COVID-19 & Privacy: here's how contact tracing works in this city of 600,000 people
We tackle some privacy issues surrounding COVID-19 contact tracing and explore the city of Milwaukee's present protocols. It's not as scary as it could be.
During the COVID-19 pandemic we’ve seen a wide range of contact tracing capabilities, ranging from more manual phone call and interview-based methods all the way to national security level surveillance tools being repurposed in the name of public health.
We submitted a formal data request with the City of Milwaukee’s Health Department to better understand how the city of almost 600,000 residents conducts its contact tracing methods, and assessed its impact on privacy.
Milwaukee relies on a manual interview-based method for contact tracing, which is minimally privacy invasive and doesn’t appear to infringe on civil liberties. We’re relieved it’s not as scary as it could be.
Keep calm and carry on (please)
Our new normal *eye roll complete* entails dealing with a virus we do not entirely understand, and which has contributed to significant social stress across the political, economic, and other domains. Our sole interest here today is learning more about how COVID-19 policies and the technology used to monitor the virus’ spread impact individual privacy.
Specifically, we wanted to learn more about how mid-sized cities were coping with present conditions and submitted a formal data request with one such city, Milwaukee, to better understand how the city of almost 600,000 conducts its contact tracing. Why contact tracing? The greatest risk to individual privacy and security is posed when emotions run high and governing bodies scramble to provide some semblance of a coherent response to a threat — social contract theory at its most obvious.
Part of the impact on individual privacy during public health emergencies is how governmental bodies set, enforce, and monitor adherence to public health policies designed to protect their populations and contain the virus, of which contact tracing is an often key component. For that same reason, we analyzed the city’s enforcement policies for establishments that violated health department policies for social distancing and mask wear (but that’s for another time while we process the data).
Of note, we’re deliberately staying away from any other inferences outside the narrow privacy scope that could be found elsewhere in the public discourse (say, politics or social justice). Repeat after me: we’re just here for the privacy.
Contact tracing: not all methods are created equal
We have to wax slightly philosophical for a moment: Governments feel they cannot very well be seen by society as remaining inactive during a public health emergency. As such, many states (nations) have sought to repurpose existing tools, methods, processes, and systems from a smattering of domains and industries in ways that provide a more timely response to perceived demand for action. Given that viruses spread from person to person (i.e. through personal contact), logic follows that a governing body’s ability to conduct contact tracing of infected individuals would offer valuable insights into the spread of the virus. Enter the solution of contact tracing as a potential method by which to monitor and “manage” the pandemic.
While far from a perfect parallel, it so happens that certain matters of national security also entail tracking and monitoring connections and contacts among individuals to better inform a desired endstate, aka hunting bad guys. The thread leading to the death of Usama bin Laden (UBL), for example, came about by monitoring known or suspected Al Qaeda operatives and discovering the identity of UBL’s courier, who eventually led the intelligence community to the compound in which UBL was hiding (spoiler alert it didn’t end well for him). In this basic comparison, we quickly see how various surveillance tools or methods of spycraft possess a similar potency and know-how required to monitor a similarly amorphous, complex, dynamic adversary (in this case, a virus as opposed to a terrorist network).
It is thus governments across the world have arrived at various points along the pandemic response spectrum, specifically with contact tracing. Israel, for example, turned many privacy and civil liberty heads when it enlisted its domestic spy agency Shin Bet to assist the Ministry of Health (MOH) in using surveillance tools that provide “tracing assistance” to the MOH. In order to reduce the virus’ spread, Shin Bet spied on its own citizens’ cell phones to obtain users’ identification, location, and communication — apparently only excluding actual call content (which doesn’t say much, given spy agencies don’t necessarily need to hear actual call content when so much else is already available). All perfectly legal due to the extenuating circumstances.
Thailand is another example of an aggressive governmental response, where citizens are encouraged to download a government-run smartphone application that sends Bluetooth and GPS location data to a central server used for contact tracing and notification. In Singapore, where a similar method is being employed, police have already been granted legal powers to repurpose COVID-19 contact tracing data to assist with criminal investigations. It’s a slippery slope.
Okay so what about this city you mentioned?
