Apple and Google recently announced they will jointly launch digital contact tracing tools to combat COVID-19. Their Bluetooth technology will allow Android and iOS phones to communicate and track when individuals pass within six feet of someone who tested positive for the novel coronavirus. Apple and Google are not alone. Around the world, countries including the UK, China, Taiwan, and South Korea have implemented comparable programs.
While these steps appear desirable, they raise serious risks for autonomy, privacy, and data security. The information collected could be used for commercial purposes, hacked by cybercriminals, or used to discriminate against individuals with COVID-19 or other health conditions. Moreover, it is difficult to establish whether the apps are beneficial — and surveillance methods implemented now may persist long after the pandemic subsides.
To address these concerns, Apple and Google promised there will be “strong protections around user privacy” and emphasized that transparency and consent “are of utmost importance.” However, tech companies have repeatedly failed to protect user privacy and security; the time to rely on privacy legislation and industry self-regulation has passed. Instead of those top-down approaches, which privilege legislators, lobbyists, and tech companies over individuals, we argue for a bottom-up approach.
State and federal lawmakers should create a right to digital self-defense ensuring that Americans can freely use anonymity, privacy, and cybersecurity tools to shield themselves against widespread and relentless data collection by private and public actors. Some examples of these tools are the Tor Browser, virtual private networks (VPNs), personal servers such as the FreedomBox, and low-tech solutions such as clothing that disrupts facial recognition.
There are many more available tools of digital self-defense, and not all of them will be relevant to COVID-19 apps; nevertheless, recognition of a right to digital self-defense may serve as a catalyst to the development of new tools, covering different platforms, operating systems and scenarios.
While some of these tools are widely available, their use often comes at a cost. Specifically, people who adopt them may be subjected to increased government scrutiny. On the public side, for example, the FBI used spyware to track Tor users’ activity. Whether such surveillance constitutes an illegal “search” under the Fourth Amendment remains an unresolved legal question. In this context, people may wish to protect their privacy and cybersecurity even if they have committed no crimes.
On the private side, platforms such as Netflix and Hulu often refuse access to people who use these tools of digital self-defense. Some platforms, including Google, penalize users by requiring them to complete time-consuming CAPTCHAs that train the company’s algorithms to identify objects such as street signs and fire hydrants. These mechanisms frustrate users and encourage them to sacrifice privacy for easier access to services.
The right to digital self-defense may find support in the Bill of Rights, which was designed to protect states and their citizens from government tyranny. In the information age, we are witnessing the emergence of a new oppressive force — digital tyranny, where tech companies threaten our privacy and security through widespread surveillance, profiling, and manipulation. They often work with federal agencies through public-private partnerships, such as the collaboration between Amazon Ring and up to 400 law enforcement authorities.
Public-private partnerships — including those directed at COVID-19 tracking — can excuse federal agencies from respecting individual rights and freedoms because tech platforms conduct the surveillance, and most constitutional protections provided by the Bill of Rights do not extend to these private actors. Once the data is obtained, they pass it to their government partners. But the Bill of Rights is of limited effectiveness in the information age if it doesn’t also extend to technology companies.
Some may argue that a right to digital self-defense is unnecessary because people can always choose not to opt in to a contact tracing program. However, this criticism is rooted in outdated notions of consent. Tech companies have a history of using deceptive methods to influence people’s choices. They use deceptive choice architecture to nudge people to consent. Besides, some surveillance programs are not optional; China’s mandated contact tracing app Health Code controls where citizens may travel, and U.S. programs could shift in that direction.
Others might contend that a more desirable approach is to demand that tech companies take privacy and security more seriously. However, platforms have no obligation to implement safeguards beyond what the law requires, and U.S. privacy laws are inadequate and overly susceptible to influence by industry lobbyists.
A federal right to digital self-defense can serve as a foundation on which state lawmakers can build. For example, the Health Information Portability and Accountability Act (HIPAA) sets a national floor for health privacy, and states can pass their own laws that provide protection above and beyond what HIPAA mandates.
Alternatively, states could establish the right to digital self-defense on their own by statute and incorporate it into their constitutions. In states where citizens can pass their own laws through ballot initiatives, such as California and Alaska, the right could be implemented by the people, thus bypassing state legislatures and stifling lobbyist efforts to water down legislation.
The COVID-19 pandemic is a public health emergency, but widespread surveillance carried out by private actors is not the solution. Given Big Tech’s track record, the social cost of widespread surveillance likely outweighs potential benefits, especially if tracking persists beyond the pandemic.
Lawmakers should codify a right to digital self-defense and encourage Americans to use anonymity, privacy, and cybersecurity tools to ensure that their privacy and security are not threatened by digital tyranny.
Ido Kilovaty is an assistant professor of law at The University of Tulsa College of Law, visiting faculty fellow at Yale Law School’s Center for Global Legal Challenges and an affiliated fellow at Yale Law School’s Information Society Project. He was a 2028-2019 Cybersecurity Policy Fellow at New America.
Mason Marks is assistant professor at Gonzaga University School of Law and an affiliated fellow at Yale Law School’s Information Society Project. In addition to a law degree from Vanderbilt University, he also holds an M.D. from Tufts University School of Medicine.