In a Pandemic, Data Privacy Goes Out the Window

What you need to know about your privacy as the coronavirus spreads

Photo: ATTA KENARE/Getty Images

In most circumstances, the Centers for Disease Control and Prevention (CDC) is a pretty benign organization. Sure, it gets all the cool toys — Biosafety Level 4 labs, high-powered electron microscopes, and the like. But most of the time, the scope of its activities is limited to such niceties as compiling flu statistics, publishing beautiful scientific images, and reminding you to wash your hands.

During a pandemic like the current coronavirus outbreak, all that changes. The CDC, as well as state public health departments, take on remarkably broad powers. Public health officials can detain you, force you into quarantine, and even search your phone, read your emails, and access your personal data.

To understand the CDC’s authority, it helps to take a brief step back and consider the laws surrounding public health in the United States.

Public health officials can detain you, force you into quarantine, and even search your phone, read your emails, and access your personal data.

Like much of the U.S. legal system, public health law is a tangled web of federal, state, and local regulations. The CDC is a federal agency. That means it gets much of its authority from the U.S. Constitution. That gives the CDC some broad powers. The agency can, for example, quarantine people entering the United States or traveling between states. This was laid out in the 1944 Public Health Service Act. To exercise its authority, the CDC requires an executive order about a specific disease, which then-President Barack Obama gave for coronavirus in 2014 and which was reinforced by an order from President Donald Trump in January.

Beyond that, the CDC can also quarantine and investigate people who are already in the United States. This was established in the same 1944 act, based on the (reasonable) concept that an infectious person could affect citizens in multiple states.

On top of the CDC’s powers, states’ public health authorities have even broader ones. These legal authorities allow state governments to take action to protect the public even if they restrict the freedoms of individuals. In practice, when a pandemic disease is actively spreading, these state and federal divisions break down. Most state and local authorities have zero desire to handle pandemics on their own. They almost always bring the CDC in for help, allowing it to operate under its broad police powers.

So what, exactly, does this tangled web of powers actually allow public health officials to do?

Quite a lot, it turns out.

The best way to understand public health officials’ vast power during a pandemic is to go straight to the source. The CDC’s Field Epidemiology Manual has an extensive section educating investigators on the myriad things they can do to stop the spread of disease. These include (emphasis added):

Obtaining clinical specimens and data from persons affected by an outbreak; obtaining data from healthcare facilities; collecting environmental samples; protecting the privacy of personal information; and implementing and enforcing control measures, such as vaccination, chemoprophylaxis, quarantine, or even seizure or destruction of private property.

Public health authorities would presumably be within their powers to not only seize your phone and search it if they felt this was necessary to stop the spread of disease but also to destroy it (or any of your other property). They could also presumably obtain data on where you’ve been, either from your devices, your ISP, or a third party like Google. In short, during a pandemic, data privacy goes out the window.

Why would they need this data? One of the core strategies for stopping a pandemic is contact tracing — taking an infected person, finding anyone they came into contact with, and either vaccinating those people or isolating them until the risk of infection has passed.

If people refuse to cooperate, there are ways of forcing them.

In previous pandemics, this was accomplished through a meticulous review of a person’s movements with old-fashioned boots-on-the-ground investigations and interviews. Today — when nearly every American citizen carries a device that leaves a breadcrumb trail tracking their every movement — much of this work could likely be done digitally by mining an infected person’s data.

The manual makes it clear that most people cooperate voluntarily with public health investigations. But it’s also equally clear that if people refuse to cooperate, there are ways of forcing them:

If an investigator meets with resistance, state and local public health officials may need the assistance of their general counsel or their state’s attorney general for such actions as applying for a court order to compel an entity (or individual) to grant investigators access to premises or records.

That’s a friendly way of saying that public health authorities are just one court order away from obtaining almost any data they want about you.

Technically, that’s nearly always the case. The police or another state authority can access your data via their police powers by getting a court order. But there are some major differences, too. For one thing, under normal circumstances, most people under investigation have at least been accused of a crime. Those under investigation during a pandemic have likely committed no crime — they just had the unfortunate luck to get sick.

There’s also the question of who’s doing the investigating. Police agencies deal with investigations all day long. They have the experience and training to understand the nuances of search and seizure laws, the procedures in place to protect data and evidence, and existing regulatory bodies to provide scrutiny and constitutional pushback.

