In late April, Gov. Andrew Cuomo announced the state’s partnership with Bloomberg Philanthropies for New York’s contact tracing program.
Last week, New York City started recruiting 1,000 workers to conduct contact tracing.
This week, privacy concerns about the initiative have emerged. The focus was not as much on flaws on the tracing program as it was on how little is known about who will get to see the data and how it will be protected.
In a letter sent to the governor last Friday and released to the media on Monday, Public Advocate Jumaane Williams asked Cuomo to address questions about how New York will protect civil liberties and people’s privacy. “We cannot sacrifice protections and civil liberties in the name of speed … To maintain public trust, transparency is key.”
The Public Advocate requested information about the role technology will play in New York’s contact-tracing process and how the state will ensure no third party agency will be able to access data collected through contact tracing.
Williams also asked Cuomo to clarify who will get access to the data, what systems will be used to log and monitor it, and what research will guide how long contact tracing data stays in use.
A new report from the Surveillance Technology Oversight Project released on Thursday explores the risks associated with proximity detection, which relies on Bluetooth signals from cell phones.
New York hasn’t announced any plans to incorporate this technology into its approach.
But S.T.O.P.’s report argues the discussion about privacy concerns and civil liberties cannot wait until the emergency ends.
“History teaches that privacy invasions often outlive the emergency they are intended to combat. To this day, the USA Patriot Act provisions that were supposed to expire in 2005 are being debated for renewal to 2024,” the report reads, referring to the domestic security law passed in the aftermath of the September 11 attacks.)
Through a spokesperson, the governor dismissed Williams’ concerns: “The data resides with the state, not a private foundation and this isn’t happening. There’s enough real problems fighting this pandemic, and we have no time for politicians who create fake ones in a craven attempt to get in the paper.”
Of course, to reach the tremendous scale required for contract tracing to be effective in helping control the spread of the virus, speed is an important factor.
But transparency is a success factor, too. Public health experts have repeatedly talked about how contact tracing cannot operate effectively if people distrust the program.
After all, contact tracing works best when tracers can reach as close as they can get to every single person potentially exposed to the coronavirus. For contact tracers to obtain sensitive information about people’s contacts and whereabouts, New Yorkers will need to feel comfortable speaking with contact tracers and understand how the information they share will be protected.
In his briefing on Monday, Williams highlighted the importance of explaining ahead of time the process for protecting contact tracing data, particularly for helping immigrant communities feel comfortable participating. One would expect that contact tracers would need to be able to explain how the information they collect will be safeguarded. Before the health department contacts anyone through the contact tracing program, more transparency about what New York is doing to prevent this pool of data from falling into the hands of other government agencies like ICE or private groups can help facilitate trust.
“This isn’t a question of privacy versus public health,” says Albert Cahn, executive director of the Surveillance Technology Oversight Project). “You cannot fight this virus [and] help save New Yorkers’ lives unless you have the privacy safeguards. If we try to move forward without that, it’s really just a recipe for disaster.”
Contract tracing isn’t new. But Cahn, who also serves on the New York Immigration Coalition’s Immigrant Leaders Council, says that the health department reaching out to thousands of New Yorkers, collecting their names and routines, creates a larger pool of information. It might not have been worthwhile in the past (due to a combination of legal safeguards and the far fewer number of individuals who’ve had information collected) for an agency like ICE or the NYPD to try to access data from the health department’s work on contact tracing with other diseases, he says. But, the scale of contact tracing planned to address the coronavirus is “orders of magnitude larger than anything we’ve done in our lifetimes,” says Cahn.
In 2017, New York City had to fight in court to be able to destroy personal documents collected through its municipal ID program, IDNYC. The IDNYC program was designed to especially benefit immigrants in the city, but the process for destroying documents became a major sticking point. Cahn fears a repeat of this issue if New York doesn’t develop a protocol that addresses privacy concerns from the start.
Quentin Rhoads-Herrera, a cybersecurity professional at Critical Start says it’s important to be clear about who gets access to the data in the first place because there’s always a risk of a leak originating with someone who had been granted access to the infrastructure storing the sensitive information.
For its part, the health department says it plans robust protections for the data and people’s privacy.
“The NYC Health Department has been protecting patient confidentiality in the course of its contract tracing for diseases like tuberculosis, measles, and HIV for decades. We feel strongly about our responsibility to protect patient health data in all that we do,” Stephanie Buhle, spokesperson for the NYC Department of Health and Mental Hygiene, said in a statement to City Limits. “Patient health information is also protected by various State and City laws, rules and regulations. New Yorkers are never asked about their immigration status.”
Featured in City Limits | May 7, 2020
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.