By Ian Allen
On November 16, Vice News ran “How the US Military Buys Location Data from Ordinary Apps.” The story is what is sounds like: personal location information harvested from apps – including a Muslim prayer app with 100 million downloads – is being sold up a chain from app developers to location data aggregators to defense contractors who then provide the data to the US Special Operations Command (SOCOM). In recent years, the Washington Post, the New York Times, the Wall Street Journal, and others, have also investigated the use of these app data by law enforcement and advertisers. In more normal times (sans pandemic and Presidential election, for example) these stories might elicit a real public reaction and resultant changes in the law. After all, consider what’s happening: personal location data (anonymized, yes, but deanonymization is not prohibitively difficult) is being sent by commercial applications to data brokers who then sell this information on the open market. The fourth amendment, as Senator Wyden has noted, seems to have been sold. But there’s also another danger here: unethical use of mobility data will degrade its potential to save lives in the fight against COVID-19.
I’ve seen it from both sides. First, as a former Marine and former CIA officer, I understand well the operational potential of these data. The analysts and operators in SOCOM surely believe that they are using it to save lives, and it’s relevant that success in counterterrorism is a thing prevented; that proving success is proving a negative. Having spent seventeen years in counterinsurgency and counterterrorism, I’m intimately familiar with this feeling; with the costs of failure and the fragility of success. Failure is always looming. Success is when you get through another day and nothing has blown up. Then you get up tomorrow and do it again. This is an environment where any small advantage feels essential.
Now, I’m now the cofounder and CEO of a data analytics company. Since March we’ve been working with public health researchers to help build the infrastructure and analytics they need to better understand the impact of COVID-19. Location data has been an essential part of this effort. With geographically and demographically inclusive location data, researchers can better understand how different regions and groups are affected by the disease. These insights helped elected leaders allocate resources, evaluate social distancing restrictions, and manage school and business closures.
As we manage the return to school and work in the midst of this third wave, these data are more important than ever. Just as we’ve progressed far in the development of vaccines and treatment protocols, we understand far better how to manage social distancing restrictions. To avoid broad lockdowns, social distancing restrictions can be highly targeted based on predictive analytics – the kind based largely on location data. This can provide a scalpel rather than a broadsword, dialing interventions up and down rather than on and off, thus saving both lives and livelihoods.
What strikes me, however, is that the federal and state governments have been extremely reluctant to maximize use of these data. Imagine if al-Qaida had managed an attack that was just a fraction as devastating as COVID-19. There’d be no holds barred. Yet the cost of this disease has been hundreds of thousands of dead, unprecedented debt, millions of jobs lost, decades of progress toward equality at risk of being wiped away with kids out of school (given the vast disparity in-home resources between economically privileged and underprivileged families). Even without an attack by al-Qaida, there’s approximately zero chance that congress will restrict the military’s use of these data. What will congress and the Biden administration do to facilitate this capability for public health?
There’s a reason for this reluctance, of course. We’re deeply politically divided and public trust in technology companies is near an all-time low. Thus, it’s incumbent on tech leaders and elected officials to make the case for how the high-powered computers we all carry in our pockets can help stop the disease and restart the economy. Google and Apple have made a great start. In recognition that manual contact tracing is overwhelming state health systems, Google and Apple developed an Exposure Notification system. With this underlying technology, states are able to build apps that will notify people when they have been potentially exposed to COVID-19. More, the app doesn’t use location data; only proximity measurements made with Bluetooth Low Energy. Even so, only fourteen states and the District of Columbia have built an exposure notification app using this technology (Virginia, the only state with a doctor for a governor and former tech investor as a senator, was the first). Also, there’s nothing on the horizon from the federal government. To be ten months from the first COVID-19 fatality in the US and have almost no federal, and few state, technological tools to provide even minimal contact tracing support is a failure on many levels.
For analyses that require location data, there are researchers across the country – including the Harvard Institute of Quantitative Social Science – that are expanding the statistical techniques known as Differential Privacy; a mathematical approach that can protect individual privacy in these data sets while retaining statistical significance. Unlike many choices with technology since 9/11, COVID-19 is not forcing upon us a choice between privacy and security. We can protect civil liberties while also providing researchers and elected leaders with the aggregated data they need to fight this war on COVID-19.
But there are choices. If your state has the exposure notification app, use it. If it doesn’t, press to get one. What’s more critical is a national system that uses exposure notification and location data to understand where outbreaks are happening. This can provide decision-makers with the detailed insights they need to make highly targeted decisions about resource allocation and social distancing restrictions.
The complicating issue, of course, is lack of trust and deep political division. This was my first thought when I read that SOCOM was buying data from a Muslim prayer app: the optics are atrocious and the harm to these users is real. I also recalled the early discussions we had inside the company back in March: the disease was exploding and we felt an urgent need to build the analytical tools that researchers desperately needed. However, we also knew that we’d be establishing precedents for how location data is used to support public health analysis. As we put it then: setting a bad ethical and policy precedent now would risk the long-term public support of this type of analysis. This, in turn, would limit the tools public health researchers needed, and risk lives in the long run.
Which is to say that trust between researchers, tech companies, policymakers, and the public is essential to defeating COVID-19 (and the next pandemic, to say nothing of how this data can be used to plan for and respond to natural disasters and climate change). We should recognize that the use of commercially procured personal location data represents a kind of informal social contract. Companies should recognize that there is only so much social equity with this data. If we are going to spend that equity, we should be sure that we’re holding ourselves to the highest ethical standards and we’re applying these data to the most pressing issues. The use of these data in the name of counterterrorism as Vice News described does not meet the standard. If we are to choose between that and COVID-19, the data point to a clear decision.