Massachusetts Illegally Installed Covid Spyware on Android Users’ Phones

A federal lawsuit alleges that the Massachusetts Department of Public Health installed Covid spyware on the Android smartphones of millions of state residents to code and trace their movements without their knowledge.

The state hid the application from users, the lawsuit says, by ensuring that it did not launch a shortcut on the phone’s homescreen.

The lawsuit says the move violates the federal and state constitutions, and asks for an injunction to stop the state from spying on both their residents and those from other states who also fell victim to the scheme.

The Lawsuit

Filed in the U.S. District Court for Massachusetts by the New Civil Liberties Alliance, the 68-page lawsuit alleges that the health department, frustrated because few Bay Staters had downloaded the application, hatched a covert scheme to install it without anyone’s knowledge.

And if users found it and tried to delete it, the department’s tenacious nannies reinstalled it.

“DPH [Department of Public Health] developed a COVID-19 contact-tracing software application (‘Contact Tracing App’ or ‘App’) for Android mobile devices (e.g., smartphones and tablets) using an Application Programming Interface (‘API’) provided by Google, Inc. (‘Google’),” the lawsuit avers:

An initial version of the App was made available in April 2021, but few Massachusetts residents voluntarily installed that version. To increase adoption, starting on June 15, 2021, DPH worked with Google to secretly install the Contact Tracing App onto over one million Android mobile devices located in Massachusetts without the device owners’ knowledge or permission. When some Android device owners discovered and subsequently deleted the App, DPH would re-install it onto their devices.

The App causes an Android mobile device to constantly connect and exchange information with other nearby devices via Bluetooth and creates a record of such other connections. If a user opts in and reports being infected with COVID-19, an exposure notification is sent to other individuals on the infected user’s connection record.

The version that just 5,000 or so Bay Staters installed was called “MassNotify.”

A second app, labeled “MassNotify v.3” in the Google Play Store, later renamed “Exposure Notification Settings Feature–MA,” came next. State officials slipped that app onto millions of phones without the owners’ knowledge.

“Instead of making the Contact Tracing App available for voluntary download, however, starting on or around June 15, 2021, DPH worked with Google to ‘automatically distribute’ the App to Android devices ‘so users don’t have to download a separate app,’” the lawsuit alleges:

In other words, the Contact Tracing App was installed onto Android mobile devices without users’ permission or awareness.…

Once “auto-installed,” DPH’s Contact Tracing App does not appear alongside other apps on the Android device’s home screen. Rather, the App can be found only by opening “settings” and using the “view all apps” feature. Thus, by design, the typical device owner would remain unaware of its presence.

Worse still, the state targeted not just those who live under the state’s leftist regime, but those who were merely traveling through:

DPH periodically installs the App onto all Android devices located in or being transported through Massachusetts. To accomplish the stealth installations of the Contact Tracing App, DPH uses an Android device’s location data to target individuals who happen to be in Massachusetts. As a result, individuals who reside in other States but travel to or through Massachusetts … will have the App installed on their Android devices. For instance, one Google Play reviewer stated: “I am not a Massachusetts resident and this spyware was surreptitiously installed on my phone without my consent or notification. It keeps reinstalling itself after removal. Words cannot describe how violated this makes me feel both from MA and Google.”

The lawsuit includes screenshots of reviews by Android users who complained on Google Play that they did not install the app.

Constitutional Violations

The spyware program, the lawsuit alleges, violates Android users’ federal constitutional protection against unwarranted search and seizure.

In addition to violating the privacy rights of users, the secret spyware installation “constitutes a Fourth Amendment search,” the lawsuit alleges:

The Commonwealth is indiscriminately conducting a search of all individuals with Android devices who reside in or have passed through Massachusetts between June 15, 2021, and present day. These searches constitute clear Fourth Amendment violations.

The spyware also represents an “unjust taking” of private property, which is prohibited by the Fifth Amendment, because it physically occupies the phones without just compensation.

The installation also violates two provisions of the Massachusetts Declaration of Rights on the same grounds, the lawsuit alleges.

As well, the installation constitutes trespassing, violates the Computer Fraud and Abuse Act, and provides unauthorized access to a computer system.

“Many states and foreign countries have successfully deployed contact tracing apps by obtaining the consent of their citizens before downloading software onto their smartphones,” NCLA’s Sheng Li said. “Persuading the public to voluntarily adopt such apps may be difficult, but it is also necessary in a free society. The government may not secretly install surveillance devices on your personal property without a warrant — even for a laudable purpose.”

Countering Overreach Banner728