We’ve seen several people on our social media feeds advocate for downloading the new federal COVID Alert application, based on arguments including the fact that our privacy is already violated by Facebook. We don’t believe this should be an argument for using the app: the fact that governments have failed to protect our data and privacy while we use Facebook – a very important platform, including for activism – does not mean we should accept other possible privacy violations, especially when the Office of the Privacy Commissioner (OPC) of Canada has published a privacy assessment of the app.
Short version of the OPC’s assessment: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/nr-c_200731/
OPC’s full analysis (it’s not that much longer, we encourage everyone to read it): https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/rev_covid-app/
Government webpage for the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert.html
Government privacy notice on the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy.html
Here is our understanding of the app based on all the info provided in the links above:
- From the Privacy Commissioner’s analysis: “Participating provinces [right now it’s only Ontario] will be required to distribute one-time codes to users of the app who have tested positive, which allows them to share their exposure notification info from the app with other users in a de-identified fashion. Certain individuals at the provincial level will be aware that a person has received a positive test result, but individuals will not have access to the exposure notification information.”
- The app does not track location, does not collect your name or address or contacts in your phone, according to the Privacy Commissioner. The OPC states that strong encryption is used in the creation and sharing of these one-time codes, and most data used by the app will be stored directly on your phone and deleted after 15 days. All data sent and received is de-identified and anonymized, meaning you won’t be able to know who has tested positive or where, and if you test positive, people notified won’t know it’s you or where the contact occurred. The Privacy Commissioner notes that it’s not impossible to re-identify data, but that the risk is very low.
- The Privacy Commissioner is happy with the level of cooperation and transparency of the government, and reviewed the design of the app and how it interacts with federal servers. The code is public, but of course only experts can understand it. The app is not supposed to use any data for other purposes than notifying people they have been in close proximity with someone who tested positive for COVID-19.
- It is not ideal that there was no law or parliamentary process to roll out the app but we are definitely happy the government delayed the roll out until the Privacy Commissioner of Canada finally had a chance to examine it.
- Use of the app is voluntary, which is positive. We were also happily surprised to learn that a study from epidemiologists at Oxford University shows that the app could be effective in preventing some spreading even if it’s not used by most people. It could prevent one new infection per one or two persons using the app. In any case, the app is only effective in preventing spreading if used together with other preventative measures such as testing, manual COVID-19 contact-tracing, the use of masks, physical distancing and hand washing.
- We are also happy that there will be an evaluation of the effectiveness and privacy impact of the app in the last quarter of 2020, and pleased to see the creation of an advisory council of outside experts to provide advice and guidance to ensure the effectiveness of the app.
- As the Privacy Commissioner has said, it would be important for the government to forbid businesses from requiring customers to show proof that they have the app and that they have not tested positive or have not been in contact with people who are positive, otherwise the voluntary nature of the app goes out the window.
- Health Canada committed to shutting down the app – which will erase the random numbers shared between phones and delete any data stored on the Government of Canada’s servers (unless IP addresses are being retained for a security investigation) – within 30 days after the pandemic is declared over. Even though the pandemic could last a long time, this is an important time limitation.
Some concerns to note
- In April, with OpenMedia, BCCLA, CIPPIC and BC FIPA, we put together 7 principles to follow for contact-tracing apps to protect human rights. The new app meets some principles but not all of them: the app is not regulated by a law and didn’t go through a parliamentary process; there is no stated recourse if there is a breach of privacy or other issues or rights violations; and there is no commitment from the government to discontinue the app if it’s found to be ineffective (or there are privacy issues with it) – only a commitment that they will take the recommendation of the Advisory Council into consideration.
- From the Privacy Commissioner’s analysis: “IP addresses accompany attempts to verify one-time codes to the server. The server retains the user’s IP address for 60 minutes if the one-time code is not valid; this retention is meant to help prevent fraudulent uses of one-time codes [like fake exposure notifications, which the government is transparent about on their webpage]. In addition, system logs will retain users’ IP address every time there is a request made to the server (one-time code verification, diagnosis key upload, etc.) for up to three months in normal conditions. In the event of suspicious activity, the system will retain a user’s IP address for up to two years. In this scenario, the relevant system logs may be shared with law enforcement agencies to facilitate an investigation. These security features present a risk of re-identification because, when combined with other information, IP addresses can be used to identify individuals. But, again, due to the adoption of strong safeguards, we believe the risk of identification is low. The Government of Canada indicated to our Office that access to these logs is restricted to authorized users who are bound by security obligations to protect this information and not to access or use it for nefarious purposes.”
- It would seem that it should not be necessary to keep IPs beyond one hour, just long enough to verify the validity of the codes being submitted. “Suspicious activity” and the type of investigation that could be launched, and for which our IP addresses could be shared with law enforcement, should also be defined. Currently, the government’s privacy assessment states, “IP addresses may be disclosed to law enforcement in the event a malicious actor attempted to gain, or gained, access to the server where they are stored.” However, we lack information about what kind of “suspicious activity” would trigger the longer retention of IP addresses, as well as whether the disclosure of IP addresses to law enforcement is strictly bound to malicious attempts to access servers.
- Furthermore, we maintain even deeper concerns about the need to store for three months the IP addresses of individuals who merely receive keys to verify whether they came in contact with anyone who tested positive, and have not submitted any codes through the app. This seems to us to be unnecessary, but we have reached out to the government for more information. We do note, at least, that IP addresses will be stored on a separate server from the key server, providing one more layer of privacy security.
- The cloud services used by the government of Canada are owned and operated by Amazon. There are Amazon servers located in Montreal and this is most likely where data will be stored since it’s a Canadian app. For what it’s worth, many businesses, such as the National Bank of Canada, use those servers as well. The Privacy Commissioner says: “Amazon Web Services were procured through existing Shared Services Canada cloud framework agreement. Our preliminary assessment of this agreement suggests measures are in place to protect the information stored in the server. However, considering the complexity of the agreement and our limited time for review, we reserve the right to further review this agreement as part of the Government of Canada’s broader cloud-first strategy.”
- Finally, the Privacy Commissioner says: “In addition to looking at the design of the app and how it interacts with the federal servers, we reviewed publicly available information about the API [Application Programming Interface, which is a software intermediary that allows two applications to talk to each other] designed by Google and Apple. However, we were not able to review the entire API code, which is not publicly available. A thorough evaluation of the surrounding technical ecosystem in which the app operates is beyond the reach of this review. We are aware of concerns related to this uncertainty about the environment in which the app and API interact.” The Privacy Commissioner’s recommendation: “The Government of Canada should continually monitor and assess the potential risks related to the Google and Apple operating systems in relation to COVID Alert. To maintain the same level of transparency, the Government of Canada should communicate to the public any potential new privacy risk related to that component of the COVID Alert app.”
We hope this will be helpful in informing your decision on whether or not to use the app. We are still discussing our concerns with colleagues within the civil liberties and privacy fields, and are waiting to hear from the OPC and the government on our concerns, and may take additional action at a later date.
Here is some extra information from the government about the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy/assessment.html
Since you’re here…
… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work. You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!