Take a deep breath and relax your death grip on the coffee mug (or tea if you gave up coffee for Lent): Despite the doom and gloom of state or corporate surveillance tools and methods being leveraged for contact tracing, our exemplar city of Milwaukee thankfully does not appear to conduct its contact tracing in any manner similar to our more aggressive examples. Rather, it relies on unscary manual (human) interactions to conduct its contact tracing and disease surveillance, which is what we’re diving into next.
When you’re a threat to public health
As with all viral transmissions ever *we are not epidemiologists*, interruption of the COVID-19 virus transmission in communities is premised on early detection and prompt isolation of new cases. It thus falls to health care providers to report to the requisite authorities any instances of someone they treat or visit who has a communicable disease — that’s per some Wisconsin Department of Health legal code for the control of communicable diseases that’s been around for a while.
The reasoning? Wisconsin’s Department of Health Services (DHS) has a series of codified disease categories based on their severity of threat to public health. COVID-19 is in Category I, containing diseases that are of “urgent public health importance”, which require immediate notification by the patient’s local health officer to DHS. In addition to the immediate report, the case must also be reported electronically through a disease tracking system named (it’s a mouthful) Wisconsin Electronic Disease Surveillance System, or WEDSS.
Said plainly, when someone visits a health care facility or clinic, and is found to test positive for (or suspected to have) the virus, it is obligatory to report this information for the common good. And so far, that’s entirely reasonable. Who doesn’t want to contribute to the common good by way of public health tracking of communicable diseases?
Once you’re in the system
Once an individual is reported into WEDSS, we can begin to assess impacts to their privacy. This is our entry point into the privacy arena (keep in mind this is well within the scope of HIPAA so you are also afforded those protections). For starters, WEDSS is simply a secure, web-based case management system. It allows public health officials to report, investigate, and surveil communicable diseases in the state. It’s used by public health staff, infection control practitioners, clinics, labs, and others.
Why is it used? Because no one wants to manually input thousands of data entries into a single spreadsheet, or worse, do it by hand (at least we don’t). Really though, having an electronic system saves time, allows DHS to communicate with the correct health department based on a patient’s address, allows information to be shared securely, and reduces paperwork — which we’re all about.
WEDSS (and other systems like it), are a form of “integrated surveillance information system” used by public health departments. It’s also the primary source of data for a national level disease surveillance system, which transmits data to the CDC. And despite the word dirty word surveillance being used in the name, this is simply a common industry term for the monitoring of infectious and communicable diseases. So please remain calm.
I’m only here for the contact tracing
Once you’ve been entered into the system by a health officer, we take a step closer to contact tracing — but don’t think the boogeymansuddenly has all your data and knows where you hide your stash of Swiss chocolate in the closet (weird place, by the way, but we won’t judge).
In order to access WEDSS, you need a special account, in addition to training and demonstrated understanding of HIPAA laws and the WEDSS system itself. From the official documents and checklists shared with us by the city of Milwaukee, we can attest that no person with an iota of self-preservation instinct would actually want to go out of their way to use this system (it’s for government use, after all, so it can’t be too user-friendly).
And finally, contact tracing: once you’ve been identified as a positive or suspected COVID-19 case, a trained contact tracer will call you and have a basic chat about your plans for isolation, some quarantine recommendations, ask how you’re feeling, and other such matters. These calls are made with care to ensure you know it’s not a scammer or other criminal calling, which we really appreciate from a security and risk perspective. To ensure your security, DHS ensures that their staff does the following:
[DHS] staff will always identify themselves as representatives of the state or a local public health department and verify who they are talking with on the call—before they even begin to talk about contact tracing. Once they verify who they are speaking with is the right person, they will explain why they are calling. While [the DHS] contact tracer will say you have been exposed, they won’t identify the person they were in contact with or where it might have happened.
That all sounds fine and well, but for what will this contact tracer ask you? For starters, never your Social Security number, credit card info, or bank account numbers — because that’s sketchy and an instant trip to privacy jail. What they will ask for is: your name, address, phone number, email, gender, race, and whether you have any symptoms. That’s all the data they will ask you for (really, that’s it).
And before we object and say that we don’t want the government having any data of ours whatsoever, let us be mindful that this is information absolutely already is residing in the public record (with or without the government’s help) that can be accessed with a few basic searches.
