Location Data and COVID-19 Contact Tracing: How Data Privacy Regulations and Cell Service Providers Work In Tandem. (arXiv:2103.14155v2 [cs.CR] UPDATED)

Governments, healthcare, and private organizations on a global scale have
been using digital tracking to keep COVID-19 outbreaks under control. Although
this method could limit pandemic contagion, it raises significant concerns
about user privacy. Known as “Contact Tracing Apps”, these mobile applications
are facilitated by Cellphone Service Providers (CSPs), which enable spatial
and temporal real-time user tracking. Accordingly, it might be speculated that
CSPs collect information in violation of privacy regulations such as GDPR, CCPA,
and others. To clarify this, we conducted an in-depth analysis comparing privacy
legislation with the real-world practices adopted by CSPs. We found that three
of the regulations analyzed (GDPR, COPPA, and CCPA) defined mobile location
data as private information, and two (T-Mobile US, Boost Mobile) of the five
CSPs that were analyzed did not comply with the COPPA regulation. Our results
are crucial in view of the threat these violations represent, especially when
it comes to children’s data. As such, proper security and privacy auditing is
necessary to curtail such violations. We conclude by providing actionable
recommendations to address concerns and provide privacy-preserving monitoring
of COVID-19 spread through contact tracing applications.