COVID-19 contact-tracing apps like Healthy Together and ABTraceTogether are tracking you and also the people in your phone contacts and Facebook friends lists.
In early 2020, a number of smartphone applications (apps) were tested and launched across North America to help regions identify which users have been infected with the COVID-19 coronavirus disease, who they came into contact with, and transmission zones.
These apps are attempting to help make contact tracing easier, a form of disease control that the Centers for Disease Control and Prevention (CDC) calls a key strategy for preventing further spread of the disease. The process involves public health staff who work with COVID-19 patients to help them recall everyone they came into contact with during the time they may have been infectious. Staff then warn exposed individuals in a rapid and sensitive manner (while protecting the identity of the patient) and provide support and information on how to mitigate the spread.
In May 2020, a number of Facebook posts claimed that mobile apps that are using contact tracing to research COVID-19 transmission patterns are also taking information from the user’s device to “identify, track or locate” various contacts on their phones or their Facebook friends lists. Most posts refer to one of two such apps: Healthy Together or ABTraceTogether. The posts say:
These posts greatly exaggerate the extent to which apps have access to contact lists and particularly to Facebook accounts.
Healthy Together, built by Twenty Holdings, Inc., was rolled out by the state of Utah in April and May 2020, as part of an effort to help public health officials trace contacts of those infected with the disease, and to allow Utahns to track their symptoms and find the nearest testing center. The app uses GPS, location data, and Bluetooth technology to identify potential contacts.
Bluetooth technology allows health officials to gather data by connecting devices to each other, while GPS data allows them to track a person’s movements and their location to within 5 to 10 feet. Thus, Bluetooth determines potential person-to-person transmission of the disease while GPS tracking figures out potential transmission zones and how contagious diseases can move through populations and regions.
The Utah government is encouraging more people to download this application. As of May 13, more than 45,000 people had done so, at least 2% of the state’s population, according to CNBC.
The app is opt-in and voluntary and allows users to control what data they release. They own their personal data and can delete it at any time. Location data is automatically deleted after 30 days, symptom data becomes anonymous after 30 days, and users can identify what data they would like to share, which includes Bluetooth data, location data, or contact lists.
The FAQ on the Utah government’s coronavirus resources website suggest that officials are taking precautions around user privacy as well:
Will anyone have access to personally identifiable information?
Public health officials and a limited number of development employees with Twenty Holdings, Inc. will have access to your name, phone number, and location data for COVID-19 tracing purposes only.
What collective data would the Utah government like to share publicly in the weeks following the launch?
The State of Utah values the role of limited government and recognizes that asking you to provide personal information may be uncomfortable and concerning to some. However, you can be assured that your personal data will be used only for the purpose of fighting COVID-19.
Utah will investigate GPS and location data to help understand transmission zones, with the goal of informing policy makers so they can make swift and smart decisions in the coming weeks or months.
We may receive:
Registration and Profile Information. We may receive information from you when you register to use Healthy Together. That information may include, among other things, your full name, phone numbers, and device identifiers.
Contact List. If you choose to share your mobile device contacts or address book with Healthy Together, we will store your contacts or address book information, including the phone numbers and names of your contacts, to enable you to invite your contacts to Healthy Together and help facilitate your user experience.
Healthy Together responded to Snopes’ questions about these rumors:
Only if a user opts-in to share their phone’s contact list, can they then invite friends on their contact list to use the app. Sending this invitation will prompt their contact to join Healthy Together, but this invitation to join the app is also opt-in. Sending an invitation to a friend does not mean Healthy Together will track or automatically collect data. If someone chooses to download the app by accepting their friend’s invitation, they too have to opt-in to share any data permissions.
The app is not connected to Facebook and Healthy Together users cannot invite their Facebook friends to use the app.
Healthy Together is not tracing anyone who is not a user of the app, and is not tracing anyone who does not opt in to the Bluetooth or location data permissions. Healthy Together is completely opt-in, users own their data, and can delete it at any time.
Thus the app’s ability to access your contact list is in the user’s control and is available only to invite friends to download the app. The app does not appear to have the ability to access your Facebook friends list. Furthermore, the app can only track and identify people who have downloaded it, so those people without the app cannot be tracked.
