On Wednesday, Los Angeles announced a contact tracing partnership with Citizen, the crime reporting app formerly known as Vigilante. Citizen is now rolling out SafePass, a contact tracing feature meant to track symptoms, find testing sites, get alerts when exposed to COVID-19, and share diagnostic information.
“The County’s partnership with SafePass is a valuable tool to help slow the spread of COVID-19 throughout the region,” said Los Angeles County Supervisor Kathryn Barger at the press conference. “The success of the SafePass app relies on a continued sense of community impact among our residents by asking individuals to do their part to protect themselves and their neighbors.”
Citizen has come a long way since its days as Vigilante. In November 2016, days after its public launch in New York City, it was kicked off the Apple App Store amidst concerns the app would actively encourage vigilantism either through racial profiling or violent responses. By March 2017, the app was back after rebranding itself as “Citizen”.
In a 2017 Medium post, the company insisted that while the Vigilante was removed from the App Store for “a violation of Apple’s App Store Review Guidelines, with concerns centered around user safety,” things would be different with Citizen. The company traded a masked defender logo for an all-seeing eye and removed a feature that allowed users to “report incidents” directly to Citizen, but preserved nearly every other aspect of the Peter Thiel-backed app. (The crime reporting feature was added back in earlier this year)
Citizen went on to secure $12 million in funding from Sequoia Capital and expanded to San Francisco. In an interview with TechCrunch, founder Andrew Frame said “The name has changed, but the mission has not.” Frame defended the Citizen app from criticism further, telling TechCrunch that the company did not have a relationship with NYPD: “We don’t really coordinate with them… We have no official relationship.”
For years, however, the Citizen app and its staff have acted as if such a relationship exists. In Community Manager Dennis Prince Mapp’s own words: “We’re trying to unite [local community members and the police] and show that we’re all human. We’re trying to humanize the app and trying to humanize the NYPD.”
Earlier this year, Motherboard filed Freedom of Information requests with every city that Citizen operated in at the time (Philadelphia, New York, San Francisco, Los Angeles, and Phoenix). The NYPD claimed that it had had no communication or relationship with Citizen; an appeal was also rejected. Oakland and San Francisco both said it has no emails from Citizen. But emails from the Los Angeles’ Mayor’s office from last year, obtained by Motherboard, show that Citizen set up a meeting with the city’s gang violence and youth development coordinator. A member of a local nonprofit who was working with Citizen told the Los Angeles Mayor’s office in an email:
“Citizen has become so vital and intertwined within the safety infrastructure of New York that the FDNY is now mandating the app on department-issued phones in order to triage, prioritize, and respond to breaking information,” they wrote. “I’m reaching out to you because Citizen is launching in Los Angeles in just a few weeks and I think that this is a great opportunity for our community to re-imagine safety with Citizen.”
A spokesperson for the FDNY said that the Los Angeles’ Mayor’s office was given inaccurate information. “The information provided below in that email is inaccurate. There is no policy within FDNY mandating use of the app in question.” The spokesperson added that some firefighters may use the app informally. A freedom of information request filed by Motherboard with the FDNY has not yet been returned.
At best, the Citizen app seems to be a glorified “transcription service for emergency radio” that encourages people to “go out to stream and document incidents that are unfolding around them.” At worst, it is just another in a long line of fear-mongering surveillance platforms that offer paranoia-as-a-service. Even as violent crime nationwide drops, apps like Citizen, Nextdoor, and Neighbors have thrived by becoming playgrounds for racial profiling that turn community members into vigilantes and override privacy or safety concerns in the name of order.
None of this seems to have deterred public officials from partnering with Citizen to make the SafePass app. It won’t be Citizen’s first foray into the realm of contact tracing, either. CoinDesk wrote an extensive report on Citizen’s first contract tracing feature, SafeTrace, which raised numerous privacy red flags.
One major issue emerges almost immediately when reviewing documents laying out how Citizen’s technology would utilize “GPS location data, Bluetooth low energy, WiFi fingerprinting, and Cell Tower triangulation in a rich feature set providing highly accurate contact proximity and duration data.” Both Citizen and LA County insist the datasets built from this program will remain anonymized, but it has long been established that it is relatively easy to “reidentify” such datasets—especially with GPS data.
Both the press release and SafePass’ website emphasize the use of “Bluetooth technology,” but upon closer examination it is clear SafePass is also using GPS data just like its predecessor. On its promotional page, there is only one mention of GPS data buried at the bottom, in the FAQ section as an answer to the eighth question “Is my contact tracing data safe?” to which the one mention of GPS reads: “All GPS data collected by the Citizen app is deleted after 30 days.”
In a statement to Motherboard, a Citizen spokesperson said: ““We will retain your bluetooth data, GPS location data and identity verification information for 30 days from collection on a rolling basis, and all other personal information for the period necessary to fulfill the purposes outlined in this policy and to support other Citizen app features you might use, unless a longer retention period is required or permitted by law, or an individual requests that we delete information about them.”
There’s also no information provided as to what data isn’t deleted, important because the app collects much more than GPS and Bluetooth data. Ángel S. Díaz, counsel at the Brennan Center—a New York-based public policy institute—shared on Twitter that he had analyzed Citizen’s contact tracing app when it was pitched to NYC and found its privacy protocols lacking at best. The app gave little information about what it did with “location data, copies of gov-ID, COVID-19 diagnosis information, and undefined ‘health information,'” nor did it communicate what it is allowed to do with undeleted data even if “anonymized” or simply “aggregated.” Diaz wrote that it’s “easy to imagine Citizen’s desire to integrate this data into hotspot alerts for users of its crime alerts service.”
A Citizen spokesperson told Motherboard “Identity verification information: When a user submits their COVID-19 diagnosis to us to enable tracing, we may request a copy of the user’s government-issued ID or use other means to verify the user’s identity to protect our community against platform abuse and fraud. We will delete your identity verification information within 30 days from collection.”
Given Citizen’s poor privacy track record and history of being used for racial profiling and vigilantism, even standard policy sections seem weird and leave one wondering why Citizen isn’t taking extra steps to assure users that their data will be secure, anonymous, and shared only with public health agencies. Díaz cites a section of the company’s policy that states “To the extent necessary to continue to provide contact tracing services, we may share some or all of your personal information in connection with or during negotiation of any merger, financing, acquisition or dissolution transaction involving the sale, transfer, divestiture, or disclosure of all or a portion of sp0n Inc.’s business or assets.”
It’s hard to think of few companies that would be worse candidates for a contact tracing partnership. Ideally, the project should be run on open source code with open standards that can both be replicated anywhere else and made as transparent as possible. Instead, an app desperate for yet another rebrand has somehow swindled Los Angeles County into providing a chance at more users, more data, and more paranoia-as-a-service.
Jason Koebler contributed to reporting.