Public health authorities, in contrast, are likely less prepared to conduct involuntary searches. It’s just not in their normal mandate. And while they do have experience protecting sensitive patient data for research, how well versed are they in procedures for safeguarding data and other sensitive evidence gathered during an investigation?

It’s also unclear how they’d handle unrelated information (like evidence that a sick person had acted as a whistleblower or committed some unrelated crime) while searching through data for public health purposes.

There’s also the problem that pandemics don’t exactly bring out peoples’ rational sides. The manual makes it clear that authorities still have to follow the Constitution during their investigations:

In the exercise of its public health police powers, a state must use the least restrictive alternative that will achieve the state’s interest, particularly when the exercise involves limitation of an individual’s liberty. The standard used to determine that a government’s exercise of its public health police powers is appropriate is whether the government action is necessary, uses reasonable means, is proportional, and avoids harm.

But when people are in a full-blown panic over a new virus that’s spreading rapidly, the definition of “necessary” may get a whole lot broader.

It seems reasonable that authorities would check the location records of a person with coronavirus to see where they might have contracted the illness and to notify those who may be at risk. But should they also search the records of their friends and other close contacts? What about those peoples’ contacts?

With a fast-spreading virus, it’s all too easy to start by placing a net around a single patient. It could ultimately expand to encompass everyone potentially at risk — the whole populace.

Knowing where to draw the line requires a fine reading of the Constitution and a nuanced understanding of the balance between societal good and personal freedom. It’s unclear who might be willing to do that kind of fine reading during a serious pandemic.

To their credit, public health authorities are well aware of the importance of public buy-in during investigations. In a well-publicized event in 2014, a Spanish nurse’s dog was euthanized when she contracted Ebola. She woke up from days of agonizing recovery to learn that her dog was dead. Authorities were concerned that it could spread the virus, so they killed it. In contrast, when an American nurse came down with Ebola, her dog was cared for 24/7 in a special containment facility and ultimately returned to her unharmed.

This wasn’t done just for touchy-feely good press. Authorities know that many people would die to save their dog. If an infected person knew that coming forward would place their pet at risk, they might keep quiet about their condition, even if it put their own life and the lives of others in danger.

So authorities take steps like placing dogs in elaborate quarantines. These kinds of good-faith measures increase the chance of infected people coming forward, allowing authorities to treat them and protect the public. The same dynamics could apply during a pandemic, with officials taking a compassionate approach to avoid alienating their citizens.

Or they could not. Depending on how coronavirus develops, authorities may quickly be overwhelmed by cases. Niceties like quarantining dogs might be replaced with a more iron-fisted approach: grab the data, trace all your contacts, and ask questions about constitutional rights once the virus has been contained.

So far, most coronavirus victims are cooperating with authorities. But already, some are pushing back. One person who was evacuated from Wuhan and quarantined at Travis Air Force Base in California asked to leave. California authorities quickly issued an order forcing her to stay against her will. This will almost certainly happen again if the virus continues to spread, with more patients being held and investigated against their wishes.

That brings up the question of whether this is the right pandemic for public health authorities to begin exercising their broad powers. The novel coronavirus is scary and a very serious threat. But it only has a marginally higher mortality rate than the seasonal flu, which kills up to 60,000 people in the United States each year.

If authorities take a heavy hand now — and compromise rights like data privacy that citizens have spent years fighting for and safeguarding — the public might be less willing to cooperate voluntarily during a future pandemic. If a more deadly pathogen emerges in the future, this reluctance and wariness could cost lives.

The erosion of data privacy could also persist beyond the pandemic itself. The war on terror was originally launched as a response to the September 11 crisis, but it has persisted for decades, with legal authorities extending well beyond their original goals.

At the moment, there’s no evidence that public health authorities are abusing their broad powers. But the coronavirus has just begun to spread in the United States. This is an election year. There will be intense pressure from both sides of the United States’s divided political landscape for officials to act decisively and visibly.

The United States is not an authoritarian state. Our personal freedoms are among our most cherished assets. Public health officials should do everything in their power to stop the spread of the coronavirus — that’s their mandate. But in doing so, they must also safeguard the personal liberties that make our country worth protecting in the first place.

Co-Founder & CEO of Gado Images. I write, speak and consult about tech, privacy, AI and photography. tom@gadoimages.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store