Heather Federman, the vice president of privacy and policy for BigID, says it's unclear how long these pandemic-era privacy incursions will remain in place. (Courtesy photo)

Back in January, if a tech giant asked consumers if they wanted to share their location data and health status with strangers, or an employer asked workers to take daily temperatures, many folks probably would've told them to shove off. But as the U.S. death toll from the coronavirus pandemic passes 80,000, more Americans might prioritize public health and put aside a distrust of Big Tech and everyday privacy intrusions.

Heather Federman, the vice president of privacy and policy for BigID, which uses machine learning to help companies protect their customer and employee data, says it's unclear how long these pandemic-era privacy incursions will remain in place.

"I've stopped using the words 'going back to normal,' because I don't think we're going back to whatever it was before," she said.

Federman, a lawyer by training who began her career at the Future of Privacy Forum as a legal and privacy fellow, and led privacy teams at Macy's and American Express, shared her thoughts on the legal and privacy implications of contact-tracing apps and other data-centric initiatives used to flatten the curve.

Answers have been edited for length and clarity.

What are your thoughts on Apple and Google's proposal for a contact-tracing app?

I have mixed feelings about it. On one hand, these companies feel like they have to do something. On the other hand, there's still a lot of questions as to how this will work. One interesting positive is that this is the first time you've had two major competitors coming together to create a system that is interoperable. That's something we're seeing pop up in various data protection laws—the ability to import your data into another system. This happens to be an interesting example of that actually happening. It does seem that they're trying to do their best to make this as privacy preserving as possible. We're using Bluetooth technology, they're trying to collect as limited information as possible. It's decentralized, so rather than it being on a central server, it is on your device. So while there are some governments taking issue with that, that is a step in the right direction.

I think the other question is yes, you're able to consent to this, but how likely is it that you're actually going to have enough users adopt this? And from what I'm seeing, you need at least 60% of the population to adopt it.

What are you most concerned about with these contact-tracing apps from a privacy perspective?

I think my biggest concern is I've been doing a lot of comparison to the Patriot Act after Sept. 11. We had something that was a limited provision, because we were all freaked out, and understandably so. But [for] something that was supposed to be sunsetted back in 2005, it's still up for renewal. That's my concern for something like this. Apple and Google have said they want the data to be destroyed, but at what point is it actually destroyed? Is it once we're all vaccinated?

One challenge these contact-tracing apps encounter is how to responsibly reuse data from a privacy perspective. What are the major hurdles with this?

I think the reuse of data has always been an issue in the privacy world. This pandemic has exacerbated that issue because it's really front and center when we're dealing with location and health data. And the answer is unfortunately it's not clear, which brings us back to the trust issue. If it's not mandated that we do this, what's going to allow me to trust you that you're not going to use this for a secondary purpose. If you want me to be part of that 60% that's opting in, then I better know that you're using this for a limited purpose and you're only going to be using it for a limited amount of time. And I don't have those assurances yet. And that's the part that scares me, and I think scares a lot of people.

Do you anticipate any litigation stemming from these apps?

Probably. We're a litigation-happy country. Hypothetically, it could come into play if we're dealing with a false positive because Bluetooth has certain limitations. So, let's say you get a false positive that you were notified you might have COVID-19, and you need to stay at home, but it turns out you didn't have it. You could sue for losing pay for that period because you had to stay at home. I'm not quite sure how you prevent the liability issue. They're working with public health officials, so they could potentially tell those officials, "It's up to you to be the face of this and if someone is suing you, they're not suing Apple or Google as the third-party provider. They're suing you, the public health officials."

What are you hearing when it comes to contact tracing in the workplace and other measures that could get employees back to work but potentially infringe privacy?

I'm on group chains with different privacy practitioners, and they're all asking, "How do we do this in a way that we can allow people safely back in the office without totally going overboard." I think that's also very unclear at this moment. Temperature checks seem to be popular right now, but the problem with that is you can be asymptomatic, so I think that's going to be a concern. The concern is how much is too much. The temperature check is one thing. But what happens if they start monitoring your web-browsing activity to see if you're googling "Do I have COVID?" I don't know if we're crossing into that territory, but most employers when you get onboarded say that we can monitor any of your work devices. We're already seeing stuff around employee monitoring.

I'm also seeing a daily survey that employees have to complete before they go in. And it's not just about the employee, but the people they have close relationships with. That's not just implicating you, but your family. One way to handle that data is to segregate that information in a separate database, versus your regular HR data, and only touch that data when necessary.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Alaina Lancaster

Alaina Lancaster, based in San Francisco, covers disruptive trends and technologies shaping the future of law. She authors the weekly legal futurist newsletter What's Next. Contact her at [email protected]. On Twitter: @a_lancaster3