A week ago, headlines in the major press reported that a number of countries, like China, Israel, Singapore, and South Korea, were using surveillance to track COVID-19 within their borders. The surveillance efforts varied by country. Techniques included drones, cameras, smartphone location data, apps (e.g., the “TraceTogether” application being used in Israel), and tracking devices (e.g., wristbands linked to a smartphone app are being used in Hong Kong), all used to ensure that people were not violating quarantine orders.

Meanwhile, there was a general feeling among many in the United States that such surveillance techniques would be “un-American” and would not fly in this country.

Now, a week later, the Government has announced that it is using location data from millions of cell phones in the United States to better understand the movements of Americans during the coronavirus pandemic.  The federal government (through the CDC) and state and local governments have started to receive data from the mobile advertising industry, with the goal of creating a portal comprising data from as many as 500 U.S. cities, for government officials at all levels to use to help plan the epidemic response.

Is this legal?

It depends. It depends on what the data shows, whether the data may legally be shared, and what it is being used for. If the data is truly anonymized, may legally be shared, and is being used solely to show trends and locations where people are gathering (without connecting individuals to those locations), then it could very well be legal under current U.S. privacy laws and the privacy laws of most states. But there are several hiccups.

First, is it possible to truly anonymize the data?

A report published on March 25, 2013 in Scientific Reports, called “Unique in the Crowd: The privacy bounds of human mobility” and authored by Yves-Alexandre de Montjoye, César A. Hidalgo, Michel Verleysen and Vincent D. Blondel (https://www.nature.com/articles/srep01376), while dated, is on point. In this study, the researchers looked at fifteen months of human mobility data for one and a half million individuals and found that human mobility traces are so highly unique that, using outside information, one can link anonymized location data back to individuals (i.e., re-identification).

Another issue with anonymization is that, as technologies continue to improve (consider, for example, the development of quantum computers), truly anonymizing data gets more and more difficult. Thus, data that is sufficiently anonymized today may be re-identifiable in ten years.

The limitations in the degree to which location data can be anonymized can be mitigated in other ways. For example, privacy concerns can be greatly reduced (or eliminated?) if the location data is aggregated in such a manner that an individual’s data cannot reasonably be separated from the aggregated data.
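To make the two points above concrete, here is an added example (not from the cited study or from any government portal) that measures how often a handful of known points singles out one pseudonymous trace, and then releases only aggregated counts with small cells suppressed. The traces, the zone labels and the names unicity, aggregate and k_min are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: pseudonymous ID -> set of (hour, zone) sightings.
# No names are stored, yet the traces differ from one another.
TRACES = {
    "u1": {(8, "A"), (12, "B"), (18, "C")},
    "u2": {(8, "A"), (12, "B"), (18, "D")},
    "u3": {(8, "A"), (12, "E"), (18, "C")},
    "u4": {(8, "F"), (12, "B"), (18, "C")},
}


def unicity(traces, p):
    """Share of p-point samples that match exactly one trace in the dataset.

    Each sample stands for outside information (p places and times at which
    a person is known to have been). A match count of 1 means that knowledge
    is enough to pick the person's whole trace out of the "anonymized" set.
    """
    unique = total = 0
    for points in traces.values():
        for sample in combinations(sorted(points), p):
            known = set(sample)
            matches = sum(1 for other in traces.values() if known <= other)
            total += 1
            unique += matches == 1
    return unique / total if total else 0.0


def aggregate(traces, k_min):
    """Count distinct IDs per (hour, zone) and drop cells below k_min.

    The output carries no per-person rows, and the sparse cells that made
    traces distinguishable above are withheld from the release.
    """
    counts = Counter(pt for points in traces.values() for pt in points)
    return {cell: n for cell, n in counts.items() if n >= k_min}


if __name__ == "__main__":
    for p in (1, 2, 3):
        print(f"unicity with {p} known point(s): {unicity(TRACES, p):.2f}")
    print("released cells (k_min=3):", aggregate(TRACES, 3))
```

The threshold k_min is a policy choice: the higher it is set, the less the released counts say about sparse locations, and the less useful they are for planning.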

Second, are there other legal requirements or restrictions in place regarding that data? These requirements or restrictions could come from several sources, such as federal or state legislation, a company’s privacy policy, or contractual terms. For example, a statute may require user consent (opt-in) to share location data. A privacy policy or contract may guarantee that location data will never be shared unless certain safeguards are in place. A user may have requested deletion of their personal information, and thus, the entity sharing the information should not even have the data (let alone be sharing it).

Third, there is the question of what the data is being used for.  In a number of countries, surveillance and location data is being used to “police” specific individuals to determine if they are violating quarantine orders.  So far the United States appears to be using the data for a more general purpose—i.e., to assess trends and whether there are gatherings of people at specific locations.  The implication, at least so far, is that nobody is going to go after the individuals who are gathering.  Instead, the data is being aggregated and used merely to help inform orders and for health-planning purposes.

But the question on many people’s minds is not what the data is being used for now, but rather, what the data will be used for down the road. For example, currently the government does not have access to location data maintained by third parties, like cell providers, ad tech companies, and social media operators. And in order for the government to obtain that data, it needs a warrant. See Carpenter v. U.S., 138 S. Ct. 2206 (2018) (holding that the Fourth Amendment of the U.S. Constitution protects privacy interests and expectations of privacy in one’s time-stamped cell-site location information (CSLI), notwithstanding that the information has been shared with a third party (i.e., one’s cellular provider), and thus, for government to acquire such information, it must obtain a search warrant supported by probable cause). Is this going to change once the coronavirus pandemic is over, at least with respect to the location data to which the government has already been provided access? What requires the government to delete the information later? Or to not use the data for other purposes? Presumably there are contracts in place between the government and the third-party companies that are sharing their location data – where are these contracts and who has a right to see them? Are we all third-party beneficiaries of those contracts, in that we all stand to benefit from the coronavirus response efforts that result? And if so, to the extent those contracts limit the government’s ability to use the shared data for other purposes, should individuals have a right to later enforce those limitations (as third-party beneficiaries)?