Massachusetts public health agency settles contact-tracing app lawsuit, agrees to delete data

The Pennsylvania Department of Public Health last month settled a class-action lawsuit by a handful of Android users who claimed that the state had worked with Google to automatically install a COVID-19 contact-tracing app on their phones, and the phones of more than one million others, tracking their locations and transmitting their personal information.

As part of the settlement, the state has agreed to “destroy” all data it had collected through the contact-tracing app, called MassNotify. The department also agreed, for the next five years, not to install similar applications on Android devices.

The New Civil Liberties Alliance, a right-leaning nonprofit law firm that challenges administrative overreach, last week called the settlement a victory for not only the state’s residents, but the nation. Peggy Little, the Alliance’s senior litigation counsel on the case, in press materials called it “a powerful cautionary precedent that government should not adopt new intrusive technology to spy on its citizens using their own smartphones without regard for law.” The firm has called the state’s app “insidious spyware,” installed ” not only on the phones of Massachusetts residents and workers, but even on people’s Android phones who were just passing through the Commonwealth.”

The Alliance filed its lawsuit in November of 2022, claiming that the department had “worked with Google to secretly install” the app, which was not displayed on the phone with an icon, as is typical for newly installed apps, but was accessible only through a setting somewhere in Android’s settings menus. And when users discovered and deleted the app, the Alliance claimed in its initial complaint, “DPH would re-install it on to their devices.” One user’s app review, cited in the case, reads: “Omg!!!! This app somehow installed itself on my phone. … This app is harder to get rid of than Covid.”

Like many other contact-tracing apps, MassNotify automatically exchanged information over Bluetooth with other nearby devices to alert users of possible exposures. According to the Alliance’s court filings, data exchanged included unique phone identifiers, locations, wireless network IP addresses, phone numbers and personal email addresses. The Alliance claimed the data was accessible to the state’s public health department, Google, application developers, the device makers, network providers and anyone with access to the app’s logs.

In requesting a case dismissal in February of 2023, the state public health department’s lawyers argued that the “exposure notification” feature was an optional, anonymous service that did not collect location information. The state also disputed one of the Alliance’s central legal claims: that automatic installation of an app is a Fourth Amendment violation, because “it interfered with phone owners’ property interests and collected private information about them.” The state argued that the app’s installation did not constitute a “search,” in the terminology of the Constitution’s prohibition of unreasonable searches or seizures of property.

The Alliance also claimed that “taking up storage space” on users’ phones without their consent amounted to the uncompensated taking of property for public use: a potential Fifth Amendment violation, if true. The state countered early in the case that the Alliance had not presented facts showing how phone storage was affected, nor about the plaintiffs’ “claimed property interest in digital storage.”

Like at least two dozen other states, and some foreign nations, Massachusetts turned to digital contract-tracing as a means to better understand, and avoid, a novel virus that would eventually kill a reported 7.1 million people worldwide. But even amid the chaos of the globe’s most recent health emergency, many government executives recognized that privacy would remain a principle to be respected. One survey, conducted in the spring of 2020 by the cybersecurity firm ESET, showed nearly three of four Americans rejected contact-tracing apps, citing concerns with digital privacy and unwanted health surveillance.

Like all social networks, contact-tracing apps are only useful if they reach a critical mass of users. The Alliance claimed in its complaint that the first version of MassNotify did not automatically install on users’ phones when they found themselves within state lines, but that the state created a new version after observing lackluster download numbers. (Margret Cooke, then Massachusetts’ public health commissioner, stepped down in 2023 to become a vice president with the Dana-Farber Cancer Institute. A current official with the department could not be reached for comment in time for publication.)

The Alliance in its filings referenced the prevalence of contact-tracing apps during the COVID-19 pandemic, noting that Massachusetts was “the only” state to “surreptitiously embed the Contact Tracing App on mobile devices that DPH locates within its borders, without obtaining the owners’ knowledge or consent.” Mark Chenoweth, the Alliance’s president and chief legal officer, noted in press materials that such “power grabs” are referred to in his circle as cases of “Governors Gone Wild.” He called the move Orwellian, and a raft of one-star reviews left by the app’s users show many agreed.