Source Code: Your daily look at what matters in tech.

source-codesource codeauthorAndrea PetersonNoneWant your finger on the pulse of everything that's happening in tech? Sign up to get David Pierce's daily newsletter.64fd3cbe9f
×

Get access to Protocol

Your information will be used in accordance with our Privacy Policy

I’m already a subscriber
Politics

Verily's COVID-19 website becomes a health data privacy battleground

"These tools can be a helpful part of the solution during our ongoing public health emergency, but patient privacy shouldn't be sacrificed as a result," said Sen. Mark Warner.

San Mateo COVID-19 testing site

Verily's COVID-19 screening website, which helps determine whether users should go to a coronavirus testing location, has raised health data privacy concerns.

Photo: Justin Sullivan/Getty Images

Verily's COVID-19 screening website has prompted the latest dispute between Alphabet and policymakers over protecting health data.

Even as the tech giant has raced to help triage the crisis, lawmakers contacted by Protocol expressed concern about how the data the website collects might end up being used commercially and whether Verily is complying with privacy laws. More broadly, there's concern, shared by some experts, that the health privacy legislation that exists doesn't adequately account for how health data has evolved with new technology.

On Tuesday, a group of senators led by Bob Menendez, D-N.J., sent a letter to Verily asking for more details about what the company plans to do with data collected as part of its response to COVID-19. It's the second such letter the company has received from lawmakers regarding the site.

"First and foremost, all the data to be collected in this pilot program or any other related screening websites should remain confidential and must not be used for any commercial purposes in the future, and Verily should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)," the lawmakers wrote.

The letter also argues that people "interested in accessing SARS-CoV-2 screening websites should not be required to create or sign in to a Google account (or any other email account) to access this critical health resource."

Asked about Verily's COVID-19 screening effort, Sen. Mark Warner, D-Va., told Protocol that he plans to fight for health data privacy provisions in the next economic stimulus package, which lawmakers are just beginning to negotiate.

"While technology can certainly help improve screening and potential contact tracing in some cases, I have serious concerns that certain companies are using this as an excuse to hoover up sensitive health data," Warner said. "I sought unsuccessfully to include health data privacy provisions in the 'COVID-3' legislation and hope that subsequent legislation will contain these important protections."

"These tools can be a helpful part of the solution during our ongoing public health emergency, but patient privacy shouldn't be sacrificed as a result," he said.

Verily launched a pilot site that helps people determine if people in parts of the Bay Area should seek COVID-19 testing last month. The pilot site immediately drew scrutiny from lawmakers, who quickly reached out to Alphabet with questions a few weeks ago.

Verily tried to assuage concerns in a response from CEO Andrew Conrad dated March 26, provided to Protocol by Menendez's office. People were required to use Google accounts to sign in because it "was built on Verily's preexisting Baseline platform to secure health information, and needed a reliable and secure means of user authentication for its site," Conrad wrote.

Google "does not have access to the data beyond its role to provide infrastructure, security services, data storage, website hosting, and other support functions," he wrote, saying that the company would be prohibited from using the information for commercial purposes or selling it to third parties.

However, that doesn't go far enough for Patient Privacy Rights founder Deborah Peel. Under the current setup, there's no oversight to prove that the company isn't using the data for commercial purposes or selling it to third parties, she told Protocol in an email.

The questions point to larger, industry-wide issues about just what is protected under current health privacy laws, particularly the oft-cited HIPAA.

"One critical distinction the policymakers are already thinking about is not everything for which … there should be health privacy protection is necessarily protected by HIPAA," said Leon Rodriguez, a health privacy lawyer who previously served as the director of the office of civil rights at the Department of Health and Human Services.

Conrad did not directly respond to a question about the site's HIPAA compliance; instead, in a long paragraph, he highlighted how the Baseline platform the COVID-19 site relies on "was built to securely manage personal health information and designed to follow applicable federal and state regulations governing the collection and use of an individual's data."

