News from ICLMG

Our analysis of the COVID Alert app

UPDATE (27/08/2020): Since publishing this analysis, we have followed-up with Health Canada and Canada Digital Services. Information is added below. We are still waiting for some final information from Health Canada and will update the post further when we have received it.

UPDATE (03/09/2020): We have received more clarifications from Health Canada. Update is below.


We’ve seen several people on our social media feeds advocate for downloading the new federal COVID Alert application, based on arguments including the fact our privacy is already violated by Facebook. We don’t believe this should be an argument for using the app: it isn’t because governments have failed to protect our data and privacy while we use Facebook – a very important platform, including for activism – that we should accept other possible privacy violations, especially when the Office of the Privacy Commissioner (OPC) of Canada has published a privacy assessment of the app.

Important links

Short version of the OPC’s assessment: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/nr-c_200731/

OPC’s full analysis (it’s not that much longer, we encourage everyone to read it)https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/rev_covid-app/

Government webpage for the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert.html

Government privacy notice on the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy.html

Our analysis

Here is our understanding of the app based on all the info provided in the links above:

  • From the Privacy Commissioner’s analysis: “Participating provinces [right now it’s only Ontario] will be required to distribute one-time codes to users of the app who have tested positive, which allows them to share their exposure notification info from the app with other users in a de-identified fashion. Certain individuals at the provincial level will be aware that a person has received a positive test result, but individuals will not have access to the exposure notification information.”
  • The app does not track location, does not collect your name or address or contacts in your phone, according to the Privacy Commissioner. The OPC states that strong encryption is used in the creation and sharing of these one-time codes, and most data used by the app will be stored directly on your phone and deleted after 15 days. All data sent and received is de-identified and anonymized, meaning you won’t be able to know who has tested positive or where, and if you test positive, people notified won’t know it’s you or where the contact occurred. The Privacy Commissioner notes that it’s not impossible to re-identify data, but that the risk is very low.
  • The Privacy Commissioner is happy with the level of cooperation and transparency of the government, and reviewed the design of the app and how it interacts with federal servers. The code is public (links here), but of course only experts can understand it. The app is not supposed to use any data for purposes other than notifying people they have been in close proximity with someone who tested positive for COVID-19.
  • It is not ideal that there was no law or parliamentary process to roll out the app but we are definitely happy the government delayed the roll out until the Privacy Commissioner of Canada finally had a chance to examine it.
  • Use of the app is voluntary, which is positive. We were also happily surprised to learn that a study from epidemiologists at Oxford University shows that contact tracing and notification apps could be effective in preventing some spreading even if it’s not used by most people. It could prevent one new infection per one or two persons using the app. In any case, the app is only effective in preventing spreading if used in pair with other preventative measures such as testing, manual COVID-19 contact-tracing, the use of masks, physical distancing and hand washing.
  • We are also happy that there will be an evaluation of the effectiveness and privacy impact of the app in the last quarter of 2020, and pleased to see the creation of an advisory council of outside experts to provide advice and guidance to ensure the effectiveness of the app.
  • As the Privacy Commissioner has said, it would be important for the government to forbid businesses from requiring customers to show proof that they have the app and that they have not tested positive or have not been in contact with people who are positive, otherwise the voluntary nature of the app goes out the window.
  • Health Canada committed to shutting down the app – which will erase the random numbers shared between phones and delete any data stored on the Government of Canada’s servers (unless IP addresses are being retained for a security investigation) – within 30 days after the pandemic is declared over. Even though the pandemic could last a long time, this is an important time limitation.

Some concerns to note

    • In April, with OpenMedia, BCCLA, CIPPIC and BC FIPA, we put together 7 principles to follow for contact-tracing apps to protect human rights. The new app meets some principles but not all of them: the app is not regulated by a law and didn’t go through a parliamentary process; there is no stated recourse if there is a breach of privacy or other issues or rights violations; and there is no commitment from the government to discontinue the app if its found to be ineffective (or there are privacy issues with it) – only a commitment that they will take the recommendation of the Advisory Council into consideration.
    • From the Privacy Commissioner’s analysis: “IP addresses accompany attempts to verify one-time codes to the server. The server retains the user’s IP address for 60 minutes if the one-time code is not valid; this retention is meant to help prevent fraudulent uses of one-time codes [like fake exposure notifications, which the government is transparent about on their webpage]. In addition, system logs will retain users’ IP address every time there is a request made to the server (one-time code verification, diagnosis key upload, etc.) for up to three months in normