Privacy Questions and Answers Regarding the Safer Illinois App

The Safer Illinois App has been built from the first day with privacy as a foundation. We take three specific actions that promote privacy in the Safer Illinois App:

Below, we present questions about privacy and provide an answer for each.

Most users will start in Orange: Potential Exposure. Once a negative test is received from on-campus testing, the status changes to Yellow: Recent negative test and Building Entry changes to Allowed.

The COVID-19 status color code was decided by the Champaign-Urbana Public Health Department. This is what the color codes mean for you in the Safer Illinois App:

  • Yellow: Recent negative test
  • Orange: Potential Exposure
  • Red: Positive test

The University uses industry best practices in data security to minimize risks to user personal data through data loss, misuse, unauthorized access and unauthorized disclosure and alteration. All user data is protected against unauthorized access or distribution. User personally identifiable information (PII) will never be shared with third parties without user permission. Users can delete all personally identifiable information (PII) and all anonymous data from our servers at any time by using commands within the Illinois App.

There are different types of data stored and transmitted from the Safer Illinois App.
  • Personal identification, such as NetID, UIN, and cell phone number, are used to create user accounts on the Safer Illinois App. This personal information is shared with Technology Services and is stored on the user’s phone as well as on account servers.
  • The SARS CoV-2 test results that users can retrieve through the Safer Illinois App are stored on their phones.
  • The anonymous Bluetooth tokens that are used as proximity records in the Exposure Notification system are stored on the phone for 14 days and are then automatically deleted. When a user has a positive test result (and if they have opted-in for Exposure Notification), 14-days’ worth of their Bluetooth tokens are uploaded to a secure database server and then downloaded by the other phones using the app. Each app then checks for matches against the token history saved on their phone. The tokens expire and are deleted automatically after 14 days, both from the phones and from the database server. The tokens are not saved anywhere else. Note that these randomly generated tokens are de-identified and are not associated with a particular phone or individual.

When users of Safer Illinois elect to receive their diagnostic test results through the app, the results are transmitted from the health care provider in charge of the tests. (On UIUC campus that provider is McKinley Health Center.) The notification is encrypted in transit and decrypted on the user’s phone. The test result is also saved in an encrypted form in our secure database in case users need to access their data from a new device. No other party but the user can decrypt the test result. The Illinois app will not share an individual's test results information with anyone.

The laboratory that conducts the test is required by law to submit all test results to the Illinois Department of Public Health, which is managing the response to the epidemic. Summary statistics of testing data are shared with the public on a dashboard. These statistics are used to manage the COVID crisis on campus and may be used for research in the future.

Contact tracing is a public health procedure used to identify people who may have come into contact with an infected person. Public health workers who conduct contact tracing interview known infected individuals, attempt to find all recent contacts with the infected individual, and then follow up with those contacts by recommending testing, quarantine, treatment or other measures.

Champaign-Urbana Public Health District manages human contact tracing in Champaign County. A team of contact tracers from CUPHD is assigned specifically to work on UIUC campus through McKinley Health Center.

The Safer Illinois app does not do contact tracing. It can’t, because the Safer Illinois app does not know the identities of other users of the app.

The Safer Illinois app provides exposure notification. Exposure notification lets people know if they were in the vicinity of someone who was later found to be infected. If users turn on exposure notification, their phones store Bluetooth-emitted tokens when they are in sufficient proximity to other phones. If users of the app later find out they are infected, 14-days of their Bluetooth tokens are uploaded to a secure database server and then downloaded by other phones. Then those phones look for matches with the tokens they have saved. Phones that find matches notify their users that they might have been exposed. Exposure notifications are generated on each user’s phone, and the notification is displayed only on the user’s phone. Individual exposure notifications are not reported to any other party. Summary statistics about exposure notifications are reported to campus leaders and to the Champaign-Urbana Public Health District.

See also How Exposure Notification Works

No, there are no plans to add geolocation tracking. We have discussed digital geolocation tracking of infections, but it touches a hot button with members of our community. Many people are not interested in location tracking for privacy reasons. If we were to implement location tracking, it would have to be as an opt-in opportunity only.

One reason to have location tracking of infections is that it would be very useful in curbing infection hotspots or super spreader events. But we are unlikely to offer location tracking in the Safer Illinois app unless we can do it in an anonymous fashion, so that we're not sharing any individualized data, in order to protect privacy.

No. The Safer Illinois app will be used only for the following functions: (1) Connecting with health care providers to receive test results and care recommendations, (2) Self-reporting of symptoms, (3) Opt-in Exposure Notification, (4) Enter/Do Not Enter status for campus buildings, (5) Recommended steps for improving and maintaining the user’s health, (6) Simplified up-to-date county public health guidelines. The Safer Illinois app does not report geo-location, so it cannot report or track a user’s whereabouts.

If you opt-in to use the exposure notification function of the app, you need to turn on location services in order to activate your device’s Bluetooth low-energy technology. Even if you turn on location services, the app does not access your location, or collect or store any location data.

The Safer Illinois app will not retain PII (personally identifiable information) for long-term study. The Exposure Notification data expires automatically after 14 days and is not saved anywhere. De-identified non-PII information such the following may be archived and made available for the public welfare and for research in the future:

  • Percent positivity
  • Number of tests per day
  • Number of exposure notifications
  • Types of self-reported symptoms

No. The Safer Illinois app, and all of its features, will be retired when the Illinois Department of Public Health declares that the Covid-19 epidemic is over. All individual-level data associated with the Safer Illinois App will be deleted at that time. Note that individual users can remove all of their data from the system whenever they choose to do so.

Ready to get started? Download the app now!