Ask the Experts: Covid-19 Exposure notification, Privacy, and Security

On June 9, the Center for Social and Behavioral Science and Interdisciplinary Health Sciences Institute hosted the first session in our Ask the Experts Series on Covid-19 Exposure notification, Privacy, and Security. Our faculty experts discussed the promising potential, uncertainty, and associated privacy risks with using exposure notification technologies to manage the spread of Covid-19. Our conversation also narrowed in on the development of the Illinois App.

To access the video, please click on the video image below. You can find a list of all the questions that we covered in the conversation along with the corresponding point of discussion in the video.

Questions

1. [14:28] The Covid-19 pandemic has accelerated the use of technology. What have we learned about the impact these changes had on privacy and access? 

2. [17:28] What kind of legal issues are we now confronting with track and trace technologies? Is there a federal privacy law, such as HIPPA, that protects personally identifiable information gathered for Covid-19 contact tracing?

3. [23:30] What is contact tracing and exposure notification? Specifically, how is the Illinois app using track and trace technology to manage Covid-19 cases?

4. [29:25] I’m concerned about privacy. Will personal data be stored and/or shared from the COVID-19 portion of the app?

5. [38:20] How are you going to handle human uptake? Without adoption by a significant number of community members, how effective can an app expect to be? 

6. [40:20] Why should people use the Illinois app? What are the benefits of using the app, and what concerns does the app present?

7. [47:35] How does the Urbana-Champaign community get involved? How are we going to handle privacy issues leading to a general distrust in state and federal entities?

8. [52:19] What campus unit is controlling sensitive user data? How can the Illinois app protect users’ data?

Post-webinar Q&A

The United States Department of Health and Human Services (HHS) released changes in privacy rules early this year. How will these changes impact privacy and accessibility?

During the COVID-19 public health crisis, the HHS Department Law Office of Civil Rights has suspended its penalties and enforcement, and so there will be questions about when we return to normal. Other kinds of accelerations of technology from covid-19 are expected–from online retailing to mobile ordering, and to workplace cybersecurity. Another big consideration will be next-generation graphical databases to track relationships and ask complex questions across computer data. This can expand internationally to track not only what is happening in our country, but also in many countries around the world.

There are likely to be litigation issues with privacy terms of use, litigation over General Data Protection Regulation (GDPR), and the California Consumer Protection Act. Since we do not have a federal all-encompassing privacy law, some states have stepped up, such as California and it’s Consumer Protection Act. All 50 states have some sort of privacy law, but gaps in the law vary from state to state. All in all, the law is really specific to the individual state where you live, so it’s important to start there. Issues of use, storage, retention and sale to 3rd parties of personally identifiable information is going to become increasingly important. People want to know what companies have, what they’re using, what the keeping the data for, and that means that there will be contact issues, employment law issues, and many challenges we haven’t contemplated yet.

– Faye Jones, Director, Albert E. Jenner, Jr. Memorial Law Library & Clinical Professor of Law

 

The Covid-19 pandemic has accelerated the use of technology. What have we learned about the impact these changes had in privacy and access?

Many kinds of accelerations of technology from Covid-19 are expected. This includes changes in mobile ordering, online retailing, and use chatbots and robots to answer user questions. If there is a recurrence of Covid-19 or if it takes a long time for a vaccine to be developed, we will see an emerging need for extra cyber security protections at home for remote workers, because many do not have the kind of coverage they normally would have at the workplace. Another big consideration will be next-generation graphical databases to track relationships and ask complex questions across computer data. This can expand internationally to track not only what is happening in our country, but also in many countries around the world.
– Faye Jones, Director, Albert E. Jenner, Jr. Memorial Law Library & Clinical Professor of Law

What privacy guarantees can be offered, and how will they be enforced?

 You have the authority to agree/prohibit what data you want shared. The app offers choices for users to select on a five point scale range from 1) providing the least amount of data and most privacy to 5) highest functionality with more personal data collected. We do it this way to recognize the tradeoff: for the app to have the highest functionality possible, we have to know much about you–for example your credit card information, your location, favorite places. We provide the functionality for if you want to be anonymous. When you move from level 4 to level 3 functionality, we will also delete all additional data collected for level 4. Finally, you can also delete all your data–but if you decide to backtrack on this decision you will need to redo the onboarding process. We take privacy very seriously and we have built in a variety of capacities compliant with the General Data Protection Regulation (GDPR) and ahead of the California Consumer Protection Act. We are interested in people’s input as well. After release in the fall, we are going to pay for an independent forensic audit of the code, saying “these are our values and principals” and then we will publish our benchmarks and where we need to improve, then improve those things.

Additionally, we are supported by Joe Barnes (Chief Privacy and Security Officer for University of Illinois) and the policies of UIUC when it comes to data. We have a set of policies, rules, and regulations that we conform to the University, and those are enforced by these campus authorities.

– William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

I am concerned about privacy. Will personal data be stored/shared? If so, with whom?

 The Illinois app is a homegrown app, and so we have a lot more control on how to safeguard data in comparison to using apps developed by Apple, Google, etc. We have a unique opportunity here to discuss privacy before we deploy the app. Trust, security, and privacy are the main pillars of this exposure notification solution.
Masooda Bashir, Director, Social Sciences in Engineering Research, Grainger College of Engineering & Associate Professor, School of Information Sciences

Technology Services on campus owns the Illinois app and will be managing the data. Technology Services employs the policies that are set by our campus in the system and those are administered and enforced by Joe Barnes (Chief Privacy and Security Officer). We have a structure in place even if Joe leaves, the new person in the position will fulfill protocol and has responsibilities for and the commitment to adhering to these standards and policies
– William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

In designing a smart platform for COVID-19 monitoring community-wide, how will you educate the greater community?

