As anyone reading this blog assuredly knows, the world is in the grip of a deadly pandemic. One way to contain it is contact-tracing: finding those who have been near infected people, and getting them to self-quarantine. Some experts think that because of how rapidly newly infected individuals themselve become contagious, we need some sort of automated scheme. That is, traditional contact tracing is labor-intensive and time-consuming, time we don’t have here. The only solution, they say, is to automate it, probably by using the cell phones we all carry.
Naturally, privacy advocates (and I’m one) are concerned. Others, though point out that we’ve been sharing our location with advertisers; why would we not do it to save lives? Part of the answer, I think, is that people know they’ve been misled, so they’re more suspicious now.
As Joel Reidenberg and his colleagues have pointed out, privacy policies are ambiguous, perhaps deliberately so. One policy they analyzed said
“May”? Do you collect it or not? "As necessary"? “To administer”? What do those mean?
- “Depending on how you choose to interact with the Barnes & Noble enterprise, we may collect personal information from you…”
- “We may collect personal information and other information about you from business partners, contractors and other third parties.”
- “We collect your personal information in an effort to provide you with a superior customer experience and, as necessary, to administer our business”
The same lack of clarity is true of location privacy policies. The New York Times showed that some apps that legitimately need location data are actually selling it, without making that clear:
Society is paying the price now. The lack of trust built up by 25 years of opaque web privacy policies is coming home to roost. People are suspicious of what else will be done with their data, however important the initial collection is.
Can this be salvaged? I don’t know; trust, once forfeited, is awfully hard to regain. At a minimum, there need to be strong statutory guarantees:
- The information collected will only be used for contact tracing;
- It will not be available to anyone else, including law enforcement, for any reason whatsoever;
- There are both criminal and civil penalties for unauthorized collection or use of such data, e.g., by a store;
- There is a private right of action as well as city, state, and Federal enforcement;
- That class action suits to enforce this are permitted, regardless of terms and conditions requiring arbitration.
I don’t know if even this will suffice—as I said, it’s hard to regain trust. But passing a strong Federal privacy law might make things easier when the next pandemic hits—and from what I’ve read, that’s only a matter of time.
(There’s a lot more to be said on this topic, e.g., should a tracking app be voluntary or mandatory? The privacy advocate in me says yes; the little knowledge I have of epidemiology makes me think that very high uptake is necessary to gain the benefits.)