MassNotify was the COVID-19 automated exposure notification system (combination of technology and processes), powered by technology developed by Apple and Google. By enabling this service, you could have been quickly notified if you had likely been exposed to the virus by another MassNotify user, allowing you to reduce risk for your loved ones, seek medical attention, and slow the spread in your community. The system allowed users to send and receive notifications of a potential high-risk exposure to COVID-19, in a privacy-focused manner. The notifications included instructions on next steps a user could take to help stop the spread of COVID-19.
The exposure notifications were intended to complement the conventional contact tracing efforts undertaken by public health authorities involving contact by a contact tracer.
How it worked
Except as specified in this section, MassNotify did not collect or exchange any personal data (as defined in the Fair Information Practices Act, MGL ch. 66A) when users were running the MassNotify exposure notification system, shared their recent COVID-19 results anonymously, or received anonymous exposure notifications from someone they were near recently.
There are three instances in which MassNotify collected personal data.
First, in order to provide anonymous verification links to people who test positive for COVID-19 to share with other MassNotify users, DPH provided the cellphone numbers of COVID-19 positive individuals to a secure third-party system that generated SMS text messages to them with their MassNotify verification links.
The cellphone numbers provided by DPH to the secure third-party system for issuance of verification codes were not stored by the third-party or verification server. They were transmitted to another third-party provider of SMS messaging services, which retained the cellphone numbers for twenty-four (24) hours in connection with those services and then deleted them.
Second, users could also self-request a verification link. For example, DPH may not have had the cellphone numbers of COVID-19 positive individuals and therefore was not able to start the process of issuing them a verification code. Or, users may have wanted to use a verification code that they had received, but found that it had expired.
Using the self-request feature of the MassNotify tool, the user could have chosen to provide the mobile phone number of their device and attested that they had received a positive test within the last 14 days in order to receive a verification link. This request shared the individual’s cellphone number with the secure third-party system that provided verification codes, which in turn issued a verification link to the user through an SMS text message. When a user requested a verification link in this manner, a cryptographically-protected version of their phone number (not the number itself) was stored in the secure verification server for a limited time to prevent users from self-requesting a positive diagnosis more than once in a 30-day period. If the user successfully used the verification link, the cryptographically-protected version of the phone number was stored for 30 days. If the user did not use the verification link, the cryptographically-protected version of the phone number was cleared from the server after approximately 60 minutes. If the individual experienced any technical issues with a self-request for a verification link, they could have emailed the MassNotify help desk for assistance.
Third, the component of MassNotify that verified users’ COVID-19 positive status, and the component with which users could have shared anonymous Bluetooth codes, also collected the user’s smartphone or home network public facing Internet Protocol or “IP” address. Although an IP address could be used to identify you, MassNotify did not use IP addresses for this purpose. MassNotify used IP addresses only to assist the Commonwealth in resolving issues that it may have encountered while implementing and operating MassNotify, and to ensure proper operation of the technology components of the system. Among other activities, MassNotify protected IP addresses by deleting them, typically within a standard 14-day period but, in certain instances, after 30 days. In addition, MassNotify protected IP addresses by securing them, limiting access to them to a tightly controlled group of people who used them only for debugging the system or responding to denial of service (“DoS”) attacks, using mandatory access controls and audit policies, and obscuring real user requests by mixing them with “chaff requests” (intentionally generated fake requests, so that a request seen at the server cannot be assumed to come from a real user).
The mobile devices of MassNotify users shared anonymous codes (randomly generated codes made up of strings of numbers) via Bluetooth. The only data used in this process were the anonymous codes, Bluetooth signal strength (proximity), and date and duration of exposure. These data were not linked to a user’s identity or location. Each user’s codes changed frequently to further protect their identity. These data were stored only on the user’s own device and were never shared unless and until the user had a positive COVID-19 diagnosis and elected to share this information anonymously within the MassNotify system. The anonymous codes sent to and received from a user’s cellphone were stored for a period of 14 days and then automatically deleted from the phone. Once deleted, these data cannot be restored.
A user who tested positive for COVID-19 could have chosen to notify other MassNotify users who had been near the user. If the user did not choose to notify others, nothing about the user’s COVID-19 positive status was shared. To trigger a notification, the COVID-19 positive user must have entered a valid verification code. Verification codes were provided to all newly COVID-positive individuals through a verification link sent in an SMS text message from a secure third-party system to which DPH provided the cellphone numbers of COVID-19 positive individuals or through a self-request, as described above. Neither the verification code nor the verification link was associated with the positive user’s identity.
Several times a day, cellphones that had activated MassNotify checked for anonymous codes associated with positive COVID-19 cases that had elected to share their codes. The user’s device checked those codes against the list of codes it had encountered in the past 14 days. If there was a match, and the date, duration, and proximity indicated a possible exposure to the virus, the user would receive an exposure notification.
The notification informed the user of the date of exposure and instructions on what to do next.
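The following model of the code exchange and on-device matching just described is an added example, not code from MassNotify or from the Apple and Google framework. The framework derives each rotating code from a per-day key with HKDF and AES; this model keeps the same structure (random daily key, one code per interval, keys released only after a verified positive result, matching done entirely on the receiving phone) but uses HMAC-SHA256 as a stand-in derivation. The 10-minute rotation, the 15-minute cumulative duration threshold, the signal-strength threshold and the sample encounters are all constructed assumptions; the 14-day retention is the page's own figure.

```python
"""Model of anonymous Bluetooth codes and on-device exposure matching.
Constructed example; derivation is a stand-in for the framework's HKDF/AES scheme."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

INTERVAL_SECONDS = 10 * 60                      # assumption: codes rotate about every 10 minutes
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS   # 144 codes per daily key
RETENTION_DAYS = 14                             # page: codes are kept 14 days, then deleted
MIN_EXPOSURE_SECONDS = 15 * 60                  # assumption: >= 15 cumulative minutes in one day
NEAR_RSSI_DBM = -65                             # assumption: signal at least this strong counts as "near"


def interval_number(unix_time: int) -> int:
    return unix_time // INTERVAL_SECONDS


def day_number(unix_time: int) -> int:
    return interval_number(unix_time) // INTERVALS_PER_DAY


def rolling_code(daily_key: bytes, interval: int) -> bytes:
    """Code broadcast during one interval, derived from that day's key.
    Stand-in for the framework's HKDF + AES derivation: HMAC-SHA256 truncated to 16 bytes."""
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Device:
    daily_keys: dict = field(default_factory=dict)  # day number -> 16 random bytes (this phone's own)
    observed: list = field(default_factory=list)   # (code, unix_time, duration_s, rssi_dbm) heard nearby

    def broadcast(self, unix_time: int) -> bytes:
        key = self.daily_keys.setdefault(day_number(unix_time), secrets.token_bytes(16))
        return rolling_code(key, interval_number(unix_time))

    def observe(self, code: bytes, unix_time: int, duration_s: int, rssi_dbm: int) -> None:
        # Only the code, time, duration and signal strength are kept; no identity, no location.
        self.observed.append((code, unix_time, duration_s, rssi_dbm))

    def prune(self, now: int) -> None:
        """Drop keys and observations older than the 14-day window."""
        cutoff_day = day_number(now) - RETENTION_DAYS
        self.observed = [o for o in self.observed if day_number(o[1]) > cutoff_day]
        self.daily_keys = {d: k for d, k in self.daily_keys.items() if d > cutoff_day}

    def keys_to_share(self, now: int) -> list:
        """What a verified-positive user releases: only their own daily keys from the window,
        never the codes they heard from other phones."""
        self.prune(now)
        return sorted(self.daily_keys.items())

    def check_exposure(self, shared_keys: list) -> list:
        """Re-derive every code the shared keys could have produced, compare against what this
        phone heard, and return the day numbers that meet the duration and proximity thresholds."""
        candidates = set()
        for day, key in shared_keys:
            first = day * INTERVALS_PER_DAY
            candidates.update(rolling_code(key, iv) for iv in range(first, first + INTERVALS_PER_DAY))
        near_seconds = {}
        for code, t, dur, rssi in self.observed:
            if code in candidates and rssi >= NEAR_RSSI_DBM:
                near_seconds[day_number(t)] = near_seconds.get(day_number(t), 0) + dur
        return sorted(d for d, s in near_seconds.items() if s >= MIN_EXPOSURE_SECONDS)


def scenario(now: int = 1_700_000_000) -> dict:
    """Constructed encounters: Bob sits near Alice for two intervals (20 min); Carol passes her
    for 5 min; Dave heard her two days ago but only at long range; Bob also has a stale record."""
    alice, bob, carol, dave = Device(), Device(), Device(), Device()
    for k in range(2):
        t = now - 3600 + k * INTERVAL_SECONDS
        bob.observe(alice.broadcast(t), t, INTERVAL_SECONDS, -55)
    t = now - 7200
    carol.observe(alice.broadcast(t), t, 300, -50)
    t = now - 2 * 86400
    dave.observe(alice.broadcast(t), t, 3600, -90)
    stale = now - 20 * 86400                     # older than 14 days: pruned on both sides
    bob.observe(alice.broadcast(stale), stale, 3600, -50)
    for d in (bob, carol, dave):
        d.prune(now)
    shared = alice.keys_to_share(now)            # Alice tested positive and chose to share
    return {
        "shared_key_days": [d for d, _ in shared],
        "bob": bob.check_exposure(shared),
        "carol": carol.check_exposure(shared),
        "dave": dave.check_exposure(shared),
    }


if __name__ == "__main__":
    print(scenario())
```

Only Bob's phone produces an exposure day: Carol's contact was too short, Dave's too distant, and the 20-day-old record never leaves the 14-day window on either phone. The matched day is all the notification carries, which is why the page warns that someone with very few contacts on a day could guess who the positive user was.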
User consent & choices
Using the system
MassNotify had the potential to help stop the spread of COVID-19 and its use was highly encouraged, but the use of MassNotify technology and the decision to share codes with other users was completely voluntary.
Users could have turned the system on or off at any time. The system did not collect, track or store users’ location, GPS information, or personal information (other than the secure third-party verification server, which received cellphone numbers of COVID-19 positive individuals from DPH or through self-requests, as described above).
In order to support Massachusetts’ launch of Exposure Notifications on Android phones, the functionality that underlies MassNotify could have been distributed by the Google Play Store to allow users to turn on and use Exposure Notifications directly from the settings on their Android phone. This functionality was distributed by Google in this manner so that MassNotify was able to work as soon as a user decided to turn it on. It is important to note that distributing the functionality in this manner did not automatically activate Exposure Notifications on users’ devices, and users’ device settings were not changed. Android users would still have needed to turn on Exposure Notifications through their settings in order for MassNotify to become active. For more information on how Exposure Notifications worked through your Android phone settings, please see Google’s Play Store article on the feature.
To use Exposure Notifications, users must have gone through the MassNotify onboarding process. Users decided whether to enable Exposure Notifications and whether to share information through the system to help warn others of possible exposure.
Disabling exposure notifications
Users could disable MassNotify at any time by turning off the feature in their smartphone settings, turning off the mobile device, or turning off the Bluetooth function. If the user deactivated MassNotify, all codes currently stored on the device were immediately deleted.
If MassNotify was deactivated, your device would no longer have generated or exchanged random codes with other users’ mobile devices. Any random codes that were previously shared with other MassNotify users would have been automatically deleted 14 days from the date the code was generated. Upon the discontinuation of MassNotify with the end of the federal COVID-19 public health emergency on May 11, 2023, Apple and Google have instructed that all random codes will be automatically deleted from users’ phones after 14 days.
Generating exposure notifications to other users
Providing notification of a positive COVID-19 test result to other users was also completely voluntary. Users could choose to anonymously notify other MassNotify users of a positive COVID-19 test result. If a user tested positive for COVID-19, and chose to notify others, the user must have entered a positive test verification code to release the anonymous codes stored on the mobile device. The user would also have been asked to enter a date of symptom onset, if applicable. If available, symptom onset date was used to identify the other MassNotify users who should receive an exposure notification because their devices were within a certain number of feet of the COVID-19 positive individual for a certain number of minutes. Finally, the user was prompted to consent to alert others.
When a user consented to alert others, the notifications generated by MassNotify did not disclose the COVID-19 positive user’s identity, location, phone number, or any other personal data.
The exposure notification included the date of the exposure (obscured, for privacy purposes, by being stated as a 24-hour window). Sharing the exposure date was important to ensure that users had the information necessary to take the right precautions (such as getting tested for COVID-19) at the appropriate time based on the exposure date. It is possible that someone who received an exposure notice could guess the identity of the COVID-19 positive individual, if they had a very limited number of contacts on a given day.
A verification code was required to share a positive test result in the system. This ensured that only verified positive test results were used to generate exposure notifications. Verification codes could only be generated by MassNotify when requested by DPH, or by a user through the self-request process. Both types of requests were made through a secure third-party system. Verification codes were provided to all MassNotify users who were newly COVID-19 positive individuals and for whom DPH had a cellphone number through a verification link sent in an SMS text message from the secure third-party system. Neither the verification code nor the verification link was associated with the positive user’s identity. However, if multiple users shared the same cellphone, it is possible that when a verification code was sent, the user(s) who were not COVID-19 positive would learn the COVID-19 positive status of the person with whom they shared the phone. Verification links and codes expired after 24 hours when distributed by the DPH process described above and after 15 minutes when the verification link was a self-request from a user.
Sharing of information
The following categories of non-personally identifying data were processed and collected by MassNotify if users opted to provide it:
- Metrics on the number of devices contributing anonymous data
- Exposure notification metrics
- Exposure notification interaction metrics
- Key upload metrics
- Verification code metrics
- Anonymous keys that had been voluntarily shared
The data were provided to DPH. These data were only collected if a user explicitly opted in, and a user could choose to stop sharing the data at any time by turning off analytics sharing with MassNotify in their phone’s settings. The aggregated, anonymous data collected for analytics purposes could be used only by DPH, or those it authorized, to monitor system usage, as well as for performance evaluation and statistical, scientific and public health research purposes. This information did not include any personal or location information.
MassNotify was intended for use by people ages 18 and over, as well as users between the ages of 13 and 17 with parent or legal guardian consent. There was no MassNotify-specific parental approval system for this age group. However, parents could control access to MassNotify by using the tools readily available to parents to manage their children's access to device settings, apps, and purchases. For example, 13-year-olds using Android phones must have had an account set up for them by a parent who had provided verifiable parental consent. Additionally, the parent could use Screen Time settings and Ask to Buy to manage devices that the child signed into with their account and apps that they downloaded.
Ms. Cecelia Dunn
Bureau of Infectious Disease and Laboratory Sciences
Massachusetts Department of Public Health
305 South Street
Boston, MA 02130