This week, a lawsuit was filed in the U.S. District Court of Massachusetts against the Commonwealth of Massachusetts for its use of a COVID-19 contact-tracing app for residents’ mobile phones. However, very few residents voluntarily downloaded the app. The solution? The lawsuit alleges that Massachusetts caused the app to be downloaded to certain residents’ mobile devices without consent or knowledge. The complaint alleges that “on June 15, 2021, [the Massachusetts Department of Public Health (DPH)] worked with [a third party application developer] to secretly install the Contact Tracing App onto over one million Android mobile devices located in Massachusetts without the device owners’ knowledge or permission.” The complaint further alleges that “[w]hen some Android device owners discovered and subsequently deleted the App, DPH would re-install it onto their devices. The App causes an Android mobile device to constantly connect and exchange information with other nearby devices via Bluetooth and creates a record of such other connections. If a user opts in and reports being infected with COVID-19, an exposure notification is sent to other individuals on the infected user’s connection record.”

The complaint also alleges that the app collected information about the user’s travel, social interactions and internet usage. The app was installed as a “settings feature” instead of an “applications file” in order to remain unnoticed.

The lawsuit alleges violations of the Fourth and Fifth Amendments to the U.S. Constitution, Articles XIV and X of the Massachusetts Declaration of Rights, and the Computer Fraud and Abuse Act. The class seeks an injunction against continued use of the spyware and an order requiring the DPH to remove the spyware from users’ mobile devices. The class also seeks to recover attorneys’ fees and $1 for symbolic damages.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy and Security Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy and Security Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.