Governments around the world are trying out new digital surveillance tools in efforts to limit the spread of COVID-19. To panicked populations everywhere, the use of these and any other available tools to address the global crisis has obvious appeal. But the proliferation of these tools raises lots of questions—including whether the tools are necessary to protect public health, or are even effective; who has access to the location, contact, and/or health data the tools collect; how that data is used and stored; and when, if ever, that data will be deleted. In contrast to proposals adopted elsewhere, one European proposal at least gestures toward the right answers.

The surveillance tools currently in use by countries hit hard by COVID-19 differ in the data they collect and the purposes to which they put that data. Some governments are compiling personal data to enforce quarantine orders. For example, China is collecting health and location data through a smartphone app that apparently transmits the data to the police and then prohibits people with the wrong color-coded health status from entering public spaces. Taiwan is constructing an “electric fence” around quarantined individuals, turning their smartphones into ankle bracelets by calling twice a day to ensure they never leave home without their location-tracking devices. Other governments are using location data to conduct contact-tracing. Israel is raiding a previously secret stockpile of cellphone metadata to identify and alert those who may have been exposed to an infected individual. Similarly, South Korea is using cellphone location data to create a “virus patient travel log,” in which it publishes the movements, but not the names, of individuals who have tested positive.

Finally, some governments are using anonymized location data to better understand the spread of the virus and the public’s response to social distancing messages. England can examine anonymized location data to create “movement maps” and assess compliance with stay-at-home orders. The U.S. government is reportedly in discussions with Facebook, Google, and other tech companies about the possibility of compiling anonymized location data for public health officials to use in mapping the spread of COVID-19. Meanwhile, it is already making use of de-identified location data dropped at its doorstep by mobile advertising companies. (A recent New York Times feature was based on the same kind of data, obtained from a data intelligence firm called Cuebiq.)

A team of Europeans is creating a different contact-tracing tool that they say is designed to limit the collection and exposure of personal data. The tongue-twisting “Pan-European Privacy-Preserving Proximity Tracing” (PEPP-PT) team, comprised of more than a 100 researchers from eight different countries, has worked with Vodafone and other cellphone providers to develop a tool that complies with the fairly stringent privacy standards set forth in Europe’s General Data Protection Regulation (GDPR). The team has provided a high-level description of how that tool would work: Using Bluetooth technology and encrypted, anonymous identifiers, the tool would determine when one cellphone has come into sufficiently close range of another for infection to occur. The tool would record that connection on the device only for the two-week contagion period. If someone tested positive for COVID-19, they could voluntarily provide the connection history recorded on their cellphone to local health authorities. Health authorities, in turn, could use the tool to alert people who may have been exposed to the virus and direct them to self-quarantine. The team plans to make the tool available on April 7.

The PEPP-PT proposal is intriguing from a privacy perspective. First, the anonymized data would be securely stored on a person’s device for a limited period of time. It would not funnel automatically into a centralized server where it could linger indefinitely. Second, people would provide that data to health authorities on a voluntary basis for use in addressing the current health crisis. At least as described by the PEPP-PT team, the data would not be automatically accessible to untold numbers of government officials to use for any number of purposes now or in the future. Third, the tool would collect connection data, not location data. The collection is thus limited to the data that seems most relevant for purposes of determining who may have been exposed to the virus—data revealing the other people a given person may have come into contact with. Location data, in contrast, reveals much more irrelevant information about a person.

Important questions remain to be answered. First, would the collected data remain anonymous? Anonymized data can often be de-anonymized by those who have access to additional data. Why shouldn’t we worry about that possibility here? Second, would a voluntary system be doomed from the outset? A significant percent of a given population would have to participate in order to enable effective contact tracing. Relatedly, what would stop governments from requiring data sharing by people who test positive, especially absent sufficient numbers of volunteers? And what would stop governments from requiring the designated health authorities to disseminate the data they collect to other governmental authorities, including police and national security departments? Finally, would the Bluetooth-enabled collection of connection data be sufficiently accurate? Bluetooth technology has known accuracy (as well as security) limitations, which could result in false positives and false negatives in this context.

Still, the PEPP-PT proposal seems worth considering, and it is certainly more promising than many other proposals. It is also timely. The cellphone industry is discussing the creation of a global location-data sharing system, and governments are resorting to ever-encroaching surveillance. Though these extraordinary measures may seem justified in these extraordinary times, we should hesitate to entrust so much more of our data to tech companies, police departments, and other governmental authorities that seem to view mass surveillance as manifest destiny. We should be particularly wary of tracking proposals propounded by surveillance-tech manufacturers, which have much to gain from public acceptance of new privacy-intrusive practices. Instead, we should rely on public health experts to articulate the actual need for surveillance in the service of our collective efforts to limit the spread of COVID-19, and we should look to privacy experts to ensure that new surveillance practices are no broader than necessary and subject to appropriate oversight.