The app ABTraceTogether requires even less information from the user. The other app at the center of the Facebook/phone contacts rumor mill has been downloaded in the Canadian province of Alberta 100,000 times as of May 5. This voluntary app also does not connect to your phone contact list or Facebook friends list but collects only the following information:
During the app set up, the only personal data we collect is your mobile number, so Alberta Health Services can contact you quickly if you were in close proximity to a COVID-19 case.
With your consent, the ABTraceTogether app exchanges Bluetooth proximity data with nearby phones running the same app. This data is anonymized and encrypted, and does not reveal your identity or the other person’s identity. In order to measure distance, information about your phone model and the signal strength recorded is also shared, since different phone models transmit at a different power.
This data is stored only on your phone, and is not shared with Alberta Health Services. Should Alberta Health Services need the data for contact tracing, they will ask you directly to share it with them and enable an upload of your contact tracing logs.
The information you provide will be collected by Alberta Health and Alberta Health Services for the purpose of conducting contact-tracing during the COVID-19 pandemic response to manage the public health emergency under the Public Health Act.
[…] ABTraceTogether enables you to exchange non-identifying information with other users via Bluetooth; other users will not have access to any of your individually identifying information. If you receive a positive diagnosis for COVID-19, Alberta Health or Alberta Health Services will send you a code to enter into the Application. Your information will then be accessed and potentially disclosed by Alberta Health and Alberta Health Services to one another, for the purpose of facilitating contact-tracing during the COVID-19 pandemic.
Privacy advocates like the Electronic Frontier Foundation (EFF) are critical of apps that ask for names and phone numbers of users, arguing that will erode trust and discourage people from signing on. They argue that developers need to be as transparent as possible to ensure their app is effective. Bennett Cyphers, a Staff Technologist with EFF spoke to Snopes, arguing that ultimately these apps should only get what is absolutely necessary from the user, with “as little private information [and] strict data minimization,” something they don’t agree apps like Healthy Together and ABTraceTogether are doing:
[The government] doesn’t need [this information], they want it … Apple’s and Google’s proposals [have] ways to do it where the user’s phone is able to give push notifications to the user through anonymized data.
There are ways to do contact tracing that is privacy preserving, and that the government doesn’t get data at all. The only difference between [the] decentralized contact tracing approach (which Apple and Google are proposing) and the centralized approach is that in the first model [when] someone who you’ve contacted is sick, [you will be notified] on your phone and it will tell you what to do and which public health officials to get in touch with. The other scenario is the government calls you themselves. The government prefers the latter because it gives them more control. We don’t think there is a significant difference in the outcome [pertaining to health access] for users.
…All these apps are opting to share a record of who the people interacted with. That can reveal a lot about what you do, whether you engage in political activism, criminal activity, all kinds of things not related to COVID, and the government will have access [to it] … We wouldn’t be able to tell you what the government will do [with this] but what they could do … [and] that’s the problem.
Jeff Jenkins, associate professor of Information Systems at the Brigham Young University, Marriott School of Business, said this about Healthy Together in a published news interview: “Jenkins said he feels like the app gives users a reasonable amount of control over their data, even if it’s not totally clear how the data will be used. ‘With any app, there is a tradeoff between the intended benefit — in this case, combating COVID-19 — and privacy.'”
A range of contact-tracing apps were being tested and implemented in the spring of 2020. In May, Apple and Google released their own smartphone technology to automatically notify people if they have been exposed to someone with the virus. Unlike Healthy Together, their tech relies solely on Bluetooth technology to monitor person-to-person contact. Many of these apps are achieving mixed results, and the full implications of their impact on data privacy are being closely followed by groups like EFF and the American Civil Liberties Union (ACLU).
In sum, little evidence exists to indicate that apps like Healthy Together and ABTraceTogether are collecting others’ information from users’ phone or Facebook contacts, especially without consent. As their privacy policies outline, the information they gather is for specific health-related purposes, and all the information given is with the user’s consent. Healthy Together can receive your contact list if you agree to it, while ABTraceTogether only asks for your phone number. Furthermore, users have to actually install the app for their interactions to be monitored, or their location to be tracked. Individuals without the app will not be tracked this way. As such, we rate this claim a “Mixture.”