint statement.
Microsoft’s recommendations called on companies to obtain consumer consent before collecting health data, to gather the data only for public health purposes, and to collect a minimal amount of data. Organizations collecting COVID-19 data from people should not share the data without consent, Microsoft said.
“When notifying individuals that they may have been in physical contact with an infected person, only share the minimum amount of data necessary to protect against inferences about the identity of the infected person,” Brill and Lee wrote.
While several privacy groups, including Access Now, Privacy International, and her own Center for Democracy and Technology, have made their privacy recommendations related to COVID-19 data collection, it’s helpful to have companies such as Microsoft also join the conversation, said Michelle Richardson, director of the Data and Privacy Project at the Center for Democracy and Technology.
Companies such as Microsoft are the platforms on which the contact-tracing data resides, and it’s beneficial for Microsoft to set the rules for developers who are building the apps to be used, she said.
The guidelines also help “create an expectation that the apps and tools will be built in a way that protects privacy,” Richardson said. With the guidelines in place, developers can’t use the common excuse, “I didn’t know; we’re making this up as we go along,” she added.
The Microsoft recommendations create a “useful starting point” for the tracking, tracing, and testing needed to fight the pandemic, added Steve Durbin, managing director of the Information Security Forum, a cybersecurity research organization.
“The fundamental issues for me that need to be addressed are transparency and building in privacy to any technology solution or approach from the outset — privacy by design, in other words,” he said. “The notion of only storing data for as long as you need it and protecting it at all stages of the information life cycle will strike a chord with information security professionals worldwide who, for many years, have been adopting this mantra to safeguard confidential data.”
The Microsoft guidelines don’t contain new concepts for information security professionals, but they should prove helpful for “governments and legislators struggling to come to terms with how to manage this challenge,” he added.
In some ways, basic privacy rules are long overdue, Durbin added. “Would we not all have hoped that these basic guidelines would have been well enshrined by now?” he said. “Unfortunately, privacy and security have for so long been seen as a cost of compliance rather than a core component in the gathering and use of personal information that guidelines such as these and their adoption, most importantly, are long overdue at a federal level.”
The Microsoft blog post called for a federal consumer privacy law, but efforts to pass one seemed to be stalled in Congress as lawmakers focus on the effect of COVID-19 on the economy. Richardson said it might be challenging to get a privacy law passed this year, with the pandemic and the fall elections on the horizon. Still, lawmakers may have an opportunity to act if new privacy controversies come to light.
