(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)
As governments start easing lockdown restrictions, developing an effective contact tracing strategy has become a top priority to prevent a new surge of COVID-19 outbreaks. A key part of this strategy will almost certainly involve a mobile contact-tracing application that automatically identifies people whom users have encountered. Unfortunately, the COVID-19 Consumer Data Protection Act, legislation newly introduced by four Republican members of the Senate Commerce Committee, would require any contact tracing apps made by the private sector to obtain “affirmative express consent” from consumers before collecting, processing, or transferring data. Leaving it up to individual users to choose to opt in to such an app would be a mistake—the only way this type of mobile app will reach a critical mass is if it is enabled by default.
Mobile contact tracing is emerging as a priority because public health agencies simply do not have the capacity to do this work manually, with one study from Johns Hopkins estimating the country needs to hire and train 100,000 contact tracers. Moreover, manual methods rely on fallible human memories—many people are not going to remember everywhere they went in the past week—not to mention they simply will not know everyone they may have encountered at a grocery store or on a subway car. Mobile contact tracing would supplement manual methods by automating the process of identifying and notifying individuals who may be at risk of infection.
There are two main ways this might work. One method already applied by North Dakota, South Dakota, and Utah is to use an app to track the location of users’ smartphones throughout the day. When individuals test positive for COVID-19, then public health officials use their location history to alert other people who were at the same locations at the same times. Another method uses Bluetooth technology to continuously broadcast anonymous identifiers from users’ smartphones and record the identifiers of other nearby devices. When people test positive for COVID-19, public health authorities would then automatically alert people who may have encountered these individuals on the next steps they should take. This is method Apple and Google are using to create a common-platform that public health authorities around the world can use to build contact tracing apps.
Whether mobile contact tracing is effective remains to be seen. There will likely be a lot of false positives, and location-based tracking will only be as good as the location data. While some newer phones may use Wi-Fi signals to calculate users’ locations to 3 to 10 feet, GPS-enabled phones are only accurate to about 16 feet, and accuracy rates can decline substantially indoors. Similarly, Bluetooth tracking is imperfect—for example, it is not easy to distinguish between two people sitting together versus two people separated by a wall, yet tech companies are working hard to solve these problems.
The biggest issue for mobile contact tracing applications is likely to be reaching the adoption levels needed to be most effective. A study from Oxford University found that nearly 60 percent of the population should use a contact tracing app to suppress an outbreak, yet getting to this threshold in the United States is a challenge. To start with, only 81 percent of American adults own a smart phone. Second, only about half of users enable Bluetooth, often because they are concerned about preserving battery life. Third, recent polls show that Americans are evenly divided over whether they would use a mobile contact tracing app, in part because of privacy concerns.
Any contact tracing app will need to handle questions about privacy. Indeed, one of the reasons that the Bluetooth method has gained traction is that it does not rely on centrally tracking or storing information about where people go. But while any contact tracing app should be designed to be as minimally intrusive as possible and only be used for public health purposes, some privacy advocates take it too far and demand that policymakers only allow mobile contact tracing apps “used with the explicit consent of the user.” Indeed, the current initiatives are opt-in-only because doing otherwise would risk a backlash from privacy activists. Requiring users to affirmatively opt in for using these apps would significantly slow uptake, risking lives and hurting Americans’ livelihoods.
Mandating that Americans use an app would raise immediate legal objections, but there is no reason to not enable them by default like so many other critical mobile phone updates. Tipping the scales in favor of participation would help such tools reach a critical mass. The government has had to take unprecedented actions during the pandemic—issuing stay-at-home and social distancing orders and mandating that people wear masks—and while mobile contact tracing is not a silver bullet, it is a reasonable imposition to prevent another outbreak of hotspots from emerging. Congress should not create data protection laws that would make it even harder to do mobile contact tracing. Instead, it should pass comprehensive data protection legislation that streamlines regulation, preempts state laws, establishes basic consumer data rights, and minimizes the impact on innovation—including by creating allowances for covered entities to process data, without the consent of individuals, for public interest, national security and public health purposes.