By Linda Childers
As companies across the country gradually reopen in the wake of COVID-19, many have implemented safety protocols designed to keep employees healthy.
One technological solution being marketed to businesses are social-distancing and contact-tracing wristbands.
They are designed to enforce the Centers for Disease Control and Prevention’s (CDC) guidelines of maintaining a six-feet distance from others to try to mitigate risks of contagion.
The wristbands might sound like a benign way to keep employees safe, but experts told Digital Privacy News that the technology might add another layer of surveillance to workplaces and could be used to penalize employees for spending the workday outside of designated areas.
“Because identifying contacts is critical to preventing the spread of a virus, there’s a natural inclination to leverage technology as a means of automating this task,” said Jeffrey Lowell Vagle, an assistant professor at the Georgia State University College of Law in Atlanta.
“A poorly designed or implemented contact-tracing system could actually cause more problems than it solves.”
Jeffrey Lowell Vagle, Georgia State University College of Law.
“But there are tradeoffs to be considered when implementing such a system.
“It’s one thing for the program to be managed — and the data to be collected — only by a trusted health agency,” Vagle argued. “It’s quite another for this kind of program to be conducted by your employer, where the information has the potential to be misused.”
One Firm’s Product
One company marketing such wearables is Microshare Inc., based in Philadelphia. The devices seek to help enforce social-distancing guidelines and maintain a record of employee interactions.
The company’s contact-tracing wearable uses Bluetooth beacons and long-range, low-power LoRaWAN networks, said Michael Moran, Microshare’s chief risk and sustainability officer.
The technology is more reliable than smartphones, which are considered a privacy risk because of geotracking, security breaches — and inaccuracies involving GPS.
“There’s a balance that must be struck in all things involving data’s benefits and its misuse,” Moran told Digital Privacy News.
With Microshare’s technology, employees wear a Bluetooth-enabled badge, keyring or wristband. When devices come within close proximity to another device for a certain period of time, they record information and upload the encounters to a central database at the company.
The information then can be accessed by a client’s wellness coordinator tasked with curbing COVID-19 exposure, Moran said.
“If an employee calls in sick with possible COVID-19 symptoms, the wellness coordinator can then alert anyone they were in contact with to possible exposure,” he said. “In doing so, this can also curb further spread of the virus, while the initial employee awaits their test results.”
Bluetooth vs. Smartphones
While Bluetooth technology avoids many of the security risks and vulnerabilities associated with smartphones, some experts worry about the technology’s accuracy and efficiency.
“Bluetooth was primarily designed for communicating over short distances,” Richard Lutkus, a partner with the Seyfarth Shaw law firm in San Francisco, told Digital Privacy News. “Using it to obtain data from a large industrial or office setting could result in many false-positives.
“If there’s a thin wall between two employees working in separate offices, it could signal they aren’t maintaining a safe six-foot distance,” he said.
Vagle, who also is an affiliate scholar with the Center for Internet and Society at Stanford Law School, agreed that the reliability of the social-distancing results also was important.
“A poorly designed or implemented contact-tracing system could actually cause more problems than it solves, by taking up valuable resources to track down false-positives and other errors,” he said.
Using Data Against Workers
Since the wearables provide detailed data of employee movements during the day, Lutkus said he worried that this information also could be potentially used against workers.
“We’re already seeing litigation related to COVID-19 — and we expect these cases to continue,” he told Digital Privacy News.
“If a plaintiff were to file a lawsuit against their employer, the same policies implemented to protect them could potentially be flipped against them — for example, showing they were outside of their work area and implying they were slacking off.”
By balancing privacy with safety, Microshare insisted their wristbands don’t share personal information.
“There are enough data breaches that suggest any data can be compromised, even when significant protections are in place.”
Richard Lutkus, Seyfarth Shaw law firm, San Francisco.
“Only time-stamped proximity events are recorded,” said Charles Paumelle, the company’s co-founder and chief product officer. “This information is only shared with the company’s wellness experts, who can match the events to specific employee badges in the case of infection.”
Paumelle said data was retained to trace proximity contacts that an employee has had over the past two weeks. Guidance on how long the data is kept is provided by public-health authorities in the part of the country where the client is based (approximately 30 days).
Once that period is up, data must be deleted, he said.
Security as an ‘Afterthought’
But with companies rushing to develop contact-tracing and social-distancing devices to meet urgent client demands, Lutkus worried that security might not always be a priority.
“There are enough data breaches that suggest any data can be compromised even when significant protections are in place,” he said.
“Most companies are rushing to deploy systems to be first-to-market.
“When I see this, it tells me that companies are focusing on operation-function and that security is usually an afterthought,” Lutkus said.
For instance, he cited the Internet of Things industry, where security is often an afterthought.
“For any company making these devices, without a robust inspection of their code and their hardware by security experts, I wouldn’t trust any of them to adequately protect my data,” Lutkus told Digital Privacy News.
“Most of these companies won’t allow third-party code or hardware review, so we are left trusting they are doing the right thing abreast of the domestic and international data-privacy laws.
Lutkus added: “I seriously doubt many have even talked to privacy lawyers about how to comply with those laws.”
Linda Childers is a writer in the San Francisco Bay Area.