A chief critic of the tech industry's attempts to track coronavirus patients went to work and held meetings with employees after his doctor directed him to take a test for COVID-19 that subsequently came back positive.
Marc Rotenberg, the president and executive director of the Electronic Privacy Information Center in Washington, D.C., acknowledged in a memo to his staff and his board that he should have quarantined and alerted his staff that he was taking a coronavirus test on March 9, instead of continuing to work alongside them for two days.
But Rotenberg's apology hasn't quelled the anger of some EPIC employees, who say he not only put their safety at risk, but also undermined their organization's resistance to invasive coronavirus surveillance.
"He's out there saying privacy trumps surveillance," said one former employee who worked there at the time. "Every time he opens his mouth, what runs through my head is: We need more surveillance."
Internal documents and interviews with several current and former employees reveal that this incident has sparked an uprising within EPIC's small team of about a dozen people, with several employees resigning — including Rotenberg's deputy, Mary Stone Ross — following Rotenberg's dual revelation that he had COVID-19 and that EPIC was facing funding difficulties. Others have written to EPIC's board, asking for substantive changes to the organization's management structure.
Rotenberg meanwhile has continued to warn Congress and the public against embracing technological tools that use location data to enable widespread coronavirus surveillance without considering the privacy implications. "Sometimes people have an almost sacrificial sense about their privacy," Rotenberg told BuzzFeed News in an article published 19 days after Rotenberg received his results. "They say things like, 'Well, if it'll help save lives for me to disclose my data, of course, I should do that.' But that's actually not the right way to solve a problem."
Rotenberg has apologized to EPIC's staff, writing in a letter reviewed by Protocol, "I am genuinely sorry for the disruption, concern and worry I may have caused to you and your family. Please know that was never my intent. I tried my best to make good decisions, given the information I had. In retrospect, there is more I should have done."
Asked to comment, Rotenberg responded by accusing a former staff member of leaking the story to Protocol. Asked again to comment, he said: "I think I said what needed to be said."
It was direct contact tracing that first alerted employees that they had been exposed to the virus. On March 11, an EPIC employee emailed the rest of the team to say he'd received a call from the Washington, D.C., department of public health. A health official told him he may have come into contact with someone who tested positive for coronavirus. In the email, the employee let his colleagues know he'd be working from home and monitoring for symptoms in order to protect the rest of the EPIC team.
But then shortly after, another staffer followed up saying they'd gotten the same call. Then another. Then another. By the end of the day, all of the advocacy group's Washington, D.C.-based employees confirmed they'd received the same warning.
Rotenberg hadn't responded to the thread, but earlier in the day, he had emailed the staff, encouraging them to work from home. "Also, social distancing is a good practice," he wrote, according to an email reviewed by Protocol. He did not mention that his COVID-19 test had come back positive that very morning.
The staffers swapped stories, wondering who might have brought the virus into the office. Some theorized it was a mail carrier. Some wondered if it had been a journalist who recently visited. Others speculated that Rotenberg, who returned from a trip to Milan in late February, might have been the source.
The next day, on March 12, Rotenberg called the entire team to a Zoom meeting and confirmed that he had, in fact, tested positive for coronavirus. He also laid out a rough timeline of his recent medical history, according to interviews with people on the call. He told them he'd returned from Milan on Feb. 22, and registered a temperature of 99.5 on March 1. At the time, that was still below what the Centers for Disease Control considered to be a symptom. But on March 5, he contacted his physician about his temperature and his recent travel to Italy, after receiving guidance from Georgetown University, where he teaches. According to the account Rotenberg gave in his apology letter, his doctor initially didn't think he needed to be tested but changed course the following day. At that point, it was Friday, and Rotenberg later told the staff he was already on a plane about to depart for Miami for the weekend. So he scheduled a test for when he returned to D.C. on Monday, March 9.
Rotenberg went to the office that Monday, Tuesday and Wednesday, and left as soon as he received the call about his results Wednesday morning. But he didn't mention any of this to his staff until the Zoom meeting that Thursday.
"We were all a little shocked," said one former employee who was on the call. "There was no sense of apology, no humility, not even, 'I thought I was responsible at the time, but looking back I would have done things differently.'"
Then Rotenberg dropped another bomb, telling the staff that EPIC only had enough money to pay people's salaries for another six months.
"It was, 'I exposed my team to a pandemic, and you might not have a job' in the same meeting," the former employee said. "Pretty rough."
"That really did it for everybody," said one current employee. "Everybody was like, 'What is going on?"
As privacy advocates, the EPIC staff understood more than most the importance of protecting employees' private health information. The nonprofit's lawyers are constant fixtures on Capitol Hill, forever butting heads with tech giants like Facebook and Google over the ways they collect and share personal data. But those employees also believed their boss had a responsibility to protect them, too. "The idea [of anonymity] is for workplace retaliation. I think that rationale is pretty strained when it's the executive director," said one of the former employees.
Even after testing positive and alerting staff, internal emails show, Rotenberg told employees he was going to the office to collect the mail, though it's unclear if he ever did. This prompted multiple employees to contact D.C.'s department of public health.
More than two weeks after the meeting, after EPIC employees wrote to members of the board with their concerns, Rotenberg sent the board and the staff a five-page letter both apologizing and defending his actions.
"I know some people are surprised and concerned that I was in the office on March 9, and I can imagine a scenario where someone else in the same situation could have stayed home to wait for a determination. In retrospect, that was obviously the better choice," Rotenberg wrote on March 30. "But at the time, and even today, that is not the CDC protocol. People are routinely tested then continue to practice social-distancing rather than self-quarantine."
For EPIC's employees — at least one of whom says they've experienced some symptoms consistent with the virus — this is hardly enough. Beyond the concerns for their own safety, the employees Protocol spoke with say Rotenberg's behavior gives those who might like to expand surveillance of coronavirus patients — and the rest of the population — the very excuse they need. "It rubs us all the wrong way when we see him quoted in the press talking about contact-tracing privacy issues when he's violating the guidelines," a former employee said.
Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.
In his letter to the staff and the board, Rotenberg said he followed all CDC protocols as they stood at the time. His letter didn't address whether he went to the office to check the mail after being diagnosed.
Of course, there's also Rotenberg's privacy to consider. EPIC's employees say they thought a lot about that before sharing this information publicly. But they argue that, in this situation, the risks to him maintaining his privacy outweighed the benefits.
"Privacy is something that's constantly weighed against other things," one current employee said. "It doesn't make sense for it to be absolute."
