Privacy around COVID Exposure Notifications (Contact Tracing)

Paul Cullen Rowe
3 min readNov 3, 2020


Colorado just launched their “Exposure Notifications” COVID contact-tracing program. It’s a setting you turn on on your phone.

Other states are rolling out similar programs, either using the same setting or a separate app. In this post I’m referring only to Colorado’s, and it should be noted that these are only my conclusions based on reading their provided documentation, and could be incorrect.

I’m a privacy nerd, I give talks on the data security and give workshops on improving privacy in software engineering environments.

There’s a ton of concern around these programs treatment of privacy and the government’s ability to track your movements and your relationships. These concerns are justified.

So I dug into it — or at least what they made available in every single “learn more” screen and privacy document.

I went and read EVERYTHING they had.

So are they tracking me?

It seems like your device sends essentially this data to other devices:

// not actual data, just my illustrationsomeRandomIdentifierKey: 'obqn34guinbqwepo4'
timeStampOfContact: 3:33pm Oct 31 2020
hasBeenExposed: true/false

Your identifier key updates every 20min so it can’t be linked to an individual. It should also be noted that it does not send or receive location information ever.

Actual logs from my device after one day. Someone get me a charger.

Here’s how it works:

If you have bluetooth turned on, your phone is always looking for other devices to connect to bluetooth anyway. So this uses that, and it fires off this data to other devices who are opted-in to receive it.

Every device keeps a list of all keys its logged and their positive/negative, plus all the keys that those keys were in contact with, etc. This list lives only on your phone, is encrypted, and deletes each item after 2 weeks.

Your phone also keeps track of how long you were near another device and how close you were (based on bluetooth signal strength).

If someone was exposed (or self-reported a positive test) and then was in contact with you or someone you were in contact with, it notifies you. It also tracks duration of exposure, so it probably won’t notify you if you simply walk past someone on the sidewalk.

So should I be concerned?

Assuming there’s nothing nefarious under the hood, there are no glaring privacy concerns with this program.

There is nothing at all that is personally identifiable in the data captured. All it cares about is whether you’ve been exposed to someone who is COVID positive, and notifying you.

Should I turn it on?

I believe that more data is better data and could save lives in this case, so from a moral standpoint, I say yes.

For privacy concerns, it passes my smell test. I personally decided to turn on the Exposure Notifications setting on my iPhone. I have not been in contact with anyone lately, so I am pleased to report that I haven’t seen the notification alerting me of exposure.

If you decide to explore deeper, please let me know if you discover anything interesting or fun!



Paul Cullen Rowe

Director of Engineering at Method. Adrenaline Junkie. Build, Break, Boom.