What’s actually in Philly Fighting COVID’s privacy policy?
During most of the time the group collected names on its COVIDReadi site, it did so without terms and conditions or a privacy policy.
For the past few weeks, the start-up Philly Fighting COVID has been collecting data on tens of thousands of people in Philadelphia who want to get COVID-19 vaccines, as well as running a mass vaccination clinic at the Pennsylvania Convention Center. During most of that time, it did so without terms and conditions or a privacy policy on its website.
When PFC added a privacy policy to the site last week, it was extremely broad — likely because parts were generated by an algorithm, a cybersecurity lawyer told WHYY.
On Monday evening, Philadelphia Health Department spokesperson James Garrow said the city had decided to end the partnership partly because Philly Fighting COVID recently updated the online agreement in a way that could let the group sell pre-registration data.
“The city has not been notified of any of these data having been sold,” Garrow wrote in an email. “But for PFC to have made these changes without discussion with the city is extremely troubling. As a result of these concerns, along with PFC’s unexpected stoppage of testing operations, the Health Department has decided to stop providing vaccine to PFC.”
People worried about use of data they entered into the site can contact the Pa. Attorney General to complain and suggest an investigation, said DC privacy attorney Kirk Nahra.
Last week, the city launched its own vaccine registration site. In an interview last Friday, Garrow said the city will periodically ask for copies of the data from other sites — such as the ones run by Philly Fighting COVID, the Black Doctors COVID-19 Consortium, or Acme Markets — to add to the city database, which has the same terms of use and privacy policy as phila.gov.
Philly Fighting COVID did not respond to multiple Jan. 25 requests for an interview about the privacy policy. But late that night, the group hastily added a privacy policy tab on its site, along with a line saying the company will not sell data to any parties. It also removed sections from its recently-added policy that mention moving data as part of business transfers. The rest remains unchanged.
The city presumes anyone collecting registration data shares the city’s goal of getting as many people vaccinated as possible, said Health Department spokesperson Garrow, and that it would be “counterproductive” if Philly Fighting COVID were to refuse to hand over their data.
The privacy policy PFC published on Jan. 21 is very broad. That’s likely in part because it was created with a privacy policy generator, according to a cybersecurity attorney.
Kirk Nahra, who specializes in cybersecurity and privacy and is a partner at DC’s WilmerHale law firm, said the Philly Fighting COVID policy is so broad, there are items that don’t seem to refer to anything PFC does. For example, the agreement refers to “the performance of a contract”, which he said he does not understand in this context.
“That’s language that they probably borrowed from a website that the Gap had or … where you buy stuff,” Nahra said. “My guess is … the next 10 websites you went to … that weren’t like major media websites, if you looked at their privacy policies, they would look a lot like this.”
There’s also a line in PFC’s terms and conditions that neither Nahra nor Adam Schwartz, a lawyer at the Electronic Frontier Foundation, a digital privacy nonprofit, could understand.
It’s line four: “You, the USER, agrees to allow the storage within any person for which you are legally entitled to for such purposes as may be necessary to provide you with services and information through COVIDReadi.”
“The sentence is confusing not because it is dense with legalese but because there is a grammatical error,” Schwartz said. “Terms of service need to be more clear than this.”
He added that the EFF recommends everyone read the terms and conditions and privacy policy of any site that collects data, but acknowledged few people do.
Lack of posted policy: Early warning sign
It’s unclear what people can do if they registered with Philly Fighting COVID and are worried about how their data may be used.
Kirk Nahra said that to bring a lawsuit, someone has to prove a site did something bad with their data, like if a site was collecting information about people’s sexually transmitted diseases and posting it publicly. But he said that people can certainly contact the Pa. Attorney General to complain and suggest an investigation.
Some had been worried about the Philly Fighting COVID site weeks ago. For years, Sarah Wipperman, a scholarly communications librarian at Villanova University, has been reading terms and conditions and privacy policies on websites, and was disappointed to find that the Philly Fighting COVID site did not have one.
“This one to me screamed: I need a second look, because some of those basic things weren’t in place.”
She added that though she has been reading these policies for years, she does not enjoy it, but does it because she wants to know how websites are going to use her data.
“It’s mentally taxing, something that should be simple like signing up for a quick website or signing up for an account for something takes like half an hour, an hour,” she said. “I definitely don’t like it, I wish I didn’t have to do it.”
She has given up on products and services because she disagreed with the terms and conditions. For instance, when she was moving apartments last year, she found one that she liked and got an offer for, but the contract included mandatory arbitration, which means disputes have to be resolved out of court behind closed doors, and a line saying she was not allowed to have kitchen knives. She asked about the lines she objected to, and the landlord took back the offer.
Deciding whether or not to sign up for the Philly Fighting COVID vaccine registry was a harder decision, because there are alternatives for apartments, but earlier in the month, Philly Fighting COVID was the only site registering people for vaccines in Philadelphia.
“I (was) terribly divided as to whether or not I kind of want to put aside all of these issues I have with terms of service, privacy policies and just do it because I feel like it’s a good civic thing for me to do,” she said. “This is something that’s definitely beyond me, it’s something that impacts our entire city.”
She ultimately did not register with Philly Fighting COVID.
Get daily updates from WHYY News!
WHYY is your source for fact-based, in-depth journalism and information. As a nonprofit organization, we rely on financial support from readers like you. Please give today.