 We are engaging with the Sibel Center for Design to help engage these community members with the Illinois app. We need to make sure that this is something that will be useful and healthy for them, rather than another avenue for them to be surveilled
– William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

One important note is that the Illinois app is an open-source, community-driven platform. As communities all over the world become “smarter” it is really important for a project like Rokwire to keep this “user first” perspective. We will keep having this discussion over and over again.

– Sanjay Patel, Senior Technology Advisor of the Rokwire project & Professor of Electrical and Computer Engineering

Why should people adopt the Illlinois app?

 One of the reasons they should adopt exposure notification is because it allows us to protect one another and engage one another as members of the community. Then, when someone does get diagnosed with the virus, we treat them with love and respect just the way we would treat a family member. One of the reasons to adopt it is to have agency, to take protective action to safeguard our Illinois family.
William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

What methods are going to be employed for forward and backward tracing – critical to ID all pre- post-infected persons contacts?

The technology we are using to notify of exposure keeps records of who you were nearby. Using Bluetooth, we can get an approximation of who was nearby. Through Bluetooth, device A sends an anonymous ID to your device. All users on the Illinois app will also be transferring their anonymous IDs. The app also checks a central database (server). If the owner of Device A tests positive, then the device will post all the other anonymous ids that they emitted over a certain period of time, posted publicly on various servers including the Rokwire server. The app finds all ids that are posted and matches with ids detected in a specified location. Nothing is in a central repository until a user is classified as infected. All ids are kept local. We are using the “MIRRORS” protocol, used by Apple and Google which includes the protocol for how the cartography works, ids generated, Bluetooth protocol works.

Further, one of the perspectives we have taken in the app development is: what would we want as individuals of the campus community? To that end, we will create dashboards. One we are developing right now is a hotspot of where people are gathering and where there is higher risk of contracting COVID-19.

– Sanjay Patel, Senior Technology Advisor of the Rokwire project & Professor of Electrical and Computer Engineering

 

With whom will data be shared? Will the university work with third-party entities, and what access will then be given?

Technologies Services on campus owns the Illinois app and will be managing the data. Technology Services employs the policies that are set by our campus in the system and those are administered and enforced by Joe Barnes (Chief Privacy and Security Officer). We have a structure in place, so even if Joe leaves, the succeeding person in this position will commit to fulfill protocol to adhering to these standards and policies.

Issac Galvin is the product owner of the Illinois app. His responsibility is to not only make sure that it functions the way it’s supposed to but engages in members of our community.

– William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

 

Right now we are facing a massive outbreak of government violence against its citizens. How do we ask our communities to participate in something that puts their information at risk for more tracking by law enforcement?

 We are engaging with the Sibel Center for Design to help engage these community members with the app. We need to make sure that this is something that will be useful and healthy for them, rather than another avenue for them to be surveilled. Another important aspect is that we need to increase the diversity of the design team. We have made great progress so far. The diversity of our design team will help us reduce the blind spots that are inherent in a more narrow group.

William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

Current Rokwire web pages present this as a platform to develop and support apps that support and engage students, with an aspirational goal of moving toward the future of “smart cities.” Many features highlighted are appropriate to the responsibilities that the University has toward its students (e.g., support for transportation, housing, athletics, and other, using intensive location tracking, AI analysis of student schedules, academic enrollment and performance, lifestyle habits, etc.). That same set of features and analysis may be far less appropriate with respect to the university’s relationship with its faculty and staff employees and could be interpreted as an inappropriate intrusion into personal autonomy and privacy. Can, and will, Rokwire apps be segmented, so that not all users are folded into the same functions and purposes?

You have the authority to agree/prohibit what data you want to be shared. The app offers choices for users to select on a five-point scale range from 1) providing the least amount of data and most privacy to 5) highest functionality with more personal data collected. We do it this way to recognize the tradeoff: for the app to have the highest functionality possible, we have to know much about you–for example your credit card information, your location, favorite places. We provide the functionality for if you want to be anonymous. When you move from level 4 to level 3 functionality, we will also delete all additional data collected for level 4. Finally, you can also delete all your data–but if you decide to backtrack on this decision you will need to redo the onboarding process. We take privacy very seriously and we have built-in a variety of capacities compliant with GDPR and ahead of the California Consumer Protection Act. We are interested in people’s input as well. After the release in the fall, we are going to pay for an independent forensic audit of the code, saying “these are our values and principals” and then we will publish our benchmarks and where we need to improve, then improve those things.

William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

Rokwire is being positioned as supporting the future of “smart cities,” an ambitious goal likely to reorder the daily life experience of every member of the community, and encourage profound changes to the sense of individual rights and autonomy. How are you going to earn public trust?

The Illinois app is approached from a privacy-first standpoint and we privilege privacy over functionality. There are a number of things we decided not to do, because these things would put users’ privacy at some tiny level of risk and we’re really prioritizing privacy.
William (Bill) Sullivan, Director of the Rokwire project & Professor of Landscape Architecture

This is a homegrown app, and so that we have a lot more control on how to safeguard data in comparison to apps developed by apple, google, etc. We have a unique opportunity here to discuss privacy before we deploy the app. Trust, security, and privacy are the main pillars of this exposure notification solution.
Masooda Bashir, Director, Social Sciences in Engineering Research, Grainger College of Engineering & Associate Professor, School of Information Sciences

 

CookieSettings CookieSettings