Cartoon of contact tracing for COVID-19.

The Constitutionality of Technology-Assisted Contact Tracing

By

The COVID-19 pandemic has posed an impossible set of choices for governments, forcing them to weigh the competing interests of protecting public health, ending social isolation, and safeguarding privacy and civil rights. Each of these ends offer distinct societal benefits, but without a vaccine or effective COVID treatment, governments can only accomplish two of the three at one time. South Korea provides an interesting example of the tradeoffs countries have made in pursuit of these competing objectives. The country is widely regarded as a model for successfully managing the pandemic, averaging approximately 77 new cases a day since April—roughly the equivalent of 480 cases a day in U.S. population terms. South Korea’s story is especially impressive given that, in March, the country was considered one of the biggest infection hot spots outside of China. Comparing these statistics with the actual infection rate in the U.S. illustrates the success of the South Korean approach: on November 23, 2020, the CDC reported 147,840 new cases, for a total of 12,175,921 known infections in the U.S. since the pandemic began.

  1. South Korea’s Pandemic Infrastructure

What did South Korea do differently? It implemented an aggressive—and often invasive—form of contact tracing to track infections, test and quarantine exposed individuals, and reduce the spread of the virus. South Korea’s contact tracing program includes emergency texts from national health officials notifying residents of nearby cases, a government-mandated GPS-tracking app aimed to deter people from breaking government-mandated quarantine, and detailed reports tracking infected individuals’ movements. Under South Korea’s Infectious Disease Control and Prevention Act (IDCPA), passed after the 2015 Middle East Respiratory Syndrome (MERS) outbreak (during which the South Korean government was accused of withholding critical information to curb transmissions), all of these actions are legal. In fact, under the Act, which applies to all forms of infectious disease, the government is required to publish detailed personal information regarding infected individuals, including their travel routes—down to the specific seats they have occupied on public transportation—and the medical institutions treating them. Further, local governments are free to publish any additional information deemed relevant for contact tracing, as long as they do not reveal the identities of infected individuals. However, there have been instances where officials have released sufficient information to make COVID-19 patients publicly identifiable without releasing their names. These revelations have not only led to doxing and online harassment, but also raised deeper questions about privacy in the age of COVID-19. While South Korea is one of the few countries in the world with a criminal statute that specifically addresses doxing, the psychological damage of releasing that information (especially in the case of COVID patients who have to deal with the additional stress of fighting this life-threatening disease) would already been done.

The IDCPA offers some guidance for navigating the line between public safety and personal privacy. Article 76-2(2) grants South Korea’s Minister of Health the legal authority to collect private data, without a warrant, from both confirmed and suspected patients. In fact, the article expressly mandates that private telecommunication companies and the National Police Agency share GPS location information for confirmed and suspected patients upon request. Article 75-2(1) further empowers the Health Minister and director of South Korea’s Centers for Disease Control to obtain private medical information from medical institutions, pharmacies, corporations, organizations, or other individuals. Under the authority granted by these provisions, the South Korean government can obtain surveillance footage, credit card histories, and geolocation data for both confirmed and suspected patients without a warrant. There is no legal standard for how to identify suspected patients—the only requirement under South Korean law is that each person under surveillance must be ultimately notified of the surveillance and that the collected data must be destroyed when the “relevant tasks have been completed.”

In addition to allowing the government to develop its own infrastructure to send emergency texts to the general public regarding patient movements, Articles 6 and 34-2, the public’s “right to know” provisions, have allowed private developers to aggregate available data and develop coronavirus tracking apps, which push notifications to users who come within 100 meters of a confirmed patient or a place an infected individual has visited. The government also has the authority, under Articles 47(1) and 49(2), to close contaminated locations and restrict or prohibit performances, assemblies, religious ceremonies or other gatherings. Finally, the IDCPA imposes criminal penalties on suspected positive cases who refuse to get tested or break quarantine.

