On June 15th, the state of Massachusetts announced the roll out of “MassNotify” which, if manually enabled, uses Bluetooth technology to alert you to potential COVID-19 exposure. In the past few weeks, people throughout the state have expressed concern about whether or not this service is a violation of privacy. As with many other stories regarding both technology and the COVID-19 pandemic, it can be difficult to identify the truth, so it is important to establish the facts of this new service.
This technology is not new; in April of 2020 Apple and Google announced that in addition to COVID-19 contact tracing apps, they would be partnering to develop “a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms.” On iPhones, the technology was made available as part of the iOS 13.5 update in May of 2020, and on Androids it was added to devices as part of a Google Play Services update.
In the last year, numerous state health agencies have worked with Apple and Google to develop state-wide exposure notification systems using this technology. MassNotify is one of the latest systems to be implemented, but other states such as New York and Pennsylvania have been using their own versions of this system for months.
If you are concerned about your privacy being violated by this system, one of the most important aspects of this technology to understand is that it is voluntary. In order to activate MassNotify, you must go into “Exposure Notifications” in your phone’s settings, manually turn on the notifications, and select that you live in Massachusetts and wish to participate in MassNotify.
If you do not go through these steps, you will not be participating in the Exposure Notification service. Additionally, the services can be turned off at any time.
This technology does not track location, and as stated on the MassNotify FAQ page “no personal information is collected or shared when you contribute your data, so there is no way to identify you.” The Department of Health only has access to state-wide level data.
Whether or not you choose to participate in the MassNotify is entirely up to you. Because this service is part of the Google and Apple operating systems, you still may see “Exposure Notifications” in your phone’s settings, but if you do not manually opt-in, no data will be collected.
No thank you. I will be masking up in public indoor spaces but there’s no way I’m installing something like this.
I generally don’t trust bluetooth and keep it disabled, since I keep an old phone that the manufacturer no longer provides security updates for. I’ve seen various bluetooth software vulnerabilities run across the list of security updates for the GNU/Linux distro I use at home. These I can’t get onto my phone’s Linux and supporting userland until I get a free operating system like postmarketos or at least lineageos on this phone.
And the “fact” that no personal data can be found out about you if you set yourself as infected on the phone seems questionable just off the top of my head. Bluetooth is a near field technology. So it would be relatively trivial for an interested person to selectively enable it and carefully watch the results if he wanted to know if a particular person was infected. I would call whether you have a SARS-CoV-2 infection personal data, wouldn’t you?
You may say, “geez, if you’re so concerned about security and privacy shouldn’t you get a phone that still gets Linux/Android updates?” Okay, maybe. But I’m also keen to reduce e-waste and Google’s ideas of what’s a privacy violation make me not interested in enabling Google Play Store or getting new versions of Android. (Their view seems to be that we should trust them, so if something doesn’t leave their servers it’s not a problem.) Apple might be marginally better (but how would we know?) but I’m not into walled gardens or control freak architectural decisions.