Crime App Citizen Exposed Users' COVID Data

The data includes users' exposure to people with COVID, their self-reported test reports and symptoms, and sometimes their full name.
May 24, 2021, 7:09pm

Crime and neighborhood watch app Citizen, which also launched a COVID-19 contact-tracing feature and broader citywide COVID surveillance program, exposed users' COVID-related data to the public internet, allowing anyone to view specific users' recent self-reported symptoms, test results, and whether their device had recorded any close contacts with other people using the feature. The information is directly linked to a person's username, which often is the person's full name.

The news highlights a haphazard security decision by Citizen. The company also recently offered a bounty of $30,000 for information that would lead to the arrest of a person who turned out not to have committed a crime, and, as Motherboard reported, is planning a dramatic expansion into offering an on-demand private security force.

"5 Bluetooth contacts," one of the exposed pieces of COVID data reads. "0 Symptoms Reported Today" and "No Current Test Results Provided," read other parts of the same person's exposed COVID data. Citizen told Motherboard that the data included "share cards," images of a user's COVID information that are designed to be shared either by the user on social media or with their family and friends. Citizen exposed the data to the wider public, however.

As well as its ordinary crime reporting app, Citizen also offers "SafePass," its own contact-tracing program.

"With SafePass, you can track your symptoms, find testing sites, and enable Bluetooth contact tracing to get alerted when you’re exposed to COVID-19. If you need to meet with people outside your household for work or other essential reasons, create Pods together so you can stay aware," Citizen's website reads. Last year Los Angeles announced a partnership with Citizen to use SafePass.

The exposed data relates to the SafePass feature, with the URL of the website hosting the data including the phrase "safepass-generator."

A source who said they affiliate themselves with the hacking collective Anonymous pointed Motherboard to the exposed Citizen COVID data. When Motherboard viewed the data, it contained around 1,000 pieces of COVID data. It is not clear whether the data updates over time or how many users it impacted in total, however.

An example of the exposed Citizen COVID data. Redactions by Motherboard to cover the user's profile image and username. Image: Motherboard

Citizen made several claims about the security of its COVID tool. The feature's privacy policy says that "We have specific systems to control data access, and all access is logged and regularly audited." The SafePass website says "Data is private and encrypted" and that contact tracing data is deleted after 30 days (some of the data in the exposed cache dates from earlier than 30 days ago). The Google Play Store page for Citizen SafePass (a second app, separate from the main Citizen app, that provides the COVID contact-tracing service) says that "Only people in the Pods you're a part of will be able to see information about you," with Pods referring to small groups of people that share their COVID-related information with one another. Clearly, this was not true.

Shortly after Motherboard approached Citizen for comment, the exposed data became inaccessible. A Citizen spokesperson told Motherboard in a statement that "Users who participate in SafePass have the choice to create a public profile card that includes their name, photo, and self-reported COVID-19 symptoms or test results—it is designed to be shared on social media or shared with friends and family as part of our contact tracing app."

"We recently learned that a limited number of public share cards had been exposed in a data breach and immediately disabled the database to prevent unauthorized access. We have engaged an external security firm to work with our internal team to investigate the scale and scope of who could have accessed public, self-reported share cards," the statement added.
