MassNotify is the COVID-19 automated exposure notification system (combination of technology and processes), powered by technology developed by Apple and Google. By enabling this service, you can be quickly notified if you’ve likely been exposed to the virus by another MassNotify user, allowing you to reduce risk for your loved ones, seek medical attention, and slow the spread in your community. The system allows users to send and receive notifications of a potential high-risk exposure to COVID-19, in a privacy-focused manner. The notifications will include instructions on next steps a user should take to help stop the spread of COVID-19.
The exposure notifications are intended to complement the conventional contact tracing efforts undertaken by local public health authorities and Massachusetts’ Community Tracing Collaborative involving contact by a contact tracer.
How it works
Except as specified in this section, MassNotify does not collect or exchange any personal data (as defined in the Fair Information Practices Act, MGL ch. 66A) when users are running the MassNotify exposure notification system, sharing their recent COVID-19 results anonymously, or receiving anonymous exposure notifications from someone they were near recently.
There are three instances in which MassNotify collects personal data.
First, in order to provide anonymous verification links to people who test positive for COVID-19 to share with other MassNotify users, DPH provides the cellphone numbers of COVID-19 positive individuals to a secure third-party system that will generate SMS text messages to them with their MassNotify verification links.
Second, in a minority of cases, DPH may not have the cellphone numbers of COVID-19 positive individuals and therefore will not be able to start the process of issuing them a verification code by sending their cellphone number to the secure third-party system. In other cases, users may want to use a verification code that they have received, but find that it has expired. In either case, when such individuals email the MassNotify Helpdesk, it will respond with an email containing the phone number for the Commonwealth’s MassNotify Team. When they call the MassNotify Team, one of its members will ask them for the following authenticating information: the caller’s first and last name, address, date of birth, gender and cellphone number. Callers may, at their option, also provide the date of their COVID-19 test and their landline number (users may decide that they don’t want to share their authenticating information, in which case they will not receive a verification code). If the caller can be identified by the MassNotify Team, through reference to the Commonwealth’s systems, as a COVID-19 positive individual, the Team will share the individual’s cellphone number with the secure third-party system that provides verification codes, which will in turn issue a code to the user through an SMS text message. The Massachusetts COVID-19 Team will record the authentication information in the COVID-19 Team’s customer relationship management system.
The cellphone numbers provided by DPH or the MassNotify Team to the secure third party system for issuance of verification codes are not stored by the third-party or verification server. They are transmitted to another third-party provider of SMS messaging services, which retains the cellphone numbers for twenty-four (24) hours in connection with those services and then deletes them.
Third, the component of MassNotify that verifies users’ COVID-19 positive status, and the component with which users may share anonymous Bluetooth codes, also collect the user’s smartphone or home network public facing Internet Protocol or “IP” address. Although an IP address could be used to identify you, MassNotify will not use IP addresses for this purpose. MassNotify uses IP addresses only to assist the Commonwealth in resolving issues that it may encounter while implementing and operating MassNotify, and to ensure proper operation of the technology components of the system. Among other activities, MassNotify protects IP addresses by deleting them, typically within a standard 14-day period but, in certain instances, after 30 days. In addition, MassNotify protects IP addresses by securing them, limiting access to them to a tightly controlled group of people who use them only for debugging the system or responding to denial of service (“DNS”) attacks, using mandatory access controls and audit policies, and obscuring real IP addresses by using a technology process called “chaff requests” (intentionally generated fake user requests).
The mobile devices of MassNotify users share anonymous codes (randomly generated codes made up of strings of numbers) via Bluetooth. The only data used in this process are the anonymous codes, Bluetooth signal strength (proximity), and date and duration of exposure. This data is not linked to a user’s identity or location. Each user’s codes change frequently to further protect their identity. This data is stored only on the user’s own device and is never shared unless and until the user has a positive COVID-19 diagnosis and elects to share this information anonymously within the MassNotify system. The anonymous codes sent to and received from a user’s cellphone are stored for a period of 14 days and then automatically deleted from the phone. Once deleted, this data cannot be restored.
A user who tests positive for COVID-19 may choose to notify other MassNotify users who have been near the user. If the user does not choose to notify others, nothing about the user’s COVID-19 positive status is shared. To trigger a notification, the COVID-19 positive user must enter a valid verification code. Verification codes are provided to all newly COVID-positive individuals through a verification link sent in an SMS text message from a secure third-party system to which DPH or the MassNotify Team provide the cellphone numbers of COVID-19 positive individuals, as described above. Neither the verification code nor the verification link is associated with the positive user’s identity.
