Government Access to Mobile Phone Data for Contact Tracing
A Statutory Primer
By Harsha Panduranga and Laura Hecht-Felella with Raya Koreh
Brennan Center for Justice at New York University School of Law
Published May 21, 2020

In an effort to contain the coronavirus, companies and governments across the globe are developing technological tools to trace its spread. Many of these tools seek to monitor individuals and groups in order to help identify potential carriers of the virus, alert people who may have been infected, flag places that may be at high risk, and measure the impact of public health initiatives such as social distancing directives. While proposals run the gamut from analyzing networked thermometer data nationwide to deploying remote heat sensors for fever detection,1 in the U.S. attention is focused mostly on using location or proximity data produced by cell phones to track movements and interactions at both the individual and population levels.2

Many of these tools are being developed by the private sector, but the federal government and state governments are clearly interested in influencing their design and accessing the data they generate.3 At the same time, the patchwork of laws governing the disclosure of location data to the government — by cell phone companies, smartphone application developers, data brokers, individuals, and others — does not adequately protect Americans’ privacy. Cell phone carriers are fairly heavily regulated when it comes to individually identifiable data, but constraints on other entities that collect similar information are markedly weaker. Aggregate data that does not explicitly divulge individuals’ locations, identities, or associations is subject to even fewer limitations, despite evidence that it can sometimes be disaggregated and de-anonymized.4

Moreover, there are few limits on the sharing of location information among government agencies.5 Instead, several laws promote government-wide information sharing.6 For example, location data collected by the U.S. Department of Health and Human Services (HHS) for the ostensible purpose of combating the coronavirus might easily be shared with local governments, other federal agencies, or law enforcement.7

Any effort to use location or proximity tracking must compensate for the lack of a regulatory framework that protects Americans’ civil liberties. As the Supreme Court has repeatedly recognized, location information can reveal intimate details of a person’s life, including visits to a lawyer, psychiatrist, specialized health clinic, or religious site.8 Absent meaningful safeguards, government collection of revealing information might infringe on core civil liberties such as freedom of association and freedom of expression, especially if the data is misappropriated.
The government’s use of location or proximity data also raises equity concerns. In the United States, one out of every five adults does not own a smartphone — with older and low-income Americans representing a disproportionate share of those without such a device.9 Using location data to inform a government response to the coronavirus will be less effective because of these gaps. On the flip side, inequities might also be manifested if measures of aggregate foot traffic generated by cell phone location data are used to calibrate the enforcement of social distancing measures. Communities where people move around more because they must commute to a job, need to travel farther to buy groceries, or are looking for shelter may become targets of outsize policing.10

Statutory Overview

There is no comprehensive data privacy law in the United States; instead, a piecemeal statutory structure protects certain types of personal data.11 The Stored Communications Act (SCA) and the Telecommunications Act are most relevant to the question of when private companies may voluntarily disclose location data (revealing where a person is) or proximity data (revealing how close a person is to another) to the government. Together, these two laws limit companies providing certain services to the public from voluntarily revealing an individual’s personally identifiable location or proximity information to the government, whether it originates from cell tower data, GPS, Bluetooth, Wi-Fi, a combination of these sources, or some other source entirely.

Specifically, the SCA prohibits entities that provide phone, messaging, data storage, or data processing services to the public from voluntarily disclosing to the government the content of communications they carry or maintain, or their customers’ records.12 Whether location or proximity data might be categorized as “content” or a “record” within the meaning of the SCA is a fact-specific question that depends in part on the purpose for which it is logged or transmitted, as described in further detail below.13 The Telecommunications Act prohibits phone carriers from disclosing their customers’ personally identifiable call location information to any entity, including the government and data brokers.14

The Federal Trade Commission (FTC) Act might also protect Americans where companies have violated promises not to disclose particular types of data. But it can only be enforced by the federal government itself, which is unlikely to happen where it is the federal government seeking the data (see the sidebar on the Federal Trade Commission Act below). The main types and sources of location and proximity data, as well as the relevant governing statutes, are outlined in the appendices to this report.

Whether each statute prohibits the disclosure of location or proximity data to the government depends on a number of factors, including the following:

Have people opted into an application or other program through which they know data may be shared with the government for the purpose of combating the coronavirus? If not, does a company with this data have its customers’ consent to disclose it?

In what capacity was a wireless carrier, a developer of a smartphone application or platform, a data broker or analytics provider, or another source acting while collecting the data? For example, was the entity providing messaging, data storage, or data processing services?

Is the data aggregated in a fashion that makes it impossible to connect to individuals?

Has the data been sufficiently de-identified? That is, have individual data points been stripped of details — such as a name, phone number, or address — that would make them immediately linkable to a given person?

Gaps in this regulatory framework permit workarounds for governments seeking people’s location or proximity data without their knowledge or consent. For example, while the government could not get an individual’s location information from a cell service provider, such as AT&T or Verizon, without a warrant,15 it may be able to buy it from a data broker who is legally able to purchase similar information from a smartphone application developer who collects it. Constitutional arguments, not discussed here, may provide fodder for additional constraints.16
Tracking Initiatives

Proposals to mitigate the spread of the coronavirus through phone location or proximity data have emerged from a range of sources, including academic institutions, for-profit companies, and governments. This primer divides discussion of these proposals into two categories: individualized and aggregate data.17

Individualized data is linked to a specific person who is sometimes identified by details such as name, phone number, or specific smartphone. For instance, location data revealing the path of an individual diagnosed with the coronavirus over the past 14 days, which might be used to determine whom she could have infected, is a type of individualized data.

In contrast, aggregate data collects, combines, and communicates information in terms of totals, summaries, or statistics, rather than in reference to a specific individual.18 The percentage decrease of people at a waterfront park after implementation of social distancing protocols is an example of aggregate data.

Individualized Data

Proposals deploying individualized location or proximity data to fight the coronavirus aim to use the information for a range of purposes: to track the paths of people who are infected with the virus in order to identify those who might have been exposed to it (a process known as contact tracing or exposure notification), to pinpoint disease hot spots, to model infection rates and spread, or to inform public health decisions.19 Many such proposals would use location data that reveals where an identified person was or is at a given point in time. Some contact tracing proposals would track proximity rather than location, using Bluetooth technology to determine when two people have been close enough to each other for enough time to enable transmission. This information might be stored on a central server or decentralized on local devices. The proximity-based proposals that are gaining traction in the United States are designed to be anonymous: they would make it difficult to link a person’s identity with their proximity history or diagnosis, and they would rely on a decentralized process to match contacts.

As a general matter, both location-based and proximity-based proposals in the United States contemplate asking people to voluntarily download smartphone applications that would solicit user consent for information sharing and take some steps to protect user privacy. These apps vary with respect to their features, mechanics, and privacy measures. Many are or will be run by governments, but they need not be. Nonetheless, there is a debate both in the U.S. and overseas about whether a voluntary system can achieve the levels of adoption necessary to be effective, or whether compulsory approaches that do not require user knowledge or consent are better suited to combat the virus.

One category of voluntary proposals — location-based programs — would use GPS and Bluetooth technologies to create and store an encrypted, time-stamped log of where a user has been over the past month.20 People who test positive for the coronavirus can choose to share this log with health officials, who may then use it to help patients jog their memory about where they had been and with whom they may have come in contact. Some platforms, such as MIT’s Private Kit: Safe Paths, use “overlapped GPS and Bluetooth trails” to allow healthy app users to check — against location data logged locally on their phones — if they may have crossed paths with someone who has tested positive for the disease and chosen to share their data with public health officials for dissemination in an “anonymized, redacted, and blurred” form.21 Without further details, however, it is unclear whether patients could be re-identified with relative ease.22 According to a spokesperson for MIT’s Private Kit, three local governments in the U.S. plan to use the app, and 17 more are considering doing so.23 Utah and North Dakota have confirmed rollouts of apps that incorporate location-based functionalities similar to those described here, though it is unclear whether they are built on Private Kit or the extent to which they are decentralized.24

Another category of voluntary proposals would use individual data for proximity tracking. Apple and Google recently announced a joint effort to allow applications on Apple’s iOS and Google’s Android platforms — whether created by governments or private companies associated with public health authorities — to use Bluetooth technology for exposure notification.25 These applications would enable phones close to each other for a period of time to log that contact by exchanging anonymous identifier keys, sent directly from phone to phone in a decentralized model. A user who later tested positive for the coronavirus could enter a code that would upload 14 days’ worth of proximity keys to a cloud server. The server would then push those keys to other app users’ phones, which would check to see if there was a match.26 Since the transmitted keys would be randomized and change intermittently, and because they would be generated at great volume, it would be difficult to associate a key with a particular phone. Some contact tracing apps that use location-based data, such as Care19, an application developed by the North Dakota Department of Health in partnership with ProudCrowd, also incorporate this proximity-based technology.27

So far, it appears that Apple and Google would require that developers decentralize matches, meaning matches would be confirmed on an individual’s phone rather than on a central server.28 Other Bluetooth proximity-tracking applications have varying levels of privacy protections. For example, Singapore’s TraceTogether permits authorities to know user identities and makes matches of potential contacts centrally, and the UK’s National Health Service plans to implement a similar program.29

Further Uses of Location Information

Some of the apps described here would use location information collected with users’ consent for purposes other than direct contact tracing. For example, North Dakota’s app says the data will help identify places with clusters of people who test positive for the coronavirus so it can “more proactively act to reduce the rate of spread,” as well as model infection rates and health-care demand.30

Programs in Israel and South Korea are more coercive. In March, Israel’s Health Ministry began using individual, identifiable cell phone location data, initially funneled from wireless carriers to a counterterrorism database, to map where people known to have the coronavirus had been over the previous two weeks and ascertain with whom they might have crossed paths.31 Those who could have been exposed were sent a text and told to self-isolate.32 The monitoring was done without securing consent. At the end of April, Israel’s Supreme Court ruled that if the government wanted to continue tracking people’s phones, it had to bring the program under legislation within the coming weeks.33

A similar effort in South Korea operates under the authority of the country’s Infectious Disease Control and Prevention Act, which allows health officials to use phone location information with the permission of law enforcement and other government stakeholders.34 The program relies on phone GPS data, along with sources like credit card records, to map the paths of confirmed cases, making these routes public or accessible to those in the region at a level of detail that has been sufficient to identify the infected person.35 This has resulted in the harassment and stigmatization of some of those identified as positive for the virus.36

Aggregate Data

Some virus response efforts contemplate drawing aggregate location data from a large number of cell phones, with the goal of discerning population-level trends rather than the movement of any particular individual. This information can help policymakers assess compliance with social distancing orders and map the spread of the disease. News reports indicate that mobile advertising companies are sharing such data with the U.S. Centers for Disease Control and Prevention (CDC), as well as with state and local governments, to display the degree to which people are congregating in public places, going shopping, or moving from one place to another.37

The federal government has also reportedly been in discussions with large tech companies, including Google and Facebook, on how it can use aggregated location data for these purposes.38 For example, Google is using aggregated data culled from users who have enabled the location history setting on their Google account to track movement trends.39 This project, called COVID-19 Community Mobility Reports, is intended to help public health officials make decisions about transportation to high-volume destinations, business hours, and guidance regarding essential trips and deliveries. The mobility reports display a percentage point increase or decrease in the number of visits to a location but not the absolute number of visits. Apple has announced it is doing something similar with Apple Maps data.40
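The decentralized Bluetooth exchange described under Individualized Data above (random rotating identifiers exchanged phone to phone, the diagnosed user's keys uploaded to a server, matching done on each handset) can be sketched in a few dozen lines. The following is an added illustration written for this primer, not code from Apple, Google or any of the apps discussed. It assumes a 10-minute identifier rotation, a 14-day upload window, and an HMAC-SHA256 derivation of identifiers from a per-day random key; the published Apple/Google specification uses its own key-derivation scheme, so treat the constants and `derive_rpi` as hypothetical. The scenario data (three phones, a handful of encounters) is constructed for the example.

```python
"""Decentralized exposure notification, simplified sketch (added example).

Phones broadcast short-lived identifiers derived from a locally held daily key.
A diagnosed user uploads only those daily keys. Every other phone re-derives
the identifiers the keys could have produced and matches them against what it
actually heard, so the server never learns who met whom.
"""
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144   # 24 h / 10 min rotation; assumption for this example
RETENTION_DAYS = 14       # diagnosed user uploads 14 days of keys (as in the text)


def derive_rpi(daily_key: bytes, interval: int) -> bytes:
    """Rolling proximity identifier for one interval (hypothetical derivation).
    Without the daily key an eavesdropper cannot link two identifiers."""
    return hmac.new(daily_key, interval.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self._daily_keys = {}   # day -> random 16-byte key; leaves the phone only on diagnosis
        self.observed = set()   # identifiers heard over Bluetooth, kept locally

    def _key_for_day(self, day: int) -> bytes:
        return self._daily_keys.setdefault(day, secrets.token_bytes(16))

    def broadcast(self, day: int, slot: int) -> bytes:
        """Identifier advertised during 10-minute slot `slot` of `day`."""
        return derive_rpi(self._key_for_day(day), day * INTERVALS_PER_DAY + slot)

    def hear(self, rpi: bytes) -> None:
        self.observed.add(rpi)

    def diagnosis_keys(self, today: int) -> dict:
        """Upload after a positive test: only the last 14 days' keys, no contact list."""
        return {d: k for d, k in self._daily_keys.items()
                if today - RETENTION_DAYS < d <= today}

    def check_exposure(self, published: dict) -> set:
        """Runs on-device: re-derive every identifier the published keys could
        have produced and intersect with what this phone heard."""
        hits = set()
        for day, key in published.items():
            for slot in range(INTERVALS_PER_DAY):
                rpi = derive_rpi(key, day * INTERVALS_PER_DAY + slot)
                if rpi in self.observed:
                    hits.add(rpi)
        return hits


def encounter(a: Phone, b: Phone, day: int, slot: int) -> None:
    """Two phones within Bluetooth range exchange identifiers for one slot."""
    a.hear(b.broadcast(day, slot))
    b.hear(a.broadcast(day, slot))


def simulate() -> dict:
    """Constructed scenario: Alice and Bob meet on day 3 for three slots; Carol
    meets Bob on day 4 but never Alice. Alice is diagnosed on day 5."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for slot in (10, 11, 12):
        encounter(alice, bob, 3, slot)
    encounter(bob, carol, 4, 50)

    # The server only relays the diagnosed user's keys; it sees no encounters.
    server_published = alice.diagnosis_keys(today=5)

    return {
        "bob_exposed": bool(bob.check_exposure(server_published)),
        "carol_exposed": bool(carol.check_exposure(server_published)),
        "keys_uploaded": len(server_published),
        # consecutive slots look unrelated to anyone without the daily key
        "rotates": alice.broadcast(3, 10) != alice.broadcast(3, 11),
    }


if __name__ == "__main__":
    print(simulate())
```

Two properties the primer relies on are visible here: the only thing that reaches the server is the diagnosed user's daily keys, so the server learns neither whom Bob met nor whether Bob was exposed, and an observer without the key cannot tie successive identifiers to one phone. The caveat is the flip side of the same design: once a daily key is published, every identifier derived from it that day becomes linkable to every other, which is why such schemes scope keys to a single day rather than to the whole 14-day window.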
Applicable Statutes

This section evaluates the degree to which relevant statutes — namely, the Stored Communications Act (SCA) and the Telecommunications Act — limit companies’ voluntary disclosure of individualized location or proximity data to the government.41 Though the statutory landscape is rapidly evolving — for example, two Covid-19-related data privacy bills were introduced in the Senate in May42 — it does not seem that the SCA or the Telecommunications Act significantly constrain any of the U.S. proposals in their current form, for two reasons.

First, current proposals to use individualized data involve people granting permission to the government to collect and use their information, against which there is no legal bar.43 A conceivable scenario down the road, though, is one in which a privately administered app — using the Private Kit template, for example — gives location or proximity information it has logged to the government without authorization from its users.44 If this information — arguably protected as “content” or a “record or other information” under the SCA45 — is stored or processed remotely by the application, the SCA may restrict disclosure.46 In contrast, the decentralized Apple/Google proposal is restricted to use by public health authorities; users who volunteer to share their diagnosis keys would be agreeing to share this information with the government.47 Since proximity keys would be stored locally, on individual phones rather than in a central database, there would be little else of value for the government to collect.

Second, with respect to the proposals to use aggregate data, there are few legal limitations on private companies’ voluntarily disclosing aggregate cell phone location data to the government. For example, the Telecommunications Act affirmatively allows wireless carriers, such as Verizon and AT&T, to disclose aggregate customer information when “individual customer identities and characteristics have been removed.”48

The Federal Trade Commission Act

The Federal Trade Commission (FTC) Act applies to companies that collect or maintain location data, such as Google, Apple, Facebook, Twitter, and Uber, and to data brokers that compile consumers’ personal information and resell or share that information with others.49 It also applies to the privacy practices of phone providers, such as Verizon, AT&T, and T-Mobile, though its jurisdiction over these common carriers is much more limited.50 The FTC does not, however, have jurisdiction over most nonprofit organizations, including many universities, which have been proposed as trusted organizations through which to run contact tracing programs.

Unlike the SCA and the Telecommunications Act, the FTC Act does not impose additional regulations on companies’ disclosure of customer information. Rather, the act holds companies to the privacy commitments they have made to their customers. Under Section 5 of the act, the FTC can investigate and bring enforcement actions to hold companies accountable for misleading privacy policies,51 including those pertaining to location data, which it has recognized as sensitive information that implicates significant privacy concerns.52 Notably, some of the companies reportedly in discussion with government entities regarding sharing of location information, such as Google and Facebook,53 are already under consent decrees with the FTC for privacy lapses.54 For example, the FTC recently announced that Facebook would pay a $5 billion penalty and agree to a 20-year settlement order to resolve allegations that the company deceived users about their ability to control their personal information using Facebook’s privacy settings.55

As seen in the Facebook example, the act might facilitate meaningful privacy protections for individuals’ data. However, companies that collect or maintain location data — including operating systems like Google’s Android and Apple’s iOS, phone applications like Facebook and Twitter, and data brokers — tend to have privacy policies that distinguish between identifiable and nonidentifiable data. Their policies generally explicitly permit disclosure of nonidentifiable data to third parties,56 so the FTC is unlikely to provide a barrier to the disclosure of anonymized, aggregated data.

Moreover, the FTC Act has no private right of action, meaning that individuals cannot seek a remedy under it; instead, the federal government would have to enforce any violation of the act. Where the federal government is the one seeking disclosure in a time of crisis, it is unlikely to turn to the act to halt its own data-solicitation practices. However, the act could perhaps be a tool to deter organizations administering digital coronavirus containment programs from selling the data they collect to private actors or disclosing it to state and local governments.

While the SCA prohibits companies such
as Facebook, Gmail, and YouTube, in the course of providing public messaging, data storage, or data processing services,57 from voluntarily disclosing their customer records to the government, it does not explicitly address aggregate data. Notably, the Department of Justice has interpreted the act to permit the disclosure of aggregate records as long as they do not “identify or otherwise provide information about a particular subscriber or customer.”58

For more coercive contact tracing initiatives that use individualized, identifiable data without explicit consent, such as those from Israel and South Korea, the legal framework is largely dependent upon the type of service a company provides to the public:59

Wireless carriers. The SCA and the Telecommunications Act prohibit wireless carriers like Verizon, AT&T, or Sprint from disclosing individualized call location data to the government without a warrant or other legal authorization.60

Smartphone app developers and platforms. Whether the SCA covers developers of smartphone applications that collect location data depends on whether they collect that data in the course of providing messaging, data storage, or data processing services. Social media services like Facebook or Twitter and email clients like Gmail have been found to be covered when they serve primarily to allow people to exchange and store messages.61 Services that mainly let users upload and store or process content, such as YouTube or DropBox, may also be covered.62 So too may services that exist for the purpose of logging a person’s location — for example, Google’s Location History function.63 The same rules apply to built-in functionalities of smartphone operating systems, such as iMessage or iCloud in Apple’s iOS.64

Data brokers. If the U.S. government were looking to implement a tracking initiative like Israel’s or South Korea’s, it might approach firms that buy or otherwise obtain location data to aggregate and resell it to other parties, to provide analytics to optimize advertising or other functions, or for some other reason. The SCA does not prohibit these companies from disclosing their data to the government.65

This is not a complete workaround, though. Wireless carriers and other companies that collect location data may be held accountable in other ways for the downstream consequences of selling or sharing the data with third-party data brokers. For example, in February 2020 the Federal Communications Commission (FCC) formally proposed fining AT&T, Sprint, T-Mobile, and Verizon more than $200 million for disclosing customer location data through a chain of third-party brokers to law enforcement in violation of the Telecommunications Act.66 The enforcement notice highlighted how the wireless carriers had failed to safeguard customers’ information as it was transmitted to aggregators that sent it to companies providing location-based services — navigation, local weather, or fraud prevention, for example. The carriers were alleged to be responsible for the downstream unauthorized disclosure of customers’ location data to a state sheriff’s office. It is also possible that the SCA would prohibit a wireless phone company or other entity providing a covered service from selling location data directly to an aggregator or broker with the knowledge that the government would eventually get it, though this has not been tested in court.67

As described above, user consent and voluntary adoption are key components of the proposals currently being considered in the United States. Both the SCA and the Telecommunications Act contain user-consent exceptions to their prohibitions on the disclosure of identifiable information. More coercive proposals, in which companies would voluntarily disclose identifiable data without user consent, might implicate the statutes’ emergency exceptions.

Consent

The SCA and the Telecommunications Act, as well as FCC regulations implementing the Telecommunications Act, explicitly require customers to consent to the disclosure of identifiable data.68 Without specific customer consent for the disclosure of location or proximity data, or a privacy policy permitting the practice, it is unlikely that courts would find that people have legally consented to the disclosure of this data to the government in order to operationalize a location-based contact tracing proposal mapping out individuals’ travels, akin to South Korea’s.69 We reviewed privacy policies and terms-of-service agreements governing customer-provider relationships from some major companies, including wireless carriers (Verizon and AT&T), a social media company (Facebook), and tech companies (Apple and Google).70 Notably, none could reasonably be read to permit the blanket disclosure of user data to the government, though it is unclear to what degree that finding is generalizable to the industry as a whole.71

Emergencies

The emergency exception of the SCA could conceivably be invoked in support of coronavirus containment measures involving contact tracing. Under the SCA, a provider using the exception needs to believe in good faith (1) that there is an emergency involving danger of death
or serious physical injury to any person, (2) that it requires disclosure of information without delay, and (3) that the information relates to the emergency. Historical uses have included locating a missing person thought to be imminently at risk of harm and tracking a suspect fleeing a crime who is believed to pose an imminent danger to others.72 The Telecommunications Act’s emergency exception is narrower, focusing on facilitating 911 services and permitting the disclosure of information to family members when an individual is in a “situation that involves the risk of death or serious physical harm.”73 Although these exceptions have not been used in the past to permit something like widespread contact tracing, they could be invoked now if the government asks companies to provide location data voluntarily in light of the severity of the public health crisis and the exponentially increasing costs of delaying action.74

Conclusion

Proposals that would map individuals’ movements for disease-tracking purposes in the U.S. — in contrast to many other countries — have so far envisioned voluntary rather than compulsory participation. If individuals decide to share their data, the information can be used in accordance with the terms of that disclosure. However, digital contact tracing or exposure notification needs a high rate of nationwide buy-in to work, and policymakers looking to avoid the continuation of broad lockdowns will be looking for ways to increase participation and data collection as the coronavirus pandemic continues. The statutory law outlined in this primer will be most applicable in such scenarios. As proposals are developed, it is essential that they include privacy protections for users given the significant gaps in the statutory framework, particularly regarding the disclosure of information to third parties and the disclosure of aggregate data. This crisis has made clear the need for strong, reliable protections for the privacy and security of personal data, especially the highly sensitive health and location information resulting from testing and contact tracing.
Appendix 1
SOURCES OF LOCATION AND PROXIMITY DATA

Cell towers. Cell phones connect to nearby cell towers several times a minute when they are turned on. Each connection generates a time-stamped record containing the identity of the phone and the location of the cell tower. This data, which can be used to determine a cell phone’s approximate location, is called cell-site location information (CSLI) and is stored by some phone providers for up to five years.75

Global Positioning System (GPS). Some cell phones contain a GPS chip, which generates location information by calculating its distance from four or more of the GPS satellites orbiting Earth.76 This data may be stored locally on a device or transmitted to a central database.

Bluetooth. Some cell phones contain a Bluetooth chip, which continuously broadcasts probe signals using short-range radio when it is turned on. As these signals are received by nearby Bluetooth devices, they can be used to generate proximity information. Signals received by fixed Bluetooth beacons can also be used to generate location information.77

Wi-Fi. It is possible to approximate the location of a cell phone by tracking its unique hardware identifier, called a Media Access Control (MAC) address, as it connects to nearby Wi-Fi networks.78 Newer phones randomize the MAC address they use while scanning for networks, which limits how reliably this technique can follow a single device over time.
Appendix 2
STATUTES GOVERNING DISCLOSURE OF LOCATION AND PROXIMITY INFORMATION

Statutes compared: the Stored Communications Act (SCA), 18 U.S.C. § 2702; the Telecommunications Act, 47 U.S.C. § 222; the Federal Trade Commission (FTC) Act, 15 U.S.C. § 45; and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. §§ 160 and 164.

Summary

Stored Communications Act: The SCA prohibits entities that provide phone, messaging, data storage, or data processing services to the public from voluntarily disclosing the content of communications they carry or maintain, as well as customer records or information in connection with their provision of those services. Disclosure of proximity or location information to any third party, whether to the government or to a private data broker from which the government can buy it, may be prohibited if it is considered the “content” of a communication under the SCA. If it is a “record or other information” connected to a customer, disclosure to the government is barred but the data may be shared with other third parties.79 Whether location information is categorized as “content” or a “record” is a fact-specific question that depends in part on the purpose for which it is collected or transmitted.80 The SCA probably restricts the disclosure of de-identified data tied to discrete individuals, even if it is transmitted in bulk.81 Court decisions bearing on the SCA’s application to the proposals of concern to this primer have considered location — as opposed to proximity — information.

Telecommunications Act: The Telecommunications Act prohibits phone carriers from disclosing their customers’ personally identifiable call location information to any entity, including the government or data brokers.82 The degree to which it prohibits the disclosure of de-identified information disclosed in bulk is unclear.83

FTC Act: The FTC Act prohibits companies that collect or compile customer data, such as social media sites, online stores, or data brokers, from deceiving or misleading consumers about their privacy policies. The FTC enforces this provision by investigating and bringing enforcement actions against companies that have misrepresented their privacy policies.84 The FTC Act has been enforced against companies for improperly disclosing customers’ location data.85 There is no reason to think the unauthorized disclosure of proximity data would be treated differently than that of any other customer data.86

HIPAA Privacy Rule: The HIPAA Privacy Rule provides national standards that define and restrict the ability of health-care providers and their associates to save, access, and share individuals’ medical records and other individually identifiable health information.87 The HIPAA Privacy Rule does not meaningfully restrict disclosure of aggregate data, de-identified data, or non-health information.88
Covered entities or activities

Stored Communications Act: The SCA’s coverage89 has been found to include Verizon, Sprint, AT&T, T-Mobile, and other phone carriers;90 Facebook, Dropbox, Gmail, and other companies when providing social media messaging, storage, or email services;91 and Facebook, Twitter, YouTube, and other companies when providing services that permit users to upload content.92 The SCA may apply to cell phone operating systems, such as Apple’s iOS and Google’s Android, to the extent they provide messaging, data processing, or data storage services.93 The SCA likely does not apply in cases where the primary purpose of a service at issue is not best characterized as storage, processing, or messaging. For example, where companies like eBay or Amazon provide such features in a manner incidental to their retail or auctioneering functions, the SCA has been found not to apply.94

Telecommunications Act: The act applies to wireless carriers, such as Verizon, Sprint, AT&T, and T-Mobile, and any other providers of telecommunications services.95

FTC Act: The act gives the FTC the authority to regulate most “persons, partnerships, or corporations,”96 including companies that collect or maintain location data, such as Google, Apple, other cell phone applications, and online stores; and data brokers that compile consumers’ personal information and resell or share that information with others.97 The FTC has limited jurisdiction over “common carriers” like Verizon, AT&T, and T-Mobile, though the FTC can regulate their privacy practices.98 It cannot enforce the FTC Act against most nonprofit organizations.99

HIPAA Privacy Rule: HIPAA’s coverage includes health plans, health-care clearinghouses, most health-care providers, and business associates and subcontractors of those entities that create, receive, maintain, or transmit protected health information.100 Business associates of covered entities can include medical billing agencies, accountants, and IT consultants, as well as tech firms that help hospitals manage and analyze patient data.
Covered data

Stored Communications Act: Companies providing covered services are generally prohibited from voluntarily disclosing a customer’s “record or other information” to the government.101 There is no definition of “record” in the statute, but courts have interpreted the term to include some data revealing a customer’s location, most notably cell-site location data.102 Location data may also be considered the “content” of a communication, especially if the purpose of a service is to record or communicate it. For instance, Google has argued that its Location History feature acts as a journal logging a person’s whereabouts, with the retained data therefore being the “content” of an entry.103 Disclosure to any third party is prohibited when location data is “content.”

Telecommunications Act: Covered companies are generally prohibited from disclosing customer proprietary network information (CPNI), which explicitly includes a customer’s location information logged in connection with making or receiving a call.104

FTC Act: Covered companies are prohibited from engaging in “unfair or deceptive acts or practices,”105 which would include false or misleading privacy policies pertaining to location or proximity data.106

HIPAA Privacy Rule: The HIPAA Privacy Rule covers “protected health information” — patients’ medical records and other individually identifiable health information — in paper and electronic formats.107
Prohibitions on disclosure

Stored Communications Act: As described above, entities may be barred from voluntarily sharing customer location data obtained in the course of providing phone, messaging, data storage, or data processing services, unless an exception applies, such as customer consent or an emergency. Absent consent given for a discrete purpose, courts may look to privacy policies and terms-of-service contracts to determine whether a disclosure was authorized. The emergency exception applies if the provider believes in good faith (1) that there is an emergency involving danger of death or serious physical injury to any person, (2) that it requires disclosure of information without delay, and (3) that the information relates to the emergency.108 The SCA does not specifically address the disclosure of de-identified or aggregate data. However, the U.S. Department of Justice has interpreted the act to permit companies to voluntarily disclose to the government aggregated data “that does not identify or otherwise provide information about a particular subscriber or customer.”109

Telecommunications Act: Covered companies are barred from disclosing CPNI to any other entity unless an exception applies, such as customer consent or an emergency.110 Companies can disclose aggregate customer information, defined as data that relates to a group of customers and from which individual identities and characteristics have been removed.111

FTC Act: Companies that engage in “unfair and deceptive acts,” including data collection, use, and sharing practices that contradict the commitments they have made to their customers, may become the target of FTC investigations or enforcement actions.

HIPAA Privacy Rule: In general, protected health information may be used or disclosed as necessary without patient consent for the purposes of delivering treatment,112 seeking payment, or running health-care operations only. Aside from those purposes, entities are barred from voluntarily sharing protected information unless an exception applies, such as to prevent or control disease113 or to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.114 During the Covid-19 emergency, business associates of covered entities — such as billing agencies or IT consultants — can make good-faith use of and disclose protected health information for public health activities without penalty.115
Endnotes

1 See, e.g., Ed Garsten, “Drive-By Heat Sensors Could Help Detect Vehicle Occupants with COVID-19,” Forbes, April 1, 2020, https://www.forbes.com/sites/edgarsten/2020/04/01/drive-by-heat-sensors-could-help-detect-vehicle-occupants-with-covid-19/#455a60b62b0e; “Taking People’s Temperatures Can Help Fight the Coronavirus,” Economist, March 26, 2020, https://www.economist.com/science-and-technology/2020/03/26/taking-peoples-temperatures-can-help-fight-the-coronavirus; and Donald McNeil Jr., “Can Smart Thermometers Track the Spread of the Coronavirus?,” New York Times, March 18, 2020, https://www.nytimes.com/2020/03/18/health/coronavirus-fever-thermometers.html.

2 This primer focuses on location data obtained through cell phones, though such data may also be gleaned from other surveillance technologies, like video, facial recognition, or automated license plate readers. See, e.g., Caroline Haskins and Ryan Mac, “A US Senator Wants to Know Which Federal Authorities Are Using Clearview AI to Track the Coronavirus,” BuzzFeed News, April 30, 2020, https://www.buzzfeednews.com/article/carolinehaskins1/senator-markey-clearview-ai-covid-contact-tracing; and Catherine Crump, You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans’ Movements, American Civil Liberties Union, July 2013, https://www.aclu.org/issues/privacy-technology/location-tracking/you-are-being-tracked.

3 Elliot Setzer, “Contact-Tracing Apps in the United States,” Lawfare, May 6, 2020, https://www.lawfareblog.com/contact-tracing-apps-united-states; Ryan Browne, “How Governments and Big Tech Are Looking to Curb the Spread of Coronavirus with Your Smartphone,” CNBC, April 16, 2020, https://www.cnbc.com/2020/04/16/coronavirus-apple-google-and-governments-using-contact-tracing-tech.html; and Enlisting Big Data in the Fight Against Coronavirus: Hearing Before the Senate Committee on Commerce, Science, and Transportation, 116th Cong. (2020), https://www.commerce.senate.gov/2020/4/enlisting-big-data-in-the-fight-against-coronavirus.

4 Although aggregate data conveys information about groups rather than individuals, it may be possible to identify individuals, especially if the data refers to a small geographic area or group, or if it is combined with publicly available information and examined over time. See Sidney Fussell and Will Knight, “The Apple-Google Contact Tracing Plan Won’t Stop Covid Alone,” Wired, April 14, 2020, https://www.wired.com/story/apple-google-contact-tracing-wont-stop-covid-alone; Ling Yin et al., “Re-Identification Risk versus Data Utility for Aggregated Mobility Research Using Mobile Phone Location Data,” PLoS ONE 10, no. 10 (2015), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4607417; Ed Felten, “Is Aggregate Data Always Private?,” Tech@FTC Blog, Federal Trade Commission, May 21, 2012, https://www.ftc.gov/news-events/blogs/techftc/2012/05/aggregate-data-always-private; and Joseph A. Calandrino et al., “‘You Might Also Like:’ Privacy Risks of Collaborative Filtering,” IEEE Symposium on Security and Privacy (May 2011): 231–246, http://www.cs.utexas.edu/~shmat/shmat_oak11ymal.pdf.

5 Neither the Privacy Act of 1974 nor the Health Insurance Portability and Accountability Act (HIPAA) provides sufficient protection against information sharing. The Privacy Act, which protects records about individuals retrieved by personal identifiers like name or date of birth, does not apply to aggregate or anonymized location data, or to databases that contain personally identifiable information but do not retrieve information using that data. Moreover, the act contains substantial exceptions, including permitting information sharing with law enforcement and disclosures for “routine uses,” which agencies often reserve when giving notice of a data collection proposal. Privacy Act of 1974, 5 U.S.C. § 552a (2020); Privacy of Individually Identifiable Health Information, 45 C.F.R. §§ 164.500 to 164.534 (2019). Similarly, HIPAA, which establishes the conditions by which a health-care provider or associate may disclose individually identifiable health information, does not meaningfully restrict disclosure of aggregate or de-identified data or non-health information. In addition, in light of Covid-19, HHS recently released a waiver that significantly curtails the scope of HIPAA protections and facilitates information sharing. See Office of the Secretary, U.S. Department of Health and Human Services, “Enforcement Discretion Under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID–19,” Federal Register 85, no. 67 (April 7, 2020), https://www.govinfo.gov/content/pkg/FR-2020-04-07/pdf/2020-07268.pdf.

6 For example, the National Counterterrorism Center (NCTC) is directed by statute to “ensure that agencies . . . have access to and receive all-source intelligence support needed to execute their counterterrorism plans or perform independent, alternative analysis” and to ensure that such agencies “have access to and receive intelligence needed to accomplish their assigned activities.” 50 U.S.C. § 3056 (2020). A recent memorandum written by U.S. Deputy Attorney General Jeffrey Rosen designating the coronavirus as a “biological agent” means that information collected by government health officials to counter the coronavirus might be shared with other agencies and law enforcement within the NCTC. See Jeffrey Rosen, U.S. Deputy Attorney General, to All Heads of Law Enforcement Components, Heads of Litigating Divisions, and United States Attorneys, memorandum, March 24, 2020, Department of Justice Enforcement Actions Related to COVID-19, https://www.justice.gov/file/1262771/download.

7 Within HHS, data sharing practices vary widely. In a 2018 report, the agency noted: “The Department lacks a consistent, transparent, and standardized framework for sharing restricted and nonpublic data among its agencies in a timely and efficient manner. Each agency, and often agency personnel for each dataset, has the autonomy to interpret the rules for data sharing processes. Data sharing processes can range from non-existent and informal, to formal and consistent. . . . The data governance rules are not formalized. The sharing of those datasets can be ruled by individual relationships and/or staff availability.” Office of the Chief Technology Officer, U.S. Department of Health and Human Services, The State of Data Sharing at the U.S. Department of Health and Human Services, September 2018, https://www.hhs.gov/sites/default/files/HHS_StateofDataSharing_0915.pdf. One significant concern is that location data collected by HHS or another government agency might eventually find its way into the hands of law enforcement, which would ordinarily be required to obtain a warrant or court order before obtaining such data. Both the Privacy Act and the HIPAA Privacy Rule contain exceptions for disclosures to law enforcement. 5 U.S.C. § 552a (2020); 45 C.F.R. §§ 164.500 to 164.534.

8 Several recent U.S. Supreme Court decisions regarding Fourth Amendment protections for location data have highlighted the sensitivity of this information. For example, the U.S. Supreme Court noted in Carpenter v. United States that location data reveals a wealth of detail about a person’s “familial, political, professional, religious, and sexual associations.” Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018). In United States v. Jones, Justice Sotomayor observed that location data will disclose things that are indisputably private in nature — including “trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.” United States v. Jones, 132 S. Ct. 945, 955 (2012) (Sotomayor, J., concurring) (quoting People v. Weaver, 12 N.Y.3d 433, 441–442 (N.Y. 2009)).

9 “Mobile Fact Sheet,” Pew Research Center, June 12, 2019, https://www.pewresearch.org/internet/fact-sheet/mobile.

10 Amos Toh, “Big Data Could Undermine the Covid-19 Response,” Wired, April 12, 2020, https://www.wired.com/story/big-data-could-undermine-the-covid-19-response.

11 Zachary S. Heck, “A Litigator’s Primer on European Union and American Privacy Laws and Regulations,” Litigation 44, no. 2 (2018): 59 (“The United States has a patchwork of laws at both the federal and state levels relating to data protection and information sharing.”).

12 The Stored Communications Act (SCA) prohibits covered entities from knowingly divulging to any person or entity the contents of a communication. It also prohibits covered entities from knowingly divulging to any governmental entity customer records or other information. See Stored Communications Act of 1986, 18 U.S.C. § 2702(a) (2020).

13 There is no definition of “record” in the SCA, but courts have interpreted the term to include some data revealing a customer’s location, most notably cell-site location data. For example, in Carpenter v. United States, the U.S. Supreme Court addressed the application of § 2703 of the SCA to cell phone location data. The Court held that a warrant was required to obtain seven days of historical cell-site location information (CSLI) obtained from a suspect’s wireless carrier, pursuant to an order issued by a federal magistrate judge under the act. Carpenter, 138 S. Ct. at 2213. Location or proximity data may also be considered the “content” of a communication, especially if the purpose of a service is to record or communicate such data. For example, Google has argued that its location history feature acts as a journal logging a person’s whereabouts, with the retained data therefore being the “content” of an entry. Brief of Amicus Curiae Google LLC in Support of Neither Party Concerning Defendant’s Motion to Suppress Evidence from a “Geofence” General Warrant (ECF No. 29), United States v. Chatrie, No. 3:19-CR-00130 (E.D. Va.), https://www.nacdl.org/getattachment/723adf0b-90b1-4254-ab82-e5693c48e951/191220-chatrie-google-amicus-brief.pdf.

14 The Telecommunications Act prohibits covered entities from disclosing customer proprietary network information (CPNI) to any entity, including the government, unless an exception applies. See Communications Act of 1934, 47 U.S.C. § 222(c)(1) (2020) (“Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.”). Express prior authorization is required for a customer to approve the disclosure of their call location information. 47 U.S.C. § 222(f)(1). See also “FCC Proposes Over $200M in Fines for Wireless Location Data Violations,” Federal Communications Commission, February 28, 2020, https://www.fcc.gov/document/fcc-proposes-over-200m-fines-wireless-location-data-violations. In the course of bringing this enforcement action, the FCC interpreted CPNI — without binding precedential effect — to broadly encompass “location information collected by carriers from a mobile device during a telephone call and . . . when the device is turned on and available for calls but not engaged in transmitting a voice conversation.” In the Matter of AT&T, Inc., Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd. 1743, 2020 WL 1024412, at *11 (F.C.C. Feb. 28, 2020), https://docs.fcc.gov/public/attachments/FCC-20-26A1.pdf. However, as confirmed in a 2013 FCC declaratory ruling, the clearly established scope of location data protected as CPNI is limited to location information logged in connection with the use of a “telecommunication service,” that is, when making or receiving a call. See “CPNI (Customer Proprietary Network Information),” Electronic Privacy Information Center, accessed May 5, 2020, https://epic.org/privacy/cpni (citing 2013 ruling). A 2016 FCC order would have expanded the definition of CPNI in a manner confirmed to cover location information intermittently logged in the course of a phone’s connection to the network, but this order was repealed in 2017. “CPNI,” Electronic Privacy Information Center.

15 In Carpenter v. United States, the U.S. Supreme Court addressed the application of Section 2703 of the SCA to cell phone location data. The Court held that a warrant was required to obtain seven days of historical CSLI from a suspect’s wireless carrier. Carpenter, 138 S. Ct. at 2206.

16 See, e.g., Alan Z. Rozenshtein, “Disease Surveillance and the Fourth Amendment,” Lawfare, April 7, 2020, https://www.lawfareblog.com/disease-surveillance-and-fourth-amendment.

17 This primer focuses generally on the federal statutory framework pertaining to the voluntary disclosure of cell phone location data to the government by entities that collect or maintain it. It does not, however, cover specific privacy protections available to children through the Children’s Online Privacy Protection Act (COPPA). Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6505 (2020). Neither does this primer discuss state law. Some states might have more rigorous data protections. For example, California’s Consumer Privacy Act (CCPA) provides consumers with the “right to know” information that businesses have collected or sold about them, a “right to opt out” of the sale of their personal information, and the right, in certain cases, to request that a business delete information collected about them. California Consumer Privacy Act, Cal. Civ. Code §§ 1798.105, 1798.100-1798.120 (2020). Geolocation data is included as a category of personal information subject to the CCPA. Cal. Civ. Code § 1798.140(o)(1)(G). Enforcement of the CCPA by the California attorney general is scheduled to begin on July 1, 2020. A coalition of civil liberties and consumer groups has called on the California Attorney General to investigate Grindr, Tinder, and other smartphone apps and ad tech companies for CCPA violations for sharing location data. ACLU of California et al. to Attorney General Xavier Becerra, “Re: Norwegian Consumer Council’s Report Demonstrates How the Adtech Industry Fails to Respect Consumers Rights and Preferences,” January 14, 2020, https://www.citizen.org/wp-content/uploads/CA-AG-Out-of-Control-NCC-1.14.20.pdf.

18 Jacob Hoffman-Andrews and Andrew Crocker, “How to Protect Privacy When Aggregating Location Data to Fight COVID-19,” Electronic Frontier Foundation, April 6, 2020, https://www.eff.org/deeplinks/2020/04/how-protect-privacy-when-aggregating-location-data-fight-covid-19.

19 See, e.g., “COVID-19 Forecasts,” Centers for Disease Control and Prevention, updated May 6, 2020, https://www.cdc.gov/coronavirus/2019-ncov/covid-data/forecasting-us.html; David A. Drew et al., “Rapid Implementation of Mobile Technology for Real-Time Epidemiology of COVID-19,” Science, May 6, 2020, https://science.sciencemag.org/content/early/2020/05/05/science.abc0473/tab-pdf; “Privacy-Preserving Contact Tracing,” Apple, accessed May 7, 2020, https://www.apple.com/covid19/contacttracing; and Steve Hendrix and Ruth Eglash, “Israel Is Using Cellphone Surveillance to Warn Citizens: You May Already Be Infected,” Washington Post, March 19, 2020, https://www.washingtonpost.com/world/middle_east/israel-is-using-cellphone-surveillance-to-warn-citizens-you-may-already-be-infected/2020/03/19/68267294-69e7-11ea-b199-3a9799c54512_story.html.

20 See, e.g., Courtney Linder, “This MIT App Tracks the Spread of Coronavirus While Protecting Your Privacy,” Popular Mechanics, March 18, 2020, https://www.popularmechanics.com/technology/apps/a31742763/coronavirus-app-private-kit-safe-paths; “Care19,” North Dakota Response, accessed May 4, 2020, https://ndresponse.gov/coronavirus-resources/care19; and “Healthy Together Beta App,” accessed May 7, 2020, https://coronavirus.utah.gov/healthy-together-app.

21 MIT Media Lab, “Safe Paths: A Privacy-First Approach to Contact Tracing,” Massachusetts Institute of Technology News, April 10, 2020, http://news.mit.edu/2020/safe-paths-privacy-first-approach-con-