MassNotify is the COVID-19 automated exposure notification system (combination of technology and processes), powered by technology developed by Apple and Google. By enabling this service, you can be quickly notified if you’ve likely been exposed to the virus by another MassNotify user, allowing you to reduce risk for your loved ones, seek medical attention, and slow the spread in your community. The system allows users to send and receive notifications of a potential high-risk exposure to COVID-19, in a privacy-focused manner. The notifications will include instructions on next steps a user should take to help stop the spread of COVID-19.
The exposure notifications are intended to complement the conventional contact tracing efforts undertaken by public health authorities involving contact by a contact tracer.
How it works
Except as specified in this section, MassNotify does not collect or exchange any personal data (as defined in the Fair Information Practices Act, MGL ch. 66A) when users are running the MassNotify exposure notification system, sharing their recent COVID-19 results anonymously, or receiving anonymous exposure notifications from someone they were near recently.
There are three instances in which MassNotify collects personal data.
First, in order to provide anonymous verification links to people who test positive for COVID-19 to share with other MassNotify users, DPH provides the cellphone numbers of COVID-19 positive individuals to a secure third-party system that will generate SMS text messages to them with their MassNotify verification links.
The cellphone numbers provided by DPH to the secure third-party system for issuance of verification codes are not stored by the third-party or verification server. They are transmitted to another third-party provider of SMS messaging services, which retains the cellphone numbers for twenty-four (24) hours in connection with those services and then deletes them.
Second, users may also self-request a verification link. For example, DPH may not have the cellphone numbers of COVID-19 positive individuals and therefore is not able to start the process of issuing them a verification code. Or, users may want to use a verification code that they have received, but find that it has expired.
Using the self-request feature of the MassNotify tool, the user can choose to provide the mobile phone number of their device and attest that they have received a positive test within the last 14 days in order to receive a verification link. This request will share the individual’s cellphone number with the secure third-party system that provides verification codes, which will in turn issue a verification link to the user through an SMS text message. When a user requests a verification link in this manner, a cryptographically-protected version of their phone number is stored in the secure verification server for a certain amount of time to prevent users from self-requesting a positive diagnosis more than once in a 90-day period. If the user successfully uses the verification link, the cryptographically-protected version of the phone number is stored for 90 days. If the user does not use the verification link, the cryptographically-protected version of the phone number is cleared from the server after ~60 minutes. If the individual experiences any technical issues with a self-request for a verification link, they can email the MassNotify help desk for assistance.
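The retention rules for self-requested links, as an added example that is not MassNotify's code: a keyed hash (HMAC with a server secret, an assumption, since the page only says "cryptographically-protected") stands in for the phone number, an unused record expires after ~60 minutes, and a redeemed record blocks further self-requests for 90 days.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumption: the server protects phone numbers with a keyed hash; the page
# does not say which construction it uses. The secret is a constructed value.
SERVER_SECRET = b"constructed-server-secret-do-not-use"
UNUSED_TTL = timedelta(minutes=60)  # page: cleared after ~60 minutes if unused
USED_TTL = timedelta(days=90)       # page: kept 90 days once the link is used


def protect(phone: str) -> str:
    """Return the protected form of a phone number (never store the plaintext)."""
    return hmac.new(SERVER_SECRET, phone.encode(), hashlib.sha256).hexdigest()


class SelfRequestStore:
    """Tracks protected phone numbers only as long as the page's rules require."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[datetime, bool]] = {}  # key -> (expires, used)

    def _expire(self, now: datetime) -> None:
        self._records = {k: v for k, v in self._records.items() if v[0] > now}

    def request_link(self, phone: str, now: datetime) -> bool:
        """Issue a link unless this number redeemed one in the last 90 days."""
        self._expire(now)
        key = protect(phone)
        if key in self._records and self._records[key][1]:
            return False  # a positive diagnosis was already self-reported
        self._records[key] = (now + UNUSED_TTL, False)
        return True

    def redeem(self, phone: str, now: datetime) -> bool:
        """Consume an outstanding link; the record then lives for 90 days."""
        self._expire(now)
        key = protect(phone)
        if key not in self._records or self._records[key][1]:
            return False  # expired, never issued, or already used
        self._records[key] = (now + USED_TTL, True)
        return True
```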
Third, the component of MassNotify that verifies users’ COVID-19 positive status, and the component with which users may share anonymous Bluetooth codes, also collect the user’s smartphone or home network public-facing Internet Protocol or “IP” address. Although an IP address could be used to identify you, MassNotify will not use IP addresses for this purpose. MassNotify uses IP addresses only to assist the Commonwealth in resolving issues that it may encounter while implementing and operating MassNotify, and to ensure proper operation of the technology components of the system. Among other activities, MassNotify protects IP addresses by deleting them, typically within a standard 14-day period but, in certain instances, after 30 days. In addition, MassNotify protects IP addresses by securing them, limiting access to them to a tightly controlled group of people who use them only for debugging the system or responding to denial of service (“DoS”) attacks, using mandatory access controls and audit policies, and obscuring real IP addresses by using a technology process called “chaff requests” (intentionally generated fake user requests).
The mobile devices of MassNotify users share anonymous codes (randomly generated codes made up of strings of numbers) via Bluetooth. The only data used in this process are the anonymous codes, Bluetooth signal strength (proximity), and date and duration of exposure. These data are not linked to a user’s identity or location. Each user’s codes change frequently to further protect their identity. These data are stored only on the user’s own device and are never shared unless and until the user has a positive COVID-19 diagnosis and elects to share this information anonymously within the MassNotify system. The anonymous codes sent to and received from a user’s cellphone are stored for a period of 14 days and then automatically deleted from the phone. Once deleted, these data cannot be restored.
A user who tests positive for COVID-19 may choose to notify other MassNotify users who have been near the user. If the user does not choose to notify others, nothing about the user’s COVID-19 positive status is shared. To trigger a notification, the COVID-19 positive user must enter a valid verification code. Verification codes are provided to all newly COVID-positive individuals through a verification link sent in an SMS text message from a secure third-party system to which DPH provides the cellphone numbers of COVID-19 positive individuals or through a self-request, as described above. Neither the verification code nor the verification link is associated with the positive user’s identity.
Several times a day, cellphones that have activated MassNotify will check for anonymous codes associated with positive COVID-19 cases that have elected to share their codes. The user’s device checks these codes against the list of codes it has encountered in the past 14 days. If there is a match, and the date, duration, and proximity indicate a possible exposure to the virus, the user will receive an exposure notification.
The notification will inform the user of the date of exposure and instructions on what to do next.
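The on-device matching step described above, as an added example that is not MassNotify's or the Apple/Google framework's code: locally stored encounters older than 14 days are purged, the rest are compared against codes published by users who verified a positive result and chose to share, and a match counts as an exposure only if duration and proximity cross thresholds (the 15-minute and attenuation values are assumptions; the page states no numbers). The result carries only the day, reported as a 24-hour window.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

RETENTION_DAYS = 14          # page: codes are kept 14 days, then deleted
MIN_DURATION_MIN = 15        # assumed threshold; the page gives no number
MAX_ATTENUATION_DB = 60      # assumed proximity threshold (lower = closer)


@dataclass(frozen=True)
class Encounter:
    code: bytes          # anonymous rolling code heard over Bluetooth
    seen: datetime       # when it was heard
    duration_min: int    # cumulative minutes the code was in range
    attenuation_db: int  # signal attenuation standing in for proximity


def purge_old(encounters: list[Encounter], now: datetime) -> list[Encounter]:
    """Drop anything older than the 14-day retention window."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [e for e in encounters if e.seen >= cutoff]


def find_exposures(encounters: list[Encounter],
                   shared_positive_codes: list[bytes],
                   now: datetime) -> list[date]:
    """Return the distinct days (24-hour windows) on which an exposure occurred.

    Only the day is surfaced; the matching code and signal data stay on the device.
    """
    positives = set(shared_positive_codes)
    days = set()
    for e in purge_old(encounters, now):
        if e.code not in positives:
            continue
        if e.duration_min >= MIN_DURATION_MIN and e.attenuation_db <= MAX_ATTENUATION_DB:
            days.add(e.seen.date())
    return sorted(days)


def sample_run() -> list[date]:
    """Constructed encounters: one real exposure, one too distant, one expired, one unmatched."""
    now = datetime(2021, 6, 20, 12, 0)
    encounters = [
        Encounter(b"code-A", datetime(2021, 6, 18, 9, 0), 20, 50),   # matches, close, long enough
        Encounter(b"code-B", datetime(2021, 6, 19, 10, 0), 30, 75),  # matches but too far away
        Encounter(b"code-C", datetime(2021, 6, 1, 8, 0), 40, 40),    # matches but past 14 days
        Encounter(b"code-D", datetime(2021, 6, 19, 15, 0), 20, 45),  # never shared as positive
    ]
    return find_exposures(encounters, [b"code-A", b"code-B", b"code-C"], now)
```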
User consent & choices
Using the system
MassNotify has the potential to help stop the spread of COVID-19 and its use is highly encouraged, but the use of MassNotify technology and the decision to share codes with other users is completely voluntary.
Users may turn the system on or off at any time. The system does not collect, track or store users’ location, GPS information, or personal information (other than the secure third-party verification server, which receives cellphone numbers of COVID-19 positive individuals from DPH or through self-requests, as described above).
In order to support Massachusetts’ launch of Exposure Notifications on Android phones, the functionality that underlies MassNotify may be distributed by the Google Play Store to allow users to turn on and use Exposure Notifications directly from the settings on their Android phone. This functionality is distributed by Google in this manner so that MassNotify is able to work as soon as a user decides to turn it on. It is important to note that distributing the functionality in this manner does not automatically activate Exposure Notifications on users’ devices, and users’ device settings are not changed. Android users still need to turn on Exposure Notifications through their settings in order for MassNotify to become active. For more information on how Exposure Notifications work through your Android phone settings, please see Google’s Play Store article.
To use Exposure Notifications, users must go through the MassNotify onboarding process. Users decide whether to enable Exposure Notifications and whether to share information through the system to help warn others of possible exposure.
Disabling exposure notifications
Users may disable MassNotify at any time by turning off the feature in their smartphone settings, turning off the mobile device, or turning off the Bluetooth function. If the user deactivates MassNotify, all codes currently stored on the device will be immediately deleted.
If MassNotify is deactivated, your device will no longer generate or exchange random codes with other users’ mobile devices. Any random codes that were previously shared with other MassNotify users will be automatically deleted after 14 days from the date the code was generated.
Generating exposure notifications to other users
Providing notification of a positive COVID-19 test result to other users is also completely voluntary. Users may choose to anonymously notify other MassNotify users of a positive COVID-19 test result. If a user tests positive for COVID-19, and chooses to notify others, the user must enter a positive test verification code to release the anonymous codes stored on the mobile device. The user will also be asked to enter a date of symptom onset, if applicable. If available, symptom onset date is used to identify the other MassNotify users who should receive an exposure notification because their devices were within a certain number of feet of the COVID-19 positive individual for a certain number of minutes. Finally, the user is prompted to consent to alert others.
When a user consents to alert others, the notifications that may be generated by MassNotify do not disclose the COVID-19 positive user’s identity, location, phone number, or any other personal data.
The exposure notification includes the date of the exposure (obscured, for privacy purposes, by being stated as a 24-hour window). Sharing the exposure date is important to ensure that users have the information necessary to take the right precautions (such as getting tested for COVID-19) at the appropriate time based on the exposure date. It is possible that someone who receives an exposure notice could guess the identity of the COVID-19 positive individual, if they had a very limited number of contacts on a given day.
A verification code is required to share a positive test result in the system. This ensures that only verified positive test results are used to generate exposure notifications. Verification codes will only be generated by MassNotify when requested by DPH, or by a user through the self-request process. Both types of requests are made through a secure third-party system. Verification codes are provided to all MassNotify users who are newly COVID-19 positive individuals and for whom DPH has a cellphone number through a verification link sent in an SMS text message from the secure third-party system. Neither the verification code nor the verification link is associated with the positive user’s identity. However, if multiple users share the same cellphone, it is possible that when a verification code is sent, the user(s) that are not COVID-19 positive will learn the COVID-19 positive status of the person with whom they share the phone. Verification links and codes expire after 24 hours when distributed by the DPH process described above and expire after 15 minutes when the verification link is a self-request from a user.
Sharing of information
The following categories of non-personally identifying data may be processed and collected by MassNotify if users opt to provide it:
- Metrics on the number of devices contributing anonymous data
- Exposure notification metrics
- Exposure notification interaction metrics
- Key upload metrics
- Verification code metrics
- Anonymous keys that have been voluntarily shared
The data are provided to DPH. These data are only collected if a user explicitly opts in, and a user can choose to stop sharing the data at any time by turning off analytics sharing with MassNotify using the setting on their phone. The aggregated, anonymous data collected for analytics purposes may only be used by DPH or those it authorizes to monitor system usage, as well as for performance evaluation and statistical, scientific and public health research purposes. This information will not include any personal or location information.
MassNotify is intended for use by people ages 18 and over, as well as users between the ages of 13 and 17 with parent or legal guardian consent. There is no MassNotify-specific parental approval system for this age group. However, parents can control access to MassNotify by using the tools readily available to parents to manage their children's access to device settings, apps, and purchases. For example, 13-year-olds using Android phones must have an account set up for them by a parent who has provided verifiable parental consent. Additionally, the parent can use Screen Time settings and Ask to Buy to manage devices that the child signs into with their account and apps that they download.
Ms. Cecelia Dunn
Bureau of Infectious Disease and Laboratory Sciences
Massachusetts Department of Public Health
305 South Street
Boston, MA 02130