RELEASE: New CAP Report Outlines How State Governments Can Enable Privacy-Protective Digital Contact Tracing To Contain the Coronavirus Spread

CAP report provides recommendations to governors, mayors, and other local elected officials to protect both public health and consumer privacy under the adoption of digital contact tracing.

Washington, D.C. — Rapid, voluntary digital contact tracing is under close examination as a potential tool to protect public health and stem the spread of the novel coronavirus, and in early April, Apple and Google made a rare joint announcement of a partnership to enable interoperability between Android and iOS devices that would allow public health authorities to build digital contact tracing apps. A new report from the Center for American Progress outlines recommendations to governors, mayors, and other local elected officials for utilizing digital contact tracing while protecting Americans’ privacy and civil liberties. CAP’s report stresses that digital contact tracing should be considered as an additional method through which the general public can participate to assist the efforts to contain the virus, which can in turn help public health authorities focus manual resources on key investigations and better communicate timely information and instructions to residents.

“No digital approach is going to end this crisis tomorrow, and indeed, potential exists to make things worse. Mass testing, manual contact tracing, and real social and financial support for all who need it are essential,” said Erin Simpson, associate director of Technology Policy at CAP and co-author of the report. “But in addition, voluntary public health programs that use distributed, privacy-by-design digital contact tracing and involve real civil liberties oversight could play a role in curbing future outbreaks.”

“In this pandemic, there are no silver-bullet solutions, and there are certainly no silver app solutions. However, we find hope in the idea that it is possible for states to build digital contact tracing applications to fight the coronavirus in a maximally privacy-protective way,” said Adam Conner, vice president of Technology Policy at CAP and co-author of the report. “However, privacy-protecting digital contact tracing apps must be part of a larger plan that includes the availability of sufficient testing and an increase in resources to public health departments, both of which this administration has failed to provide.”

CAP’s report outlines recommendations for states and localities that meet the need for rapid contact tracing while taking into consideration the important technical, implementation, and civil liberties challenges ahead. Ideally, states will take these recommendations into account in coordination with a public health nonprofit organization such as the Association of State and Territorial Health Officials (ASTHO) and state partners in order to collaborate at the regional level on a shared state-level digital contact tracing roadmap.

CAP’s recommendations include:

  • Embrace distributed technology by default. To achieve effective, rapid contact tracing without building a mass surveillance system, choose technical decentralization through data localization—the process of retaining data and processing locally on users’ devices rather than centrally. The best practice is to build tools that enable distributed, secure, local contact tracing systems.
  • Voluntary systems are more ethical, more useful, and more likely to be downloaded. With digital proximity tracing systems, the most important system requirement is trust. Building and operating a trustworthy system is essential to encouraging use, driving sufficient adoption, and achieving public health aims.
  • Minimize data for secure and trustworthy systems. Building a system that minimizes data collection is not only a good way to protect civil liberties, it’s also a practical approach to building during a crisis. With investment in initial design of a secure, data-minimizing system, states can build lean systems with fewer short- and long-term security risks and improved usability.
  • Build trust by limiting scope creep. Avoiding legal and technical scope creep from day one is good for technical development, good for civil liberties, and ultimately, good for building sufficient trust with residents to make widespread adoption possible. In parallel to achieving data and purpose limitation through data-minimized design, an accompanying legal framework should put appropriate safeguards on the use and purpose of any digital contact tracing system.
  • Lead and partner with transparency. Committing to transparency from the start can support quality development and productive collaboration while safeguarding civil liberties. States and localities should plan for transparency on technical and administrative levels.
  • Design with public health workers and residents to provide clear benefits for both. Successful civic and technical systems are those designed in close coordination with, or led by, the people who will use and be affected by those systems—in this case, public health workers and state or local residents. To succeed, a digital contact tracing system will need to be designed with and provide benefits to both public health workers and residents. Given the current strain on existing front-line workers, policymakers should consider also utilizing recently retired and former public health workers to provide some of this needed input and guidance.
  • States should appoint an independent privacy and civil rights advisory board. This board should include elected officials, public health officials, technical and legal experts, and key communities and stakeholders as full members of the board. These stakeholders should include representatives from communities that are already over-surveilled, including people of color; communities that are particularly affected by the biases of the existing health care system; communities that are being left out in other aspects of COVID-19 response, including the disability community; communities that are being targeted because of the federal government’s racism around COVID-19, including the Asian American and Pacific Islander community; communities with preexisting or chronic health conditions; and communities that face additional danger due to existing COVID-19 response policies, including survivors of domestic violence and front-line workers providing essential services.
  • Governors must be at the helm. It is far too easy for technical projects of this scope to get lost in a bureaucracy at the best of times and even easier to imagine amid this crisis. If a state decides to move forward with a technological solution to contact tracing, the team will require both an experienced technical lead and an experienced bureaucracy hacker. This project must report directly to the governor or within one reporting line to the governor. It must have regular visibility, protection from other interests, and the ability to coordinate input from a bureaucracy without being overwhelmed by it.
  • Pursue regional collaboration and national standards. Without interstate interoperability, digital contact tracing systems will be severely limited in their ability to track chains of infection across state lines. CAP previously recommended that state systems be nationally coordinated by a nonprofit entity such as ASTHO to ensure that they can easily collaborate, learn from one another, and set data standards to allow states to securely share anonymous proximity data for persons traveling across state lines.

Click here to read “Digital Contact Tracing To Contain the Coronavirus: Recommendations for States” by Erin Simpson and Adam Conner.

For more information or to speak with an expert, contact Allison Preiss at .

To find the latest CAP resources on the coronavirus, visit our coronavirus resource page.