"Their answer is very wishy-washy," a Menendez aide told Protocol, describing why the second letter asked about HIPAA again.

"It'd be better if they just came out and said, 'We don't think HIPAA applies to us,' and then we could have a conversation about … maybe it should, or maybe it does and you're not complying."

"HIPAA's supposed to protect your personal health care information," the aide said, adding that if Verily answered the question point-blank, "then we can have a conversation … and that would inform our policy decisions."

The Baseline program's FAQ page explicitly says it is HIPAA compliant, but the FAQ for the COVID-19 site does not mention the law, instead saying that "Project Baseline follows federal and state regulations governing the collection and use of an individual's data" and information is stored "in advanced systems with security and privacy protocols."

Verily did not respond to an inquiry about HIPAA compliance for the COVID-19 site.

University of Virginia law professor Margaret Riley told Protocol in an email that Verily may not be a "covered entity" under HIPAA. Covered entities are typically health care providers, health plans or health information clearinghouses that are subject to specific privacy and security rules under HIPAA and must give users certain rights related to their health information.

Still, Riley said, "[Verily] does seem to have relationships with covered entities," which means there are likely business agreements that address data protection.

"Verily has informed consent/privacy agreements with the individuals who participate," Riley added. "Those seem to meet HIPAA requirements even if those HIPAA requirements are not technically applicable."

Peel argued that patients essentially lack substantive privacy rights to electronic health data even under HIPAA's current status quo due to a rules change made in 2002, which rescinded consent requirements for data transfer.

HIPAA now "guarantees that the data holders can do whatever they want with our health data," she told Protocol.

Google has long wrestled with how HIPAA applies to its work. In the first iteration of Google Health, a medical data project launched in 2008 and shuttered in 2012, the company was explicit that HIPAA did not apply.

"Google is not a 'covered entity' under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ('HIPAA')," the terms of the program stated. "As a result, HIPAA does not apply to the transmission of health information by Google to any third party."

In 2013, facing the questions raised as large tech companies including Google and Amazon partnered with health providers to store data in the cloud, the Department of Health and Human Services issued new rules that bound cloud vendors to more oversight under HIPAA. The arrangement today mainly leaves the onus on Google's business associates to certify their HIPAA compliance.

Even before this pandemic, Alphabet's more recent health-related ventures raised eyebrows on Capitol Hill, especially last November after reports that the company would gain access to millions of people's health records through a partnership with health care provider Ascension. The Department of Health and Human Services' Office for Civil Rights is also investigating the arrangement.

Also last year, Sens. Amy Klobouchar, D-Minn., and Lisa Murkowski, R-Alaska, introduced the Protecting Personal Health Data Act, which would require the Department of Health and Human Services to work with the Federal Trade Commission to issue new rules about health data.

Verily isn't the only tech company building screening tools to fight the coronavirus crisis, and concerns about health privacy are likely to extend beyond Alphabet amid the outbreak.


Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.


For example, Menendez's office told Protocol it's looking into Apple's recently launched a screening website that allows users to list their symptoms to see if they need to get tested. The landing page for Apple's tool pledges "Apple is not collecting your answers from the screening tool … The information collected will not personally identify you."

In response to a request for comment, Apple pointed Protocol to its original announcement, which specifies that the website does not require any "sign-in or association with a user's Apple ID."

Power

The video game industry is bracing for its Netflix and Spotify moment

Subscription gaming promises to upend gaming. The jury's out on whether that's a good thing.

It's not clear what might fall through the cracks if most of the biggest game studios transition away from selling individual games and instead embrace a mix of free-to-play and subscription bundling.

Image: Christopher T. Fong/Protocol

Subscription services are coming for the game industry, and the shift could shake up the largest and most lucrative entertainment sector in the world. These services started as small, closed offerings typically available on only a handful of hardware platforms. Now, they're expanding to mobile phones and smart TVs, and promising to radically change the economics of how games are funded, developed and distributed.