Several times a day, cellphones that have activated MassNotify will check for anonymous codes associated with positive COVID-19 cases that have elected to share their codes. The user’s device checks these codes against the list of codes it has encountered in the past 14 days. If there is a match, and the date, duration, and proximity indicate a possible exposure to the virus, the user will receive an exposure notification.
The notification will inform the user of the date of exposure and instructions on what to do next.
User consent & choices
Using the system
MassNotify has the potential to help stop the spread of COVID-19 and its use is highly encouraged, but the use of MassNotify technology and the decision to share codes with other users is completely voluntary.
Users may turn the system on or off at any time, or uninstall the app on an Android device. The system does not collect, track or store users’ location, GPS information, or personal information (other than the secure third-party verification server which receives cellphone numbers of COVID-19 individuals from DPH or the MassNotify team, and the MassNotify Team’s customer relationship system which receives and stores authenticating information in a small number of cases, as described above).
Disabling exposure notifications
Users may disable MassNotify at any time by uninstalling the app (Android), turning off the feature (iOS), turning off the mobile device, or turning off the Bluetooth function. If the user uninstalls or deactivates MassNotify, all codes currently stored on the device will be immediately deleted.
If MassNotify is deleted or uninstalled, your device will no longer generate or exchange random codes with other users’ mobile devices. Any random codes that were previously shared with other MassNotify users will be automatically deleted after 14 days from the date the code was generated.
Generating exposure notifications to other users
Providing notification of a positive COVID-19 test result to other users is also completely voluntary. Users may choose to anonymously notify other MassNotify users of a positive COVID-19 test result. If a user tests positive for COVID-19, and chooses to notify others, the user must enter a positive test verification code to release the anonymous codes stored on the mobile device. The user will also be asked to enter a date of symptom onset, if applicable. If available, symptom onset date is used to identify the other MassNotify users who should receive an exposure notification because their devices were within a certain number of feet of the COVID-19 positive individual for a certain number of minutes. Finally, the user is prompted to consent to alert others.
When a user consents to alert others, the notifications that may be generated by MassNotify do not disclose the COVID-19 positive user’s identity, location, phone number, or any other personal data.
The exposure notification includes the date of the exposure (obscured, for privacy purposes, by being stated as a 24-hour window). Sharing the exposure date is important to ensure that users have the information necessary to take the right precautions (such as self-quarantine) for an appropriate amount of time based on the exposure date. It is possible that someone who receives an exposure notice could guess the identity of the COVID-19 positive individual, if they had a very limited number of contacts on a given day.
A verification code is required to share a positive test result in the system. This ensures that only verified positive test results are used to generate exposure notifications. Verification codes will only be generated by MassNotify when requested by DPH or the MassNotify Team through a secure third-party system. Verification codes are provided to all MassNotify users who are newly COVID-19 positive individuals and for whom DPH has a cellphone number through a verification link sent in an SMS text message from the secure third-party system. Neither the verification code nor the verification link is associated with the positive user’s identity. However, if multiple users share the same cellphone, it is possible that when a verification code is sent, the user(s) that are not COVID-19 positive will learn the COVID-19 positive status of the person with whom they share the phone. Verification links and codes expire after 24 hours.
Sharing of information
The following categories of non-personally identifying data may be processed and collected by MassNotify if users opt to provide it:
- App installation and deletion metrics (Android only)
- Exposure notification metrics
- Exposure notification interaction metrics
- Key upload metrics
- Verification code metrics
- Anonymous keys that have been voluntarily shared
The data is provided to DPH. This data is only collected if a user explicitly opts-in, and a user can choose to stop sharing the data at any time by turning off analytics sharing with MassNotify by using the setting on their phone. The aggregated, anonymous data collected for analytics purposes may only be used by DPH or those it authorizes to monitor system usage, as well as for performance evaluation and statistical, scientific and public health research purposes. This information will not include any personal or location information.
MassNotify is intended for use for ages 18 and over as well as users between the ages of 13 and 17 with parent or legal guardian consent. There is no MassNotify-specific parental approval system for this age group. However, parents can control access to MassNotify by using the tools readily available to parents to manage their childrens’ access to device settings, apps, and purchases. For example, 13-year-olds using Android phones must have an account set up for them by a parent who has provided verifiable parental consent. Additionally, the parent can use Screentime settings and Ask to Buy to manage devices that the child signs into with their account and apps that they download.
Ms. Cecelia Dunn
Bureau of Infectious Disease and Laboratory Sciences
Massachusetts Department of Public Health
305 South Street
Boston, MA 02130