Indeed, we can discover, explore, and query far much more in half the time it probably takes to make a contact tracing call, to include: personal and work emails, home addresses, legal or court records, criminal history, account passwords, relatives, dates of birth, professional history, your personal vehicles, drivers license number, and more. So from a data collection and privacy standpoint, the objective privacy impact of this data being confirmed by an official public health representative for the sole purpose of communicable disease monitoring in a secure and internal system is all but moot — and we’re quite pleased about that.
How do they know who I talked to and who to call next?
We’re glad you asked. According to official checklist documents shared to us by the city, the contact tracer will conduct an interview during their phone call. It’s here that the manual process of contact tracing begins to impact other people (minimally).
During the contact tracer phone call, they will ask about all contacts you had during your “infectious period” (which is 2 days prior to when your symptoms first appeared). It’s here that you would tell them about any close contacts you had (anyone within two meters of you for at least 15min), and give them the names and contact information for those people, which are broken down by household, close contact, or events and gatherings.
Of course, you are operating only as effectively as your memory and recollection permits here. We, for one, can’t remember what we had for breakfast and therefore may struggle to recall everyone we’ve been in close contact with X number of days prior — but that’s just us. Regardless, these are the people who get notified they came in contact with someone that has the virus. But remember, even these contacts don’t get told who it was they came in contact with, for your privacy protection. Another privacy-conscious move.
What about enforcing isolation and quarantine?
This part of public health disease management is slightly more vague, but we do have some information. During your call with the contact tracer, you will be asked about isolation and quarantine, while agreeing to self-monitor for symptoms, your isolation, and other such matters. In short, the government and public health system is trusting you, the individual, to take matters into your own hands and be a responsible adult. This pleases us.
In the event you felt for whatever reason compelled to verbally tell the public health official you did not intend to enter isolation (friendly reminder to please pick your battles), the city’s health department has a partnership with the Milwaukee Fire Department, who would deliver isolation orders to you with the legal authority granted to the health officer by the state. We’re not entirely sure what that orders delivery process looks like, but even at this point — when an adult refuses to be reasonable and responsible for themselves — there still is a minimal threat to your privacy and security. It’s the Fire Department, after all. Those guys are awesome and true public servants.
Stay healthy out there
And that’s about the size of it. This is the full extent, from our research, analysis, and processing of publicly available data — including official data requests with the city — to understand and explore contact tracing in Milwaukee as of early 2021. If you’re underwhelmed or were expecting more, that’s a very good thing, because our assessment is that the “manual” phone call method of contact tracing is appropriate, proportional, and fitting to the requirement to monitor and surveil a communicable disease that poses an urgent threat to public health. No methods known to us at this time infringe on individual privacy as we’ve observed elsewhere, and this method does not come anywhere close to the national security methods used that we explored earlier, such as those of Israel, Thailand, or Singapore.
Naturally, different cities and locations have different resources, leadership, and methods in play. Certain cities or governments require a phone application be downloaded to assist with contact tracing (typically using Bluetooth signals which are great for proximity stuff, like marketing), which is another viable option. Similarly, anyone with an iPhone may have noticed that Apple pushed an iOS update within the past few months that provided your device with the ability to be used for Bluetooth contact tracing, although this feature is in the user’s control and requires your permission (and a public health authority to report data to) in order to function. Meaning, please remain calm as it’s under your control and non-functional until you turn it on (reminder to check your settings).
As we process the remainder of data available to us, stay tuned for a glimpse into the city’s enforcement policies for mask wear and social distancing in local establishments such as bars and restaurants. We have some limited data available to us that allows us to infer basic observations of the virus’ impact on local small businesses and their operations.
Go forth in privacy.
Enjoy this article? Brief your friends, colleagues, and others (including grandmothers, who are avid consumers of our insights). Have a tip or article you want us to cover? Send it our way by leaving a comment below.
We are an informal publication of Signature Management Unit, a private intelligence, risk, and security firm from Milwaukee, Wisconsin.
An additional yet critical aside: if you’re worried about invasive privacy, corporate surveillance is your actual boogeyman. While governments do possess significant surveillance capabilities, they also suffer under extensive oversight and bureaucracy. Corporate surveillance is far less regulated and far more motivated by profit.