The 9/11 Playbook for Protecting Privacy

By Adam Klein and Edward Felten
·8 min read

The coronavirus pandemic will transform American life like no event since the terrorist attacks of September 11, 2001. The outbreak, it is now clear, will cause death and economic destruction far greater than 9/11, awakening us to the profound threat that pandemic disease poses to our well-being, economy, and way of life.

As after 9/11, government power is expanding to address this danger. The Centers for Disease Control and Prevention received $500 million to create a Covid-19 “surveillance and data collection system,” and the government is already relying on analysis of cell-phone geolocation data, provided by mobile-advertising companies, to predict where the disease may spread next. New ideas for health-related surveillance, from internet-connected thermometers to smartphone apps, seem to emerge by the hour.

The challenge, as always in times of national crisis, is to meet the emergency while preserving individual rights and our way of life. The 9/11 Commission, which conducted the definitive investigation of the 9/11 attacks, made various recommendations to achieve this balance. One of those new safeguards was the Privacy and Civil Liberties Oversight Board, on which we serve. The board, an independent federal agency, reviews counterterrorism programs to ensure that they are appropriately balanced with individual liberty.

Given the epidemic’s catastrophic dimensions, everything that can help, including using personal data to track and stop the disease, should be considered. As after 9/11, the question now is not whether new programs are needed, but how to implement them. How can we defeat the epidemic while preserving our privacy, liberty, and way of life?

All of these questions may become even more vexing after the pandemic crests, as government and private entities consider whether to condition access to certain jobs, public places, or events on whether a person has or may have the virus or, alternatively, has recovered and become immune to it. The steps needed to make such systems function effectively, in the presence of large and obvious incentives for people to lie about their status, could be quite invasive. Clear, binding rules governing any digital measures used to support such restrictions will be indispensable.

Our experience overseeing post-9/11 counterterrorism programs provides several lessons for how to achieve this balance in efforts to control the coronavirus. These basic principles apply whether governments conduct Covid-related surveillance programs on their own or in partnership with private companies.

Weigh the benefits of each collection and use of data against the risks.

Geolocation data—precise GPS coordinates or records of proximity to other devices, often collected by smartphone apps—is emerging as a critical tool for tracking potential spread. But other, more novel types of surveillance are already being contemplated for this first pandemic of the digital age. Body temperature readings from internet-connected thermometers are already being used at scale, but there are more exotic possibilities. Could smart-home devices be used to identify coughs of a timbre associated with Covid-19? Can facial recognition and remote temperature sensing be harnessed to identify likely carriers at a distance?

Each scenario will present a different level of privacy sensitivity, different collection mechanisms, different technical options affecting privacy, and varying potential value to health professionals, meaning there is no substitute for case-by-case judgment about whether the benefits of a particular use of data outweighs the risks.

The various ways to use location data, for example, present vastly different levels of concern for privacy. Aggregated location data, which combines many individualized location trails to show broader trends, is possible with few privacy risks, using methods that ensure no individual’s location trail is reconstructable from released data. For that reason, governments should not seek individualized location trails for any application where aggregated data would suffice—for example, analyzing travel trends to predict future epidemic hotspots.

If authorities need to trace the movements of identifiable people, their location trails should be obtained on the basis of an individualized showing. Gathering from companies the location trails for all users—as the Israeli government does, according to news reports—would raise far greater privacy concerns.

Establish clear rules for how data can be used, retained, and shared.

Once data is collected, the focus shifts to what the government can do with it. In counterterrorism programs, detailed rules seek to reduce the effect on individual privacy by limiting how different types of data can be used, stored, and shared.

The most basic safeguard is deleting data when it is no longer needed. Keeping data longer than needed unnecessarily exposes it to data breaches, leaks, and other potential privacy harms. Any individualized location tracking should cease, and the data should be deleted, once the individual no longer presents a danger to public health.