Of the biggest companies in gaming today, Amazon, Apple, Electronic Arts, Google, Microsoft, Nintendo, Nvidia, Sony and Ubisoft all operate some form of game subscription. Far and away the most ambitious of them is Microsoft's Xbox Game Pass, featuring more than 100 games for $9.99 a month and including even brand-new titles the day they release. As of January, Game Pass had more than 18 million subscribers, and Microsoft's aggressive investment in a subscription future has become a catalyst for an industrywide reckoning on the likelihood and viability of such a model becoming standard.

Keep Reading Show less
Nick Statt
Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.

Over the last year, financial institutions have experienced unprecedented demand from their customers for exposure to cryptocurrency, and we've seen an inflow of institutional dollars driving bitcoin and other cryptocurrencies to record prices. Some banks have already launched cryptocurrency programs, but many more are evaluating the market.

That's why we've created the Crypto Maturity Model: an iterative roadmap for cryptocurrency product rollout, enabling financial institutions to evaluate market opportunities while addressing compliance requirements.

Keep Reading Show less
Caitlin Barnett, Chainanalysis
Caitlin’s legal and compliance experience encompasses both cryptocurrency and traditional finance. As Director of Regulation and Compliance at Chainalysis, she helps leading financial institutions strategize and build compliance programs in order to adopt cryptocurrencies and offer new products to their customers. In addition, Caitlin helps facilitate dialogue with regulators and the industry on key policy issues within the cryptocurrency industry.
Protocol | Policy

Lina Khan wants to hear from you

The new FTC chair is trying to get herself, and the sometimes timid tech-regulating agency she oversees, up to speed while she still can.

Lina Khan is trying to push the FTC to corral tech companies

Photo: Graeme Jennings/AFP via Getty Images

"When you're in D.C., it's very easy to lose connection with the very real issues that people are facing," said Lina Khan, the FTC's new chair.

Khan made her debut as chair before the press on Wednesday, showing up to a media event carrying an old maroon book from the agency's library and calling herself a "huge nerd" on FTC history. She launched into explaining how much she enjoys the open commission meetings she's pioneered since taking over in June. That's especially true of the marathon public comment sessions that have wrapped up each of the two meetings so far.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.

Protocol | Fintech

Beyond Robinhood: Stock exchange rebates are under scrutiny too

Some critics have compared the way exchanges attract orders from customers to the payment for order flow system that has enriched retail brokers.

The New York Stock Exchange is now owned by the Intercontinental Exchange.

Photo: Aditya Vyas/Unsplash

As questions pile up about how powerful and little-known Wall Street entities rake in profits from stock trading, the exchanges that handle vast portions of everyday trading are being scrutinized for how they make money, too.

One mechanism in particular — exchange rebates, or payments from the exchanges for getting certain trades routed to them — has raised concerns with regulators and members of Congress.

Keep Reading Show less
Tomio Geron

Tomio Geron ( @tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics. He can be reached at tgeron@protocol.com or tgeron@protonmail.com.

Protocol | Workplace

The Activision Blizzard lawsuit has opened the floodgates

An employee walkout, a tumbling stock price and damning new reports of misconduct.

Activision Blizzard is being sued for widespread sexism, harassment and discrimination.

Photo: Bloomberg/Getty Images

Activision Blizzard is in crisis mode. The World of Warcraft publisher was the subject of a shocking lawsuit filed by California's Department of Fair Employment and Housing last week over claims of widespread sexism, harassment and discrimination against female employees. The resulting fallout has only intensified by the day, culminating in a 500-person walkout at the headquarters of Blizzard Entertainment in Irvine on Wednesday.

The company's stock price has tumbled nearly 10% this week, and CEO Bobby Kotick acknowledged in a message to employees Tuesday that Activision Blizzard's initial response was "tone deaf." Meanwhile, there has been a continuous stream of new reports unearthing horrendous misconduct as more and more former and current employees speak out about the working conditions and alleged rampant misogyny at one of the video game industry's largest and most powerful employers.

Keep Reading Show less
Nick Statt
Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.
Latest Stories