2023 Jan 2;63(2):158–163. doi: 10.1016/j.scijus.2022.12.008

The use of COVID-19 contact tracing app data as evidence of a crime

Marie-Helen Maras, Michelle D Miranda, Adam Scott Wandt
PMCID: PMC9805950  PMID: 36870696

Abstract

This commentary draws attention to the introduction of data collected by COVID-19 tracing apps as evidence in criminal proceedings and the novel considerations this evidence presents for criminal justice agents and digital forensics professionals.

Keywords: COVID-19, Contact tracing app, Function creep, Digital forensics, Evidence

1. Introduction

According to the World Health Organization’s (WHO) Coronavirus (COVID-19) Dashboard, as of 10 October 2022, over 6.5 million deaths worldwide have been attributed to the COVID-19 pandemic. In response to the pandemic, countries across the globe engaged in the rapid and mass deployment of technological measures to monitor and contain the spread of COVID-19 within and across national borders. One of these measures involved the use of contact tracing apps. These apps are designed to detect and report contact between individuals (at some defined distance) through smartphones and associated apps contained therein via Bluetooth or GPS (depending on the app). If a person utilizing one of these apps tests positive for COVID-19 and reports this on the app, the app notifies other users who were near the person who tested positive for COVID-19.

These contact tracing apps, which were introduced around the world – by government agencies and private agencies – to respond to a public health crisis, and the data processed by them, are now being accessed for criminal justice purposes in certain countries. Given their new use in this manner, this commentary explores the type of data collected by contact tracing apps, incidents where law enforcement officers accessed contact tracing data, laws that regulate or restrict (or fail to restrict) access to this data, and the way data can be accessed or otherwise used by criminal justice agents (e.g., police and prosecutors) and digital forensics professionals.

2. A new source of digital evidence for use in criminal proceedings? Depends on the jurisdiction…

Contact tracing apps were initially implemented and communicated to the public as only being used for specific public health reasons – that is, as necessary measures to mitigate the spread of COVID-19. To accomplish their stated purpose, which is to trace COVID-19 infections and alert app users of infections and/or potential exposure to COVID-19, contact tracing apps collected personally identifiable information (PII) that could be used to track individual movements, activities, associations, and interactions. The PII collected includes the information the user provides to the app at time of installation and registration, such as their name, address, date of birth, phone number and email address. The user may also provide health related information concerning their COVID-19 infection and/or exposure. The PII collected also includes information the device collects when the app is used and the smartphone’s unique device number, operating system (and version of operating system), and make and model number, among other device data. The contact tracing app further processes and transmits data, such as the proximity to other app users (via Bluetooth) and/or location data from location services (e.g., GPS). The type of data collected, stored, and shared by contact tracing apps varies by app and by jurisdiction, and is dictated by the absence or presence of laws or other regulatory measures that delineate the processing of this data.

Despite the introduction of contact tracing apps as a response to COVID-19, what has been observed in certain jurisdictions is a lack of adequate oversight and regulation of the processing of contact tracing app data by third parties. In fact, contact tracing app data, which was initially intended only for use for public health reasons in response to a public health emergency, is now being used for reasons other than what was originally intended; a process known as function creep [1]. With function creep, users of technology are unaware about the true nature and extent of the data collected and shared about them and the use of the data beyond the originally stated purpose of the technology. The data from COVID-19 tracing apps has been sought by criminal justice agencies for investigative and enforcement purposes. Other mobile device data has also been used by government agencies in response to the COVID-19 pandemic as well.

A notable example of function creep was observed in Singapore. Singapore implemented several surveillance technologies as a measure to contain the spread of COVID-19, requiring QR scan check-in for venues (e.g., shops and restaurants) and developing its own contact tracing app. In Singapore, while there are data protection laws in place that govern the collection, sharing, and other use of data by private sector organizations (e.g., Personal Data Protection Act of 2012 (No. 26 of 2012)), there is no right to privacy in their Constitution. Singapore’s COVID-19 contact tracing app, TraceTogether, relied on Bluetooth technology using proximity data to trace COVID-19 infections, storing proximity data and other data in a centralized government database [2]. To foster trust and promote public adoption of TraceTogether, the government asserted that the data submitted to, collected by, and shared by the app would only be used for contact tracing. Nevertheless, in 2021, it was revealed that this data was used (and could be used) in “serious criminal investigations” [3]. In fact, contact tracing data had already been used in the investigation of a murder before a new law was passed in Singapore that enabled a “police officer or other officer of any law enforcement agency… [to] order the disclosure or production of, or search, access or seize, any personal contact tracing data for…an investigation or criminal proceeding in respect of a serious offense” (see Section 82(2) of COVID-19 (Temporary Measures) Act 2020). In April 2022, Singapore announced that the TraceTogether app was being phased out; however, the data collected by the app would be retained [4].

Singapore is not the only country where function creep for contact tracing apps was observed. Function creep has been observed in the European Union, where data is protected under the General Data Protection Regulation (GDPR) and the right to privacy (i.e., “the right to respect for private and family life, home and correspondence”) enshrined in Article 8 of the European Convention on Human Rights. For example, this function creep has been observed in Germany, which even considers informational self-determination (i.e., the right of people to determine if, when, and to what extent information about them is revealed to others) as a right (based on a constitutional ruling) [5]. Despite these protections, in 2022, one incident was reported in Germany in which local law enforcement accessed contact tracing data from the Luca app to identify potential witnesses for a death investigation; this data was not accessed from the company that owns the app (Culture4life) but from the establishment located adjacent to where the incident had occurred and local health authorities that had access to the data [6].

Israel also authorized government agencies to access COVID-19-related data during the pandemic. Although the right to privacy is enshrined under Israel’s Basic Law: Human Dignity and Liberty, the Privacy Protection Authority clarified that the right could be limited to protect public health [7]. In 2020, Israel authorized its Israel Security Agency, an intelligence agency, to monitor civilian mobile phone locations in response to the COVID-19 pandemic [8]. While Israel originally allowed police to use cellphone tracking data obtained without a warrant to enforce quarantine restrictions, the government reversed their position due to significant international scrutiny about the ethics of this surveillance [9]. Nonetheless, law enforcement agencies were still able to obtain this data with a warrant [10]. In addition to Israel, there are several other countries whose contact tracing apps were found – after their deployment and use by the public – to expose and/or have the potential to expose users’ private data [11].

Privacy and data protection concerns raised during the COVID-19 pandemic led to calls for contact tracing apps to follow privacy-by-design principles [12], which dictate that privacy be considered at each step of the design and engineering process and enabled as the default [13]. Digital proximity tracing using Bluetooth technology and storing data in a decentralized manner on users’ phones were proposed to enhance privacy involving users’ personal data. The Google-Apple Exposure Notification (GAEN) Protocol, which includes these features, could be used by contact tracing applications, working natively with Apple and Android smartphones if users chose to opt-in to the operating system’s supported contact tracing [14]. While several countries and several U.S. states have adopted this protocol for use in their apps, the protocol was not adopted as a nationwide standard (apart from individual users in specific countries who chose to opt into the operating system-supported version).

It is important to keep in mind that while the Google-Apple Exposure Notification (GAEN) Protocol follows privacy-by-design principles, this does not equate to actual real-world privacy. Bluetooth-based contact-tracing apps do upload private data from users who report COVID-19 infections. For instance, the IP address of the user who seeks to share exposure notification information is retained by certain apps (as an example, see the privacy review of Canada’s contact tracing app, COVID-19 Alert, for information about the reasons for IP address retention and the duration of this retention) [15]. Therefore, data must still be collected and transmitted for users to interact with public health officials and that data still resides with a custodian that is subject to domestic legal processes [16]. Also, even though the GAEN Protocol does not directly record location data within a centralized database, it does not prevent indirect identification of users or locations by comparing and supplementing the records it contains to other datasets such as cellular tower records, Google location service records, or a myriad of data collected and stored by third party applications. Linkage attacks or correlation attacks [17] can occur, which make the identification and tracking of individuals still possible despite privacy-by-design assurances. In addition, even though the GAEN Protocol uses a series of randomly generated and frequently rotated identification keys to enhance user privacy and provide protection from Bluetooth eavesdropping devices, such as the Ubertooth One, these keys are still stored on the smartphone and can be forensically recovered along with the keys of all the smartphones the user has been in proximity of. These records, matched with the record types mentioned above, can be used by investigators to identify specific individuals, individuals they have been in proximity to, and their geolocations. 
Further, in jurisdictions where government apps used GAEN, private sector and public sector organizations, such as U.S. universities, used private apps with different features for contact tracing, requiring the registration of users and disclosure of private data for workplace entry [18]. Other areas in the U.S. private sector and abroad also required private data registration to enter restaurants, entertainment venues, and other establishments.
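
As an added illustration (not from the article or from any contact tracing app), the Python sketch below measures the linkage risk described above: how many people in an auxiliary dataset remain consistent with each rotating identifier in a recovered encounter log. All records, field names and the venue check-in format are constructed assumptions, and the timestamp granularity parameter is a hypothetical data-minimization setting.

```python
"""Anonymity-set check for rotating proximity identifiers (constructed data)."""
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed encounter log, as it might be held on one handset:
# (rotating identifier, time it was observed). Not a real storage format.
ENCOUNTERS = [
    ("id-a1", "2022-03-01T12:05"),
    ("id-a2", "2022-03-01T12:20"),  # same nearby phone after its identifier rotated
    ("id-b1", "2022-03-01T19:40"),
    ("id-c1", "2022-03-02T09:10"),
]

# Constructed auxiliary dataset, e.g. venue check-in records:
# (person label, venue, arrival, departure).
CHECKINS = [
    ("owner", "cafe", "2022-03-01T11:50", "2022-03-01T12:45"),
    ("P1", "cafe", "2022-03-01T12:00", "2022-03-01T12:30"),
    ("P2", "cafe", "2022-03-01T13:00", "2022-03-01T13:30"),
    ("owner", "bar", "2022-03-01T19:00", "2022-03-01T21:00"),
    ("P3", "bar", "2022-03-01T19:30", "2022-03-01T20:00"),
    ("P4", "bar", "2022-03-01T19:35", "2022-03-01T22:00"),
    ("P5", "bar", "2022-03-01T15:00", "2022-03-01T16:00"),
]


def _ts(text):
    return datetime.fromisoformat(text)


def _window(ts, granularity_min):
    """Interval [start, end) that a timestamp stored at this granularity could mean."""
    minutes = int((ts - EPOCH).total_seconds() // 60)
    start = EPOCH + timedelta(minutes=minutes - minutes % granularity_min)
    return start, start + timedelta(minutes=granularity_min)


def _overlaps(a_start, a_end, b_start, b_end):
    return a_start < b_end and b_start < a_end


def anonymity_sets(encounters, checkins, owner, granularity_min=1):
    """Map each rotating identifier to the people it could belong to.

    A person is a candidate when the auxiliary data places them at a venue
    where the handset owner also was, within the encounter's time window.
    """
    stays = [(who, venue, _ts(a), _ts(b)) for who, venue, a, b in checkins]
    result = {}
    for rolling_id, seen in encounters:
        w_start, w_end = _window(_ts(seen), granularity_min)
        # Venues where the auxiliary data places the owner during the window.
        venues = {
            venue for who, venue, a, b in stays
            if who == owner and _overlaps(a, b, w_start, w_end)
        }
        candidates = {
            who for who, venue, a, b in stays
            if who != owner and venue in venues and _overlaps(a, b, w_start, w_end)
        }
        result[rolling_id] = sorted(candidates)
    return result


def uniquely_linkable(sets):
    """Identifiers whose anonymity set has shrunk to exactly one person."""
    return sorted(rid for rid, cands in sets.items() if len(cands) == 1)


if __name__ == "__main__":
    for granularity in (1, 60, 1440):  # minute, hour, day
        sets = anonymity_sets(ENCOUNTERS, CHECKINS, "owner", granularity)
        print(f"granularity={granularity} min")
        for rid, cands in sets.items():
            print(f"  {rid}: {len(cands)} candidate(s) {cands}")
        print(f"  uniquely linkable: {uniquely_linkable(sets)}")
```

On this constructed data, minute-level timestamps leave both rotated identifiers of one phone pointing at a single person, while day-level timestamps leave no identifier uniquely attributable.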

When mandates for contact tracing occurred, legislative restrictions were not in place in many jurisdictions to prevent the use of this data for reasons unrelated to contact tracing. In fact, in Australia, on several occasions, police accessed (with and without warrants) contact tracing QR code check-in data from establishments (e.g., bars and restaurants) for use in criminal investigations [19]. This access, and the backlash that ensued, led to the passage of the Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Act 2021 to restrict access to contact tracing data for non-public health purposes.

In certain jurisdictions, data submitted to establishments for contact tracing purposes (e.g., name, phone number or email address) and/or to contact tracing apps, can be requested by criminal justice agents, with or without a legal order, from the third party that holds this data, such as an Internet service provider or establishment (e.g., restaurant or bar). For example, in the United States, pursuant to the Stored Communications Act (i.e., Title II of the Electronic Communications Privacy Act of 1986) and the Telecommunications Act of 1996, criminal justice agents can either access data directly from third parties by issuing a subpoena or obtaining a court order if prior notice is given to subscribers, or by obtaining a warrant if prior notice is not given to subscribers [20]. In addition, as delineated by law, this data could be accessed without a court order or subpoena during exigent circumstances, through the consent of the party whose data is sought, or by other means (e.g., the acquisition of contact tracing app data from data brokers who can legally purchase data directly from apps).

Similarly to other countries that passed legislation after COVID-19 contact tracing apps were introduced in their jurisdictions, several U.S. states introduced laws that restricted contact tracing data processing. For example, New York state passed specific legislation (S8450C) to protect contact tracing data from being obtained or used by criminal justice agents for criminal investigations or government agents for immigration purposes. Specifically, this act amended sections of the NY Public Health Law § 2181 to mandate that “no contact tracer or contact tracing entity may provide contact tracing information to a law enforcement agent, entity or immigration authority… and any evidence derived therefrom shall not be subject to or provided in response to any legal process or be admissible for any purpose in any judicial or administrative action or proceeding.” The U.S. states of Kansas and South Carolina have also enacted legislation to limit contact tracing data processing. Yet these states differ from New York in that they do not explicitly limit law enforcement or other government agencies from accessing the data. Limitations are, however, placed on what data can be used and for what reasons (e.g., according to Kansas Statutes § 48–961(g), “[c]ontact tracing shall not be conducted through the use of any service or means that uses cell phone location data to identify or track, directly or indirectly, the movement of persons”). In 2020, Act No. 142 was passed in South Carolina, which, among other things held that “[a]ny contact-tracing technologies utilized for data collection must be restricted for the collection of public health information only…Access to any information collected will be used for public health information purposes only and will comply with all confidentiality requirements contained in the Health Insurance Portability and Accountability Act” (HIPAA) of 1996. 
It is important to note that HIPAA permits the disclosure of private health information under certain conditions (e.g., for law enforcement purposes pursuant to legal orders). Therefore, unlike the New York law, the South Carolina law does not include provisions to prevent criminal justice agents from accessing contact tracing data for use in criminal investigations if they have the appropriate legal order.

3. If it is available, it can be accessed eventually…

Criminal justice agents’ access to technology and related data associated with individuals and their medical and health data is not a new phenomenon. Cases in point are these agencies’ access to consumer genealogical data and Internet of things (IoT) data, such as Internet-enabled health and medical devices.

3.1. Consumer DNA databases

Consumer DNA databases (e.g., 23andMe and AncestryDNA) were created to enable the public to trace their ancestry through genetic testing. Databases such as GEDMatch enabled individuals to upload their genetic testing results and use their platform to conduct genealogical research and identify relatives. A now infamous case that drew attention to the use of information from a consumer DNA database in a criminal investigation involved a serial rapist and murderer known as the Golden State Killer [21]. This investigative technique is known as investigative genetic genealogy or forensic genetic genealogy (hereafter FGG), which is defined as “the forensic genetic genealogical DNA analysis of a forensic or reference sample of biological material by a vendor laboratory to develop an FGG profile and the subsequent search of that profile in a publicly-available open-data personal genomics database or a direct-to-consumer genetic genealogy service” [22]. This investigative technique has also been used in other countries, including Sweden, the Netherlands, Canada, and the Philippines [23]. A Swedish case that has been compared to the Golden State Killer case in the U.S. is a 2004 double-murder in Linköping in which the suspect was similarly tracked down through commercial genealogy databases [24].

Law enforcement access is determined by the private companies’ policies (i.e., terms of service (TOS), privacy policies, and/or law enforcement guidelines) and the jurisdiction where data is located and/or can be accessed. Consumer DNA database companies have terms of service that already identify the way law enforcement can access the content of their databases, including DNA. For example, Ancestry states that law enforcement agencies outside of the United States may only access data pursuant to a mutual legal assistance treaty or letters rogatory [25]. For U.S. law enforcement agencies, Ancestry mentions what type of data will be released and the legal order required to release it: with a subpoena, “basic subscriber information as defined in 18 USC § 2703(c)(2) about Ancestry users” will be released to law enforcement; with “a court order issued pursuant to 18 USC § 2703(d),” “additional account information or transactional information pertaining to an account (such as search terms, but not including the contents of communications)” can be released; and the “[c]ontents of communications and any data relating to the DNA of an Ancestry user will be released only pursuant to a valid search warrant from a government agency with proper jurisdiction” [26]. Likewise, other consumer DNA database companies, such as FamilyTreeDNA and 23andMe, have similar law enforcement guidelines with similar requirements for legal orders to obtain the data [27].

The policies of consumer DNA database companies also include restrictions on the individuals who can upload data to the database, what type of data can be uploaded, and/or the circumstances where the site can be used for law enforcement purposes. Ancestry, for instance, includes within its terms and conditions, a prohibition from using “information obtained from the DNA Services (including any downloaded DNA Data (defined in the Privacy Statement)) in whole, in part, and/or in combination with any other database, for any medical, diagnostic, or paternity testing purpose, in any judicial proceeding, or for any discriminatory purpose or illegal activity” [28]. As of 2022, 23andMe holds that “[t]hose who wish to participate in the 23andMe service must guarantee that any sample they provide is either their own saliva or that of an individual for whom they have legal authorization to agree to the TOS on their behalf” [29]. Thus, the company considers it a TOS violation “for law enforcement officials to submit samples on behalf of a prisoner or someone in state custody who has been charged with a crime” [30]. While another company, GEDMatch, has a policy about law enforcement “not upload[ing] Raw Data to GEDmatch via the GEDmatch.com website,” it does allow for the upload of this data on the company’s “GEDmatch Pro portal to identify the perpetrator of a Violent Crime (where ‘Violent Crime’ is defined as murder, nonnegligent manslaughter, aggravated rape, robbery, or aggravated assault) or to identify human remains” [31]. FamilyTreeDNA, in contrast, enables its services to be used by law enforcement to identify the remains of the deceased and to investigate homicides, sexual assault, and abduction cases with permission from the company and “register[ing] all forensic samples and genetic files prior to uploading to the FamilyTreeDNA database” [32].

The public backlash and privacy concerns raised by law enforcement use of this data prompted the U.S. Department of Justice and government agencies of other countries to issue a policy on the use of this investigative technique [33], consumer DNA database companies to update their policies, and in some cases the passage of law to delineate the scope of law enforcement access to this data (e.g., limiting access to specific serious crimes). For instance, several U.S. states passed legislation limiting law enforcement access to this data. As of October of 2021, investigators in the state of Maryland are only able to access consumer DNA data for serious felony cases, such as murder, rape, and felony sexual assault with judicial authorization [34]. The U.S. state of Montana has also passed legislation regarding law enforcement use of FGG; however, the law is not as comprehensive as legislation in Maryland and only requires law enforcement to obtain a search warrant or consent of the consumer whose DNA data law enforcement wants to access to obtain the data [35]. Likewise, several U.S. states, including California, Utah, and Arizona, have since passed similar laws requiring law enforcement to obtain search warrants before accessing the data and preventing consumer DNA companies from burying consent clauses in their policies [36].

3.2. The Internet of things (IoT)

IoT device data has been used for reasons beyond those originally intended – that is, for criminal justice purposes [37]. These types of devices include Internet-enabled healthcare and medical devices and consumer devices that collect medical data, which fall into several major categories: (1) body movement, sleep, and exercise data; (2) heart-rate, blood pressure, and cardiac rhythm data; (3) blood glucose monitoring data; (4) hand hygiene data; (5) depression and mood observations; (6) menstrual cycle tracking; (7) disease monitoring [e.g., Parkinson’s disease]; (8) connected inhalers; (9) ingestible sensors; and in the near future (10) connected contact lenses. While this long list of devices will eventually provide a treasure trove of evidence related to crimes, law enforcement is currently adapting its protocols to better utilize the data. Currently, law enforcement have already accessed common IoT devices, mainly wearable fitness devices (e.g., Fitbit), and medical devices (e.g., pacemakers) in the U.S. and other countries (e.g., Germany and Australia) [38]. Recently, in the U.S., Richard Dabate was sentenced to 65 years imprisonment for murdering his wife in part due to the introduction of Fitbit data by law enforcement to refute his account of the events [39]. Fitbit’s privacy policy informs users that law enforcement can access the data under certain conditions: they “may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request…or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of the Services or the physical safety of any person” [40]. Further, medical and health data have been accessed and introduced in court for other crimes. For instance, in 2016, an arson and insurance fraud suspect’s pacemaker data was introduced in a U.S. court to refute his account of events [41].
These cases and others show an increasing trend of law enforcement access to fitness, medical, and health data to investigate crimes. In the United States, the general federal and state standard for acquiring IoT data involves obtaining: (1) consent; or (2) a search warrant supported by probable cause and a supporting affidavit [42]. Law enforcement access to IoT data is also dependent on jurisdiction and the IoT company’s policies.

4. Using COVID-19 contact tracing data in criminal investigations and proceedings: Reflections on policy and practice

Access to and utilization of digital data in the context of criminal investigations and digital forensic examinations requires the consideration of broader criminal justice policies to shape practice, as there are adverse legal consequences that may arise from the collection, recovery, and analysis of data that is protected under law. Failure to consider such constraints could impact data accessibility, searching, and retrieval in the laboratory, and evidence admissibility in legal proceedings. As with existing evidence collection and admissibility matters (established, for example, in the U.S. in Frye v. United States [43] and Daubert v. Merrell Dow Pharmaceuticals, Inc., [44] as well as the Federal Rules of Evidence) [45], understanding policies and their resulting impact on practice is the responsibility of all criminal justice agents.

At present, there are existing upstream, midstream, and downstream policies and established procedures for accessing data from mobile apps and other digital technologies, which can be and have been used to inform access to COVID-19-related data. Upstream regulation through policies and legislation serves to guide policy and practice midstream (e.g., forensic practitioners and processes) and downstream (e.g., prosecutors and evidence admissibility issues). Absent explicit policies and legislation that prohibit the use of COVID-19-related data for anything other than public health reasons, COVID-19-related data could be accessed in a similar manner to data from other digital technologies (i.e., DNA databases and IoT devices). For countries that have laws regulating access to COVID-19-related data, law enforcement either cannot or are restricted from accessing COVID-19-related data unless certain conditions are met (e.g., access is restricted for specific types of crime under investigation). Overall, law enforcement agents’ access to COVID-19-related data will depend on the jurisdiction, laws that regulate the use of this data, the type of data sought, the policies of the company’s contact tracing app, and the way access to the data is sought (e.g., legal order).

Nevertheless, the main issue is with access to and use of COVID-19-related technologies that were introduced not for criminal justice purposes but for public health reasons, and adopted by the public under the impression that the data collected by them was only meant to be used to deal with the COVID-19 pandemic. The public was not informed that the data could be used for other purposes when they were encouraged to (and in some cases mandated to) adopt this technology by governments. In view of that, when technology is deployed for public health emergencies, the scope of access and use of the data collected and shared by the companies deploying this technology should be explicitly delineated in their policies and clearly communicated to the public. Following the use of genetic testing data for law enforcement reasons, Phillips (2017) had similarly proposed that organizations provide comprehensive information to educate consumers on data acquisition, storage, and potential utilization to allow for informed consent [46].

When considering the forensic laboratory, the aforementioned upstream policies and challenges to government practices must be conveyed to the practitioner (e.g., digital forensic examiner/analyst) to prevent unauthorized access to and examination of digital data collected from COVID-19 contact tracing apps, which could lead to admissibility issues downstream. Mid-stream considerations within the forensic laboratory might include robust practices in which the digital forensic examiner/analyst and their methods for accessing and extracting data from COVID-19 apps should be well informed and documented, which would be in line with existing quality control and regulation measures in forensic laboratories as demonstrated by analyst qualifications and the adherence to standard operating procedures (SOPs). Such measures are not novel and have most recently been recommended for DNA databases and genetic genealogy searching. Wickenheiser (2019) has proposed “restricting [data] access to specific authorized individuals; providing sufficient checks and balances for access; [ensuring] strict use of the data that is accessed; data sharing in a very controlled manner to provide investigative leads; and [issuing] penalties for misuse to safeguard data” [47]; similar proposals were made by Dahl and Sætnan [48]. At the laboratory level, it is imperative that lab supervisors, quality assurance (QA) managers, examiners, and investigators verify that any search warrants and court orders are aligned with their SOPs, internal QA practices, and any accreditation standards and/or that the experts provide justifications for any deviations that are necessary due to their professional, scientific, or technical evaluation of the submitted devices and the data contained therein within the context of the investigation. 
Routine laboratory audits and external reviews should incorporate checkpoints to ensure that personal data recovered from COVID-19 apps is not being misused or stored unnecessarily. Quality assurance measures should include the evaluation and creation of data collection procedures, stringent accessibility requirements, and procedures for the retention and withdrawal of such personal data [49]. In addition, Dahl and Sætnan (2009) recommended that the laboratory provide publicly available documents concerning the proper use of personal digital data, highlighting the example that the UK is attempting to provide such information in their laboratory reports [50]. One way to address some of these mid-level concerns would be to enlist a forensic advisor to triage and communicate with investigators and lawyers about searching and retrieving data from digital devices and apps [51], such as COVID-19 tracing apps. All in all, clear policies and procedures are needed to provide guidance on the forensic analysis phase of an investigation where the recovery or analysis of data stems from a contact tracing app.

5. Concluding remarks

Although addressing social, legal, and ethical matters in forensic science and digital forensic investigations is hardly novel, the introduction of evidence from digital technologies (e.g., consumer DNA databases, IoT devices, and COVID-19 contact tracing apps) in the investigation and prosecution of crimes presents challenges in jurisdictions that currently do not prohibit and limit its access and use for criminal justice purposes. Specifically, the introduction of data from these technologies, particularly COVID-19-related data, brings a slew of concerns regarding public backlash for its access and use, and the potential legal challenge for introducing evidence related to this data in courts. Barring laws that prohibit criminal justice agencies’ access to COVID-19 app data, the data can be accessed by these agencies.

Now that COVID-19 measures are relaxing, what is being observed are the consequences of the rush to deploy technology (i.e., COVID-19 tracing apps by governments and the private sector) in response to a public health emergency without considering the long-term impact of this technology – i.e., that data collected for health purposes is now sought for use in criminal investigations. The lawfulness of access to this data by criminal justice agents (law enforcement and prosecutors) and digital forensic professionals must be established and carefully considered before the collection, analysis, and presentation of this data as evidence in criminal proceedings. What should also be considered are the potential negative consequences for doing so, even in jurisdictions where such data could be lawfully accessed. Ultimately, the potential challenge to the introduction of this evidence in future legal proceedings, public backlash from the use of this data in criminal investigations (as evidenced in certain countries), the loss of trust in government agencies for function creep in the uses of COVID-19 contact tracing data, and the potential future reluctance of the public in using contact tracing apps for new or recurrent infectious disease outbreaks, epidemics, and/or pandemics because of this function creep, should factor into decisions of the use of COVID-19 contact tracing app data in criminal investigations and the introduction of this data as evidence in criminal proceedings.

CRediT authorship contribution statement

Marie-Helen Maras: Project administration, Conceptualization, Investigation, Writing – original draft, Writing – review & editing. Michelle D. Miranda: Conceptualization, Investigation, Writing – original draft, Writing – review & editing. Adam Scott Wandt: Investigation, Writing – original draft, Writing – review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References

  • 1.S. Suder, A. Siibak, Proportionate response to the COVID-19 Threat? Use of apps and other technologies for monitoring employees under the European Union’s data protection framework, International Labour Review 161(2) (2022) 315-335, https://doi.org/10.1111/ilr.12331; M.-H. Maras and W. O’Brien, Discrimination, stigmatization, and surveillance: COVID-19 and social sorting, Information & Communications Technology Law, published online 20 July 2022, https://www.tandfonline.com/doi/full/10.1080/13600834.2022.2101295.
  • 2.N. Singer, Virus-Tracing apps are rife with problems. Governments are rushing to fix them. New York Times, 8 July 2020, updated 20 July 2020. Accessed: 1 December 2022 [Online]. Available: https://www.nytimes.com/2020/07/08/technology/virus-tracing-apps-privacy.html.
  • 3.A. Illmer, Singapore reveals Covid privacy data available to police, BBC, 5 January 2021. Accessed: 24 July 2022. [Online]. Available: https://www.bbc.com/news/world-asia-55541001 (last accessed 24 July 2022).
  • 4.L. De Wei, Singapore Phases Out the Use of a Controversial Covid Contact Tracing App, Bloomberg, 22 April 2022. Accessed: 24 July 2022. [Online]. Available: https://www.bloomberg.com/news/articles/2022-04-22/singapore-phases-out-use-of-controversial-contact-tracing-app.
  • 5.Federal Constitutional Court of Germany, Judgment of 15 December 1983, 1 BvR 209/83, 269/83, 362/83, 420/83, 440/83 and 484/83.
  • 6.R. Pannett, German police used a tracing app to scout crime witnesses. Some fear that’s fuel for covid conspiracists, Washington Post, 13 January 2022. Accessed: 24 July 2022. [Online]. Available: https://www.washingtonpost.com/world/2022/01/13/german-covid-contact-tracing-app-luca/ (last accessed 24 July 2022).
  • 7.R. Levush, Israel: Privacy Protection Requirements for Conducting COVID-19 Epidemiological Investigations Issued. Global Legal Monitor, Library of Congress, 10 December 2020. Accessed: 10 October 2022 [Online]. Available: https://www.loc.gov/item/global-legal-monitor/2020-12-10/israel-privacy-protection-requirements-for-conducting-covid-19-epidemiological-investigations-issued/.
  • 8.A. Yadlin and A. Marciano, COVID-19 surveillance in Israeli press: Spatiality, mobility, and control. Mobile Media & Communication, 10(3) (2022) 421–447. Available: https://doi.org/10.1177/20501579211068269; A. Marciano, Israel’s mass surveillance during COVID-19: A missed opportunity. Surveillance & Society, 19(1) (2021) 85–88. Available: https://doi.org/10.24908/ss.v19i1.14543.
  • 9.Ibid.
  • 10.D. Williams and A. Rabinovitch, Israel suspends cellphone tracking for coronavirus quarantine enforcement. Reuters, 22 April 2020. Accessed: 4 October 2022 [Online]. Available: https://www.reuters.com/article/health-coronavirus-israel-police-idINKCN2242JF.
  • 11.The exploration of each of these apps is beyond the scope of this article. For further information, see: N. Singer, Virus-Tracing apps are rife with problems. Governments are rushing to fix them. New York Times, 8 July 2020, updated 20 July 2020. Accessed: 1 December 2022 [Online]. Available: https://www.nytimes.com/2020/07/08/technology/virus-tracing-apps-privacy.html.
  • 12.B. Cyphers and G. Gebhart, Apple and Google’s COVID-19 Exposure Notification API: Questions and Answers, EFF, 28 April 2020. Accessed: 8 December 2022 [Online]. Available: https://www.eff.org/deeplinks/2020/04/apple-and-googles-covid-19-exposure-notification-api-questions-and-answers.
  • 13.Barth I.D., Hartel P. Understanding online privacy—a systematic review of privacy visualizations and privacy by design guidelines. ACM Comput. Surv. 2023;55(3):1–37. doi: 10.1145/3502288.
  • 14.Use the COVID-19 Exposure Notifications System on your Android phone. https://support.google.com/android/answer/9888358?hl=en.
  • 15.Office of the Privacy Commissioner of Canada, Privacy review of the COVID Alert exposure notification application, 13 July 2020. Accessed: 10 December 2022 [Online]. Available: https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/rev_covid-app/.
  • 16.Google. Exposure Notifications: Frequently Asked Question, see pp. 4-5, September 2020. Accessed: 18 December 2022 [Online]. Available: https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotification-FAQv1.2.pdf.
  • 17.A. Greenberg, Does Covid-19 Contact Tracing Pose a Privacy Risk? Your Questions, Answered, Wired, 17 April 2020. Accessed: 7 December 2022 [Online]. Available: https://www.wired.com/story/apple-google-contact-tracing-strengths-weaknesses/.
  • 18.G. Sevilla, Top Contact Tracing Apps to Keep Employees Safe, PC Mag, 2 September 2021, Accessed: 9 December 2022 [Online]. Available: https://www.pcmag.com/picks/6-contact-tracing-apps-to-help-your-business-open-safely.
  • 19.A. Galloway, ‘Breach of trust:’ Police using QR check-in data to solve crimes, The Sydney Morning Herald, 6 September 2021. Accessed: 24 July 2022 [Online]. Available: https://www.smh.com.au/politics/federal/breach-of-trust-police-using-qr-check-in-data-to-solve-crimes-20210903-p58om8.html.
  • 20.18 U.S.C 2703(b)(1).
  • 21.T. Fuller and C. Hauser, Search for ‘Golden State Killer’ Leads to Arrest of Ex-Cop, The New York Times, 25 April 2018. Accessed: 3 October 2022 [Online]. Available: https://www.nytimes.com/2018/04/25/us/golden-state-killer-serial.html; R. Wickenheiser, Forensic Science, Bioethics and The Golden State Killer Case. Forensic Science International: Synergy 1 (2019), 114-125.
  • 22.See ft 2, U.S. Department of Justice. (2019). Interim Policy: Forensic Genetic Genealogical DNA Analysis and Searching, 2 September 2019. Accessed: 2 October 2022 [Online]. Available: https://www.justice.gov/olp/page/file/1204386/download.
  • 23.N. F. de Groot, B. C. van Beers, G. Meynen, Commercial DNA tests and police investigations: a broad bioethical perspective. Journal of Medical Ethics 47(12) (2021), 788-795. Available: https://jme.bmj.com/content/47/12/788#ref-7.
  • 24.Suspect Confesses to 2004 Murder, Radio Sweden, 9 June 2020. Accessed: 1 October 2022. [Online]. Available: https://sverigesradio.se/artikel/7491455; Dubbelmordet i Linköping: 37-åringen döms för mord till rättspsykiatrisk vård, SVT NYHEDER, 1 October 2020. Accessed: 1 October 2022. [Online]. Available: https://www.svt.se/nyheter/lokalt/ost/efter-16-ar-nu-faller-domen-i-dubbelmordet.
  • 25.Ancestry.com. Ancestry Guide for Law Enforcement. Accessed: 10 October 2022. [Online]. Available: https://www.ancestry.com/c/legal/lawenforcement.
  • 26.Ibid.
  • 27.FamilyTreeDNA. FamilyTreeDNA Law Enforcement Guide. Accessed: 10 October 2022. [Online]. Available: https://www.familytreedna.com/legal/law-enforcement-guide; 23andMe. 23andMe Guide for Law Enforcement. Accessed: 10 October 2022. [Online]. Available: https://www.23andme.com/law-enforcement-guide/.
  • 28.Ancestry. Ancestry Terms and Conditions (effective 15 August 2022). Accessed: 10 October 2022. [Online]. Available: https://www.ancestry.com/c/legal/termsandconditions.
  • 29.23andMe Guide for Law Enforcement, above n 17.
  • 30.Ibid.
  • 31.GEDmatch.com Terms of Service and Privacy Policy (effective 30 December 2021). Accessed: 10 October 2022. [Online]. Available: https://www.gedmatch.com/terms-of-service-privacy-policy. The portal is promoted as “a dedicated portal designed to support police and forensic teams with investigative comparisons to GEDmatch data.” GEDmatch PRO™. About GEDmatch PRO™. Accessed: 10 October 2022. [Online]. Available: https://pro.gedmatch.com/about.
  • 32.FamilyTreeDNA Law Enforcement Guide, above n 17.
  • 33.Tillmar A., Fagerholm S.A., Staaf J., Sjölund P., Ansell R. Getting the conclusive lead with investigative genetic genealogy – A successful case study of a 16 year old double murder in Sweden. Forensic Science International (FSI) Genetics. 2021;53 doi: 10.1016/j.fsigen.2021.102525.
  • 34.Maryland Chapters 681 and 682 of 2021 and Md. Code, Crim. Proc. § 17-102.
  • 35.Montana Code Annotated 44-6-104.
  • 36.California SB-41; Utah Code Title 13 Chapter 60; and Arizona 44-8001 (effective January 2023).
  • 37.M.-H. Maras and A. S. Wandt, State of Ohio v. Ross Compton: Internet-enabled medical device data introduced as evidence of arson and insurance fraud. The International Journal of Evidence & Proof, 24(3) (2020), 321–328. Available: https://doi.org/10.1177/1365712720930600.
  • 38.Ibid.
  • 39.T. Connor, Fitbit Murder Case: Richard Dabate Pleads Not Guilty in Wife's Death. NBCNews, 28 April 2017. Accessed: 9 October 2022. [Online]. Available: https://www.nbcnews.com/news/us-news/fitbit-murder-case-richard-dabate-pleads-not-guilty-wife-s-n752526.
  • 40.Fitbit. Fitbit Privacy Policy (last updated 16 September 2022). https://www.fitbit.com/global/us/legal/privacy-policy.
  • 41.M.-H. Maras, and A. S. Wandt, State of Ohio v. Ross Compton: Internet-enabled medical device data introduced as evidence of arson and insurance fraud, The International Journal of Evidence & Proof, 24(3) (2020), 321–328 Available: https://doi.org/10.1177/1365712720930600.
  • 42.These are U.S. constitutional requirements as prescribed by the Fourth Amendment to the U.S. Constitution: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”.
  • 43.Frye v. United States, 293 F. 1013 (D.C. Cir. 1923).
  • 44.Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993).
  • 45.Frye, above n 34; Daubert, above n 35, 28 U.S.C. Federal Rules of Evidence.
  • 46.A. M. Phillips, Reading the Fine Print when Buying your Genetic Self Online: Direct-to-Consumer Genetic Testing Terms and Conditions, New Genetics and Society 36(3) (2017), 273-295. Both Phillips (2017) and Wickenheiser (2019) are careful to point out the consumer desensitization that has occurred with the myriad and often verbose information provided in “Terms and Conditions” by such public and private entities.
  • 47.Wickenheiser R. Forensic Science, Bioethics and The Golden State Killer Case. Forensic Science International: Synergy. 2019;1:120. doi: 10.1016/j.fsisyn.2019.07.003.
  • 48.Dahl J.Y., Sætnan A.R. “It All Happened So Slowly”-On Controlling Function Creep in Forensic DNA Databases. International Journal of Law, Crime & Justice. 2009;37:90.
  • 49.Ibid., 83-103.
  • 50.Ibid., p. 98.
  • 51.Bitzer S., Miranda M.D., Bucht R.E. Forensic Advisors: The Missing Link, WIRES. Forensic Sci. 2021;4(3) Article e1444, Available: https://wires.onlinelibrary.wiley.com/doi/epdf/10.1002/wfs2.1444.

Articles from Science & Justice are provided here courtesy of Elsevier