Poland’s new tracking app for those exposed to the coronavirus illustrates why reasonable limits are essential. The Polish government plans to retain location data collected by the app for six years. It is hard to see a public-health justification for keeping the data that long. But the story also illustrates well how a failure to consider users’ privacy can undermine a program’s efficacy: the app’s onerous terms led at least one Polish citizen to refuse to download it.

The rules governing these programs should also make clear whether, and with whom, data can be shared. The intelligence agencies that we oversee call this “dissemination,” and operate under complex rules that limit when sensitive information can be shared with other agencies or external partners.

Measures taken by other countries in response to Covid-19 illustrate why such limits are important. South Korea published online the location trails of people diagnosed with the virus. While this may be help others determine whether they were exposed, it is also a significant infringement on privacy; the “anonymized” location trails were easily de-anonymized by combining patterns of movement with publicly available data, such as home addresses.

There are other ways in which data collected for health purposes could have a second life. Could potentially incriminating location data collected for Covid purposes be shared with law enforcement or tax authorities? Will government or academic researchers be given access? If a person’s movements involved international travel, could the data be shared with foreign governments? Americans should know in advance whether personal data collected to fight Covid-19 may be diverted to other uses.

How long will new programs continue?

Covid-19 will not last forever. Neither should emergency measures undertaken to stop it. American history offers many precedents for limiting crisis powers to the duration of the emergency. During the Second World War, for example, Congress enacted various measures that, by their terms, were valid only during the “present emergency” or “for the duration of the war.” After the war, these measures lapsed as the need for them passed.

Alternatively, Congress may consider creating a new set of permanent legal authorities that specifically authorize the government to collect and analyze electronic data during disease outbreak emergencies. Any such framework should contain mechanisms for triggering those powers in future epidemics, periodically reconsidering whether they are still needed, and shutting them off once each outbreak ends, to ensure that they are used thoughtfully and only for their intended purpose. It should also include clear limits on sharing, retention, and use of data, including whether data can used for non-health-related purposes.

Transparency is vital.

Perhaps the most important principle is that governments and cooperating companies from the private sector should be explicit about what they are doing and why. Most importantly, what is the public-health justification for each activity, and what are the implications for privacy and civil liberties? Those responsible should clearly explain precisely what type of data is at issue, and who will perform any needed aggregation or other privacy-protective technical steps. Where surveillance programs are designed based on incomplete information or predictions that may change over time, officials should explain the basis for the chosen path forward and what facts might lead the government to change course. And if the government attempts to compel companies to hand over user data, it should explain publicly what legal authority it is relying on.

Ordinarily, Congress and state legislatures have primary responsibility for overseeing executive agencies at their respective levels of government. Social distancing measures, however, may make convening to conduct oversight difficult for the foreseeable future. For that reason, complete transparency is vital. Public disclosure of which agencies are conducting Covid-related surveillance, what data they are collecting (and why), which private partners are involved, and what rules apply once the data is collected will enable independent experts (working from home, of course) and the media to provide needed accountability. Public scrutiny could identify shortcomings and suggest potential improvements—or, alternatively, confirm that the programs being launched are necessary, thoughtfully designed, and as solicitous of privacy as possible. Alternatively, the government could convene a bipartisan panel of experts in health, technology, and law to provide independent views on Covid-related surveillance, as our board does for counterterrorism programs.

For the intelligence agencies we oversee, transparency is inherently difficult—without significant secrecy, their operations would fail. Since 2013’s Snowden leaks, however, U.S. intelligence services have worked to rebuild trust by providing an unprecedented level of information about what they do, and why. If the NSA and CIA can do this, we should expect much more from public health agencies.

Americans should remember that every choice in this area entails a tradeoff against some other cherished value. Large-scale use of location information by the government would unquestionably infringe on individual privacy. But other measures already being employed by the government to fight Covid-19, including the near-total prohibitions on public movement already in force in many states, constrain our lives even more. Many Americans would prefer a carefully designed, rigorously overseen program of epidemic surveillance to long-term physical lockdowns, if public-health experts determine that only one or the other will do.