Citizen, the mobile application that alerts its more than two million users to crime and disaster around them, has launched a contact tracing functionality, called SafeTrace, in the fight against the coronavirus. Now it’s just a matter of the New York City-based startup finding a customer for the product, which has raised privacy red flags among civil liberty lawyers and technologists.

A review of internal Citizen documents and the privacy policy related to the contact tracing function gave privacy advocates plenty of causes for concern. These included how data collected through contact tracing would be used and shared via both GPS and Bluetooth proximity tracking. Joshua Simmons, vice president and board member of the Open Source Initiative, which promotes and protects open source software, said the GPS function was “too much” and “totally unnecessary for contact tracing.”

Vigilante by name

The Citizen app was launched in 2016 under the name “Vigilante,” but pulled back and rebranded as Citizen after concerns the original name might encourage users to seek out and intervene in crimes (which briefly got it kicked off of the Apple app store). Today, Citizen uses proprietary technology, along with human volunteers, to report incidents by monitoring police scanners. It also lets users stream video of incidents, and comment on videos, in a way that resembles social media. As these incidents are reported, Citizen sends alerts to users in close proximity to the incidents, determined by the location of the users’ smartphones.

Citizen was developed by Sp0n, Inc., a private, for-profit company funded by venture capital firms including Peter Thiel’s Founders Fund and Sequoia Capital, to the tune of over $60 million, according to Crunchbase, a platform that tracks startup funding.

Contact tracing, or the process of ascertaining whom people infected with COVID-19 might have come into contact with during the period in which they were contagious, has traditionally been done by a human interviewer. But to address the pandemic, multiple groups have been working on ways to use smartphones to track that contact. While countries including Israel are using GPS tracking, and nations including China are coupling this technology with facial recognition that claims to detect fevers, concerns over privacy have led the United States and European Union (EU) to consider less-invasive measures.


In multiple EU countries, the protocol on which contact tracing apps would be built is based on Bluetooth proximity tracing, with data processed locally on devices, not stored on a central server. A central server makes the data collected not just a target for hacks, but also government surveillance.

In the U.S., Apple and Google have said they will launch updates to their operating systems that will allow apps to use Bluetooth proximity tracing, but have explicitly said they will not allow location tracking because of privacy concerns. Google and Apple have faced criticism from the French government, which pushed them to alter their protocols, because it wanted to add more data-gathering functions to any prospective contact tracing app. Apple and Google have not backed down, though, and EU countries including Germany, Italy and the Netherlands have come around to the tech firms’ decentralized and minimalist approach.
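As an added illustration of the decentralized, minimalist approach described above (this is a toy model written for this article, not code from Citizen, Apple, Google or any EU project): each phone derives rotating broadcast IDs from a secret daily key, keeps only the IDs it hears, and does the exposure match on the device against keys that diagnosed users choose to publish. The scheme, the class and function names, the 15-minute rotation and the sample scenario are assumptions; the 30-day retention mirrors the figure Citizen gives for its Bluetooth contact records.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta

# Assumed scheme for illustration (in the spirit of the decentralized EU / Apple-Google
# designs, not Citizen's code): a phone keeps a secret daily key, broadcasts short-lived
# IDs derived from it, and stores only the IDs it hears, with no location attached.
ROTATION_MIN = 15      # broadcast ID changes every 15 minutes (assumed)
RETENTION_DAYS = 30    # observed contacts are dropped after 30 days

def ephemeral_id(daily_key: bytes, day: str, slot: int) -> bytes:
    """ID broadcast during `slot` of `day`; unlinkable without the daily key."""
    return hmac.new(daily_key, f"{day}:{slot}".encode(), hashlib.sha256).digest()[:16]

class Device:
    def __init__(self) -> None:
        self.daily_keys: dict = {}   # day -> secret key, never uploaded unless diagnosed
        self.observed: list = []     # (time, ephemeral_id) heard nearby, no GPS trail

    def broadcast(self, when: datetime) -> bytes:
        day = when.strftime("%Y-%m-%d")
        key = self.daily_keys.setdefault(day, os.urandom(32))
        return ephemeral_id(key, day, (when.hour * 60 + when.minute) // ROTATION_MIN)

    def hear(self, when: datetime, eid: bytes) -> None:
        self.observed.append((when, eid))

    def prune(self, now: datetime) -> None:
        cutoff = now - timedelta(days=RETENTION_DAYS)
        self.observed = [(t, e) for t, e in self.observed if t >= cutoff]

    def publish_if_diagnosed(self) -> dict:
        return dict(self.daily_keys)   # only daily keys go to the server: no contact list

    def exposed_to(self, published: dict) -> bool:
        """Match runs on-device against downloaded keys; the server learns nothing."""
        slots = range(24 * 60 // ROTATION_MIN)
        risky = {ephemeral_id(k, d, s) for d, k in published.items() for s in slots}
        return any(e in risky for _, e in self.observed)

def demo() -> tuple:
    """Constructed scenario: Bob met Alice, Carol met only Bob; Alice is later diagnosed."""
    alice, bob, carol = Device(), Device(), Device()
    t = datetime(2020, 5, 20, 10, 0)
    bob.hear(t, alice.broadcast(t))
    carol.hear(t, bob.broadcast(t))
    keys = alice.publish_if_diagnosed()
    before = (bob.exposed_to(keys), carol.exposed_to(keys))
    bob.prune(t + timedelta(days=31))      # past the retention window, the record is gone
    return before + (bob.exposed_to(keys),)
```

The point of the model is what never leaves the phone: the list of encounters and any location, so a central server cannot be turned into a surveillance or breach target.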


But the final apps people will opt into for contact tracing in the U.S. are still in development, for the most part, with little known publicly about them. That includes projects pursued by federal or state governments as well as private companies like Citizen.

With the onus on states to take on the lion’s share of the COVID-19 response, app makers have tended to work with local health organizations. Given that a recent study has suggested such contact tracing apps would need a 60 percent participation rate to be effective, trust in these apps, and the necessity of the data they collect, is key.

If the documents obtained by CoinDesk that outline Citizen’s contact tracing program and its public privacy policy are any indication, according to privacy advocates, that trust is going to be hard to achieve.

One Citizen employee, who asked not to be named out of fear of reprisal, said that “move fast, fix it later” is part of the company’s culture.

CoinDesk has reached out to Citizen repeatedly by email and via social media. We have yet to receive a response to inquiries about its contact tracing program.

GPS data makes the system more invasive

An internal slide deck entitled “COVID-19 Contact Tracing – Product Story for External Share” outlines the proprietary technology Citizen uses for the SafeTrace functionality in its app. In an apparent prospective pitch to New York City, Citizen emphasizes its solution will “fuse GPS location data, Bluetooth low energy, WiFi fingerprinting, and Cell Tower triangulation in a rich feature set providing highly accurate contact proximity and duration data.”

Image: A slide from Citizen’s Product Story slide deck. Source: CoinDesk

After reviewing the deck and privacy policy, Simmons said it is unclear if there are proper protections around this data. The lack of transparency stems from the fact the technology is proprietary and privately owned, said Simmons.

The use of GPS data for tracking is also troubling, he said.

“Pervasive GPS tracking is fraught with unintended consequences, even with proper controls in place,” said Simmons. “They claim it’s anonymized because it’s not connected to an individual identity. But as the last decade has shown many times over, that’s not an effective way to anonymize a dataset. If you see an anonymous user returning to the same address every night, you can comfortably assume that’s their residence and work backwards from there.”

Simmons sees such functionality as unnecessary to contact tracing, given the number of proposals out there (including Google’s and Apple’s) that are being pursued without it.

“GPS data tracking a person’s movements is very revealing, and difficult to effectively anonymize,” said Ángel Díaz, counsel at the Liberty and National Security Program of The Brennan Center for Justice in New York.

Multiple studies have shown how anonymous data can be reidentified, including an extensive investigation from the New York Times on the relative ease with which location data can be de-anonymized, and what it can say about you.
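To make Simmons’s point concrete, here is an added Python check (written for this article, not from Citizen or any study it cites) that a privacy reviewer could run over a pseudonymous location dataset before calling it anonymized: for each random token it finds the cell where that token spends its nights, which is exactly the residence inference Simmons describes. The pings, pseudonyms and coordinates are constructed sample data; the night window, cell size and minimum ping count are assumptions.

```python
from collections import Counter

# Constructed sample of "anonymized" GPS pings: (pseudonym, hour_of_day, lat, lon).
# No name, no device ID; the pseudonym is just a random token per user.
PINGS = [
    ("u1", 2, 40.7306, -73.9352), ("u1", 3, 40.7307, -73.9353), ("u1", 13, 40.7580, -73.9857),
    ("u1", 1, 40.7308, -73.9351), ("u1", 22, 40.7306, -73.9352), ("u1", 12, 40.7580, -73.9857),
    ("u1", 23, 40.7580, -73.9857),   # one late night away from home
    ("u2", 2, 40.6782, -73.9442), ("u2", 23, 40.6781, -73.9443), ("u2", 14, 40.7580, -73.9857),
]

def grid_cell(lat: float, lon: float, decimals: int = 3) -> tuple:
    """Bucket coordinates to roughly 100 m cells so GPS jitter lands in one cell (assumed size)."""
    return (round(lat, decimals), round(lon, decimals))

def likely_home(pings, night=(22, 6), min_pings=2) -> dict:
    """For each pseudonym, the cell where most night-time pings land.
    Returns {pseudonym: (cell, share_of_night_pings)} for tokens with enough night data.
    A high share means the token's residence is inferable from the 'anonymous' trace."""
    start, end = night
    per_user = {}
    for pid, hour, lat, lon in pings:
        if hour >= start or hour < end:          # night window wraps past midnight
            per_user.setdefault(pid, Counter())[grid_cell(lat, lon)] += 1
    result = {}
    for pid, cells in per_user.items():
        total = sum(cells.values())
        if total >= min_pings:
            cell, n = cells.most_common(1)[0]
            result[pid] = (cell, n / total)
    return result

def inferable(pings, threshold=0.75) -> list:
    """Pseudonyms whose night location is concentrated enough to count as a leak."""
    return sorted(pid for pid, (_, share) in likely_home(pings).items() if share >= threshold)
```

Every token this flags is one a data recipient could tie to a street address with an ordinary map lookup, which is why removing names alone does not anonymize a GPS trail.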


Citizen’s SafeTrace promotional webpage explicitly describes how it uses Bluetooth data: a brief Bluetooth connection with a nearby person’s device logs whom you came into contact with, and that record is deleted 30 days later, according to the company. It is not until later, in an FAQ section, that Citizen says that while Bluetooth tracing is optional and tied to the SafeTrace function, GPS tracking is not optional. The FAQ states:

We use your device’s GPS and Bluetooth signals to determine your location; we need to use both technologies to identify your proximity to other users within nearby proximity, based on CDC social distancing guidance. You choose whether to share your location, and can always revoke Citizen’s access to your location data in your device settings, but the app will not function if the app can’t access location data.

This means that for the app to work at all, you have to let it use your location and harvest GPS data. That GPS data is governed by the general privacy policy, not the SafeTrace privacy policy, and is not deleted. Nor can you ask that it be deleted after the fact.

Citizen has also decided to show users where their point of contact with a potentially infected person occurred, and discloses this while recognizing there is a chance it will result in a user being identified.

“When users receive alerts that they came into contact with a sick person, Citizen will show them where the contact occurred on a map,” said Díaz. “If a user knows the person they interacted with at a particular location, they can easily re-identify the sick person. This creates a dangerous opportunity for exposing people’s identities and subjecting them to online and offline harassment.”

Privacy policy concerns

The privacy policy of any application governs how it can use your data. While many policies are opaque to a regular person about what that entails, they’re informative if you are able to parse them. But Citizen reportedly has not always followed its own privacy policy when it comes to sharing data with third parties, according to a May 2019 investigation by the Washington Post.

One of the slides in the deck says Citizen will wipe the data collected from contact tracing after 30 days, given the virus incubation period is 21 days. The same slide says the data will be anonymized, will not be shared, sold or used for advertising, and only a subset of Citizen’s engineering team will have access to it.

But multiple civil liberties lawyers who reviewed the policy were not clear on what the data collected might be used for, and what will be deleted or not.

Albert Fox Cahn, the founder and executive director of the Surveillance Technology Oversight Project (STOP), said Citizen’s business model is to get as many eyeballs as possible on the screen and to build up the network of users. Any contact tracing function working in a city in partnership with a health department would likely increase the number of people using the Citizen app. It’s a natural outcome were a government to make the Citizen app, even a portion of it, into a vital part of the health ecosystem, Cahn said. Such growth can lead to greater scale, more funding, and potentially the attention of advertisers down the road, he said (even though Citizen has said it will not serve user advertisements).

Michele Gilman, director of the Saul Ewing Civil Advocacy Clinic at the University of Baltimore, echoes these concerns.

“The policy leaves open the possibility of sharing personal information as necessary ‘to fulfill other citizen app features,’” she said. “They must have something in mind, even if it’s to gain a million users for something in the future. They aren’t a charity. They aren’t a nonprofit.”

Citizen did not respond to a request to discuss concerns regarding the privacy policy.

The language around aggregated data in the privacy policy also concerned Cahn. Citizen’s policy says that in relation to user activity:

“We aggregate user activity data (like how you interact with Citizen, what times you use Citizen, what kind of device you have, etc.) for analysis to improve Citizen’s user experience.”

There is no other explanation as to what that “etc” entails.


In another section, Citizen’s policy says:

“We may share aggregated location data for the purpose of combating COVID-19 with government agencies and public health organizations.”

“With a lot of firms, we will see the sale of ‘anonymized’ aggregated data. They don’t really address that in the privacy policy,” said Cahn.

Díaz isn’t sure what the full range of government agencies might entail.

“The privacy policy contemplates that users can opt into sharing diagnosis information with government agencies, but doesn’t specify who those agencies are,” said Díaz. “Agreeing to share data with public health officials is not the same thing as agreeing to share information with NYPD or ICE.”

Citizen has made attempts to work with law enforcement, according to a March piece on the company from the Intercept. This includes bringing in Bill Bratton, former police commissioner in New York City, as a board member, and hiring Peter Donald, the New York Police Department’s former assistant commissioner for communication and public information as head of policy and communications. Donald played a key role in getting Vigilante, Citizen’s previous iteration, kicked off of Apple’s app store.

“Citizen is so integrated with law enforcement and seems to envision some sort of business model that might partner with law enforcement in the future,” said Gilman.

The potential involvement of law enforcement agencies, gaps in the privacy policy, and the multiple kinds of illuminating data that are collected can all undermine contact tracing’s effectiveness if they degrade people’s trust, according to Díaz.

James Larus, Dean of the School of Computer and Communications Science at the Swiss Federal Institute of Technology Lausanne, has been pushing for privacy-preserving contact tracing apps in the EU that don’t include location tracking.

“We need to be able to convince the general public, including the people who don’t really understand what the debate is about, or don’t understand the technology at all, that what we’re telling them is true,” he said.

“People need to know they will just be contributing to the public good and potentially being informed they were infected early enough that they could get treatment.”