  1. The Fourth Amendment & Contact Tracing

Most of the highly specific provisions underpinning South Korea’s aggressive contact tracing protocol lack analogues in U.S. law. This disjunction is due, in large part, to the U.S. Constitution’s commitment to civil liberties, privacy protections, and federalism. The Fourth Amendment protects against “unreasonable searches and seizures”—just the type of searches that technology-assisted contact traces may require. In Katz v. United States, the Supreme Court defined an unreasonable search as the government’s warrantless surveillance where there exists a “reasonable expectation of privacy.” Per Katz, the “reasonable expectation of privacy” test is twofold: the object of the search must have an “actual (subjective)” privacy expectation, and this expectation must “be one that society is prepared to recognize as ‘reasonable.’” For instance, using an eavesdropping device on a public payphone and installing a tracking device on a personal vehicle without a warrant both violated a reasonable expectation of privacy under the Katz test. Given this precedent, it is unclear whether technology-assisted contact tracing of the type used in South Korea would be constitutional. For instance, requiring individuals who have tested positive for COVID-19 to download an app that tracks their movements would likely violate their “reasonable expectation of privacy” and thus be unconstitutional under the Fourth Amendment. However, this reasonability analysis may be impacted by the virus’s rapid—and often asymptomatic—transmission. With a disease as infectious and fast-spreading as COVID-19, there may be few other practical options.

In recent years, infectious disease contact tracing in the U.S. has relied on the Fourth Amendment third-party doctrine, which holds that people do not have a “reasonable expectation of privacy” in information they have voluntarily provided to third parties. In today’s world, this allows the government to access a vast array of data without a warrant or even probable cause, including information collected by internet service providers, phone companies, e-mail servers, and banks. The Supreme Court recently limited the third-party doctrine in Carpenter v. United States, which held that the government violated the Fourth Amendment when it accessed historical cell phone location data without a warrant.  The Court found that “[w]hether the Government employs its own surveillance technology . . . or leverages the technology of a wireless carrier . . . an individual maintains a legitimate expectation of privacy in the record of his physical movements” as captured by cell-site location information.

The Carpenter limitation may prove problematic for technology-assisted contact tracing, which often relies on just such geo-location data. Further, given the sheer scale of the pandemic, obtaining individual warrants to access location data would be not only impracticable but perhaps impossible. However, the Carpenter Court explicitly left open the question of whether “other collection techniques involving foreign affairs or national security” would pose similar Fourth Amendment concerns. Arguably, therefore, data collection for the purposes of contact tracing during a global pandemic might still be permissible in the interest of national security.

Another possible option would be to rely on the highly controversial “special needs” doctrine, under which a program of warrantless searches that would fail the Katz test is permissible if its primary purpose is a “special need” independent of the government’s interest in general crime control and the program is applied mechanically, without governmental discretion regarding who is to be searched. If the above preconditions are satisfied, courts must balance the magnitude of the state interest at stake with the personal privacy intrusion occasioned by the search for the doctrine to apply. For example, in Michigan v. Sitz,  the Supreme Court upheld a highway sobriety checkpoint program as permissible under the Fourth Amendment, finding the program both justified by the state’s interest in deterring drunk driving and effective at achieving this goal, and deeming the privacy intrusion for motorists stopped at checkpoints to be minimal. Contact tracing in a global pandemic would arguably meet the conditions of a sanctioned programmatic search: (1) protecting the health of the general public—especially in the context of an unprecedented global pandemic—certainly constitutes a “special need” independent of the government’s interest in crime control; and (2) obtaining personal information for each infected individual would be done solely on the basis of a positive COVID diagnosis, without any discretion on the part of the government officials seeking to obtain the data.

The “special needs” doctrine has limits, however. For example, in Ferguson v. City of Charleston, the Medical University of South Carolina had instituted a program of identifying and drug testing expecting mothers suspected of cocaine use without notification or consent. Patients who tested positive were subsequently charged with criminal child abuse. The lower courts had interpreted the program to be Constitutional under the “special needs” doctrine, finding that mitigating prenatal cocaine exposure was distinct from the state’s general interest in crime control. The Supreme Court, however, reversed, holding that the nonconsensual warrantless patient testing for the propose of “coercing [patients] into drug treatment through the threat of prosecution” violated the Fourth Amendment. Under this precedent, South-Korea-style contact tracing would be unlikely to pass constitutional muster. While both mandatory, nonconsensual surveillance and criminal sanctions are explicitly permitted under South Korean law, similar practices in the U.S.—which has historically relied exclusively on voluntary disclosure—would confront challenges under the Fourth Amendment.

  1. Current Contact Tracing Efforts

Traditionally, contact tracing in the U.S. has relied on skilled workers who interview infected individuals to learn about their activities and identify the people they may have exposed. However, a report from the Johns Hopkins Center for Health Security published last April suggests that a minimum of 100,000 contact tracers may be needed to tackle the COVID-19 pandemic across the nation. Given the rapid increase in cases that the US has experienced since, it is likely that the number of contact tracers needed now is much higher. As the nation remains paralyzed by stay-at-home orders, business closures, and social distancing, a number of states have begun leveraging digital location data to supplement traditional contact tracing efforts. In addition, the federal government is collecting bulk cell phone location data (which has a higher level of generality than the cell site location information the Supreme Court held to require a warrant in Carpenter and, therefore, may be aggregated without judicial authorization) to track “the presence and movement of people in certain areas of geographic interest.” Congress recently appropriated a further $500,000,000 for “public health data surveillance and analytics infrastructure modernization.”

The idea of technology-assisted contact tracing is enticing. “Instant digital contact tracing” could alleviate the need for long-term mass social distancing and help expedite economic recovery. There is emerging evidence that digital contact tracing offers significant advantages over traditional models—COVID-19 spreads too quickly and often asymptomatically to be effectively controlled through traditional methods of interview and direct contact. Some researchers have even suggested that “instant digital contact tracing” may be necessary to transition out of mass social distancing.

However, given existing technological and testing limitations, it is far from clear that technology-assisted contact tracing is truly the “silver bullet” it has been deemed to be. For instance, although the U.S. has significantly expanded COVID-19 testing since the pandemic’s initial outbreak in March, its per capita testing rates trail those of many other developed countries, including countries that have pioneered technology-assisted contact tracing. Absent the ability to quickly test individuals suspected of exposure, collecting and storing mass location data would result in significant privacy harms without corresponding public health benefits. Similarly, whether geolocation data is sufficiently precise for the purposes of “instant digital contact tracing” is debatable. Current CDC guidelines recommend maintaining a minimum distance of 6 feet to minimize infection. Thus, the ideal “instant digital contact tracing” would need to identify a person’s location with a level of accuracy within 6 feet. However, GPS data, which is significantly more precise than cell tower location data, is usually accurate only to within 16 feet. Bluetooth tracking—an alternative to using GPS data—is more precise, but is likely to be overinclusive, as it can register contacts between devices despite the presence of walls, car doors, or even whole floors in a building.

  1. Contact Tracing and the Private Sector

So far, technology-assisted contact tracing has relied mainly on government action, but such a program may also exist without state action. Fourth Amendment protections only apply to governments and their agents—they do not regulate the conduct of private persons or entities such as corporations. Therefore, employers could decide to utilize contact tracing apps to augment safety procedures without violating the Fourth Amendment. This piecemeal approach would arguably be more limited than a government solution because it would not account for contacts with infected individuals who are not employed by the specific employer (and therefore not required to use the contact tracing app in question). In addition, there are currently no specific federal- or state-level laws that prohibit employers from using or mandating contact tracing apps as a condition of employment. In fact, the Equal Employment Opportunity Commission (EEOC) has stated that the pandemic poses a “direct threat” under the Americans with Disabilities Act (ADA) and could therefore permit employers to make more rigorous medical inquiries than would ordinarily be permissible, provided they maintain the confidentiality of any collected information. However, some state laws, like California’s prohibitions on tracking devices and requests for social media access may limit the extent to which employers can rely on mobile apps.

Finally, several senators have introduced the Exposure Notification Privacy Act, a bipartisan bill which would regulate the use of contact tracing apps by making the use of such systems voluntary and limiting the types of information that can be collected. Two competing partisan bills, the COVID-19 Consumer Data Protection Act (Republican) and the Public Health Emergency Privacy Act (Democrat), have also been introduced as potential legislative responses to this controversy. While both the Republican and the Democrat bills restrict the collection, usage, and disclosure of certain data during COVID-19, the Democrat bill defines covered data more expansively and contains stronger protections for individual rights, such as a private cause of action and a non-preemption clause. Further, unlike its Democrat counterpart, the Republican bill excludes employees, contractors, and visitors (to an employer facility) from the notice and consent requirements for data collection.

Given the significant differences between the three bills, it is not yet clear what the regulatory landscape of private sector contact tracing may look like in the near future. One thing is clear, however: technology-assisted contact tracing presents grave privacy concerns and the potential for future abuse in the absence of significant legislative safeguards. As the ACLU Senior Legislative Counsel Neema Singh Guliani has cautioned, “[i]f we as a country decide to go down the path of tech-assisted contact tracing, our lawmakers must first enact robust safeguards to prevent these tools from exacerbating existing disparities and violating our civil rights and liberties.”

This post was originally published on the COVID-19 and the Law blog.

Dessie Otachliska graduated from Harvard Law School in May 2021.

The Petrie-Flom Center Staff

The Petrie-Flom Center staff often posts updates, announcements, and guests posts on behalf of others.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.