People

Companies' next moral crisis: How to track employees without invading their privacy

Nearly one-quarter of CFOs surveyed by accounting giant PwC said contact tracing was part of their office reopening strategy.

A photo illustration shows logos for coronavirus tracking apps

Before reopening offices, many companies will need to decide how to do contact tracing with employees.

Photo: Olivier Douliery/AFP via Getty Images

As tech companies grapple with how to reopen offices in the next phase of the COVID-19 outbreak, mobile contact-tracing systems seem like a perfect way for Silicon Valley to channel its data prowess to protect employees.

At least in theory.

In reality, the prospect of tracking workers' movements in case they contract the coronavirus — then potentially expose co-workers or customers — is raising difficult questions about effectiveness and privacy, according to industry leaders. It's another powder keg of risk and liability that businesses must navigate amid an unprecedented public health crisis as governments begin to lift shutdown measures.

Firms looking to invest in contact tracing will have to decide whether to create their own systems or mandate that employees opt into broader public contact-tracing efforts before they return to work. They'll need to decide how systems would integrate with their particular business routines, while balancing their responsibility to an individual employee's privacy against their responsibility to others.

Nearly one-quarter of chief financial officers surveyed by accounting giant PwC in late April said contact tracing was part of their office reopening strategy. But what form such efforts will take is an open question.

"Companies are going to find out that they're going to have to do contact tracing in one form or another. The question is going to be, what is the most efficient and private way of performing this task?" said Jay Cline, principal and U.S. privacy leader for PwC. "Employee privacy is the sleeping giant of the COVID-19 crisis. In order to meet the public health objectives, companies have to meet privacy objectives at the same time."

While Google and Apple are at the forefront of efforts to digitize contact tracing using Bluetooth technology, other groups are building their own systems, from researchers at MIT to central governments in South Korea, the U.K. and France. Opportunistic tech vendors are pitching localized offerings, like Nodle's app in Berkeley, and wearable device manufacturers are pitching in-office tracking capabilities. At the same time, companies are enlisting consultants and attorneys to evaluate whether it's worth investing in their own internal contact tracing systems.

The objective is to balance potential liability for spawning a COVID-19 cluster — as has happened at workplaces including meat-processing plants — with concerns about privacy and data security. Among the potential pitfalls are false positive reports, false negatives, over-collection of sensitive health data, and the loss of that data to hackers.

"It's still a huge question mark," said Matthew Damm, an employment law attorney at Fenwick & West. With few state-approved contact-tracing apps and no federal guidance on the issue, he's urging companies to pursue the "least invasive" methods possible.

The trouble with tracing

HP, which employs 55,000 people worldwide, has already reopened offices in China and elsewhere by emphasizing precautions for employees including wearing masks, getting tested for COVID-19, and submitting to touchless body-temperature checks, said Chief Human Resources Officer Tracy Keogh. Tech-enabled contact tracing, however, has so far taken a backseat.

"We're not doing any tracking of people," Keogh said. "Some of these tools are pretty invasive."

State and federal regulators, such as the Equal Employment Opportunity Commission, have issued emergency orders to ease some standards for employee privacy, including allowing temperature checks, which raise an assortment of other issues.

The alternative to digital contact tracing — interviewing people who come down with the disease, then notifying others who may have been exposed — is time-tested but time-consuming. PwC's Cline said that early data suggests it takes companies 11 hours of human resources work per infected employee to do manual contact tracing.

At UCLA, public health professor David Eisenman said apps could be a faster and more cost-effective supplement to public health departments reduced by years of budget cuts. "We do not as a country continue to fund public health," Eisenman said. "It's not a resilient system, whereas an app is scalable."

But at the University of California San Francisco, in Silicon Valley's backyard, researchers are building public contact-tracing systems that rely on manpower rather on than apps. The tech that Google, Apple and others are building could be useful not on its own but "in addition" to manual equivalents, assistant professor of medicine Mike Reid said during a public health update last week. Officials are focused on hiring and training thousands of people to call, text and provide social services information to those who may have been exposed.

"This is not a technology that we're using in San Francisco," Reid said. "There's really going to be no replacement for a large army of public health professionals that do this work."

Companies could choose to trust that any employees exposed to the virus will be notified through such public systems. However, different systems have different standards for what constitutes a "contact." Reid said people are only notified of a potential exposure to COVID-19 if they spend 10 minutes in "close contact," or less than 6 feet away from an infected person.

The data game

Last week, when Apple and Google released the first version of its new contact-tracing API, Samy Kamkar was among the developers to download and test the nascent system, which relies on anonymized Bluetooth proximity data. The co-founder and chief security officer of Los Angeles building tech company OpenPath was impressed by the privacy safeguards: User IDs frequently change, data is stored on local devices rather than a centralized database, and geolocation data is not collected.

But if tech workers opt into broader public contact-tracing systems, companies could find themselves at the mercy of self-reported data. "My biggest question right now is what prevents me from pretending I am infected if I'm not?" Kamkar said.

More challenges could arise if people are asked to submit to more than one contact-tracing app — perhaps one at work and one or more outside of it. More splintering, Samkar said, would mean more uncertainty. "I don't think people will want to use competing systems," he said, "because you're losing a ton of data, a ton of information."


Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.


At PwC, Cline and his team are advising companies wading into contact tracing to think carefully about how long data will be retained, who has access to information and how systems are encrypted. He noted that contact tracing is also closely related to the ability to quickly test for COVID-19, or eventually, antibodies from the virus.

"Companies can sit out contact tracing perhaps until more tests are widely available," Cline said. "That's one of the key components for app-based contact tracing to work the best — for a whole workforce to have been tested, or have tests readily available."

At Fenwick & West, Damm said contact tracing is just one of many ways COVID-19 has upended business as usual. "The idea of an employer taking an employee's temperature would have sounded absurd three months ago," he said. "It's certainly not a world that we're used to living in."

Fintech

Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
FTA
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.
Enterprise

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.

Enterprise

Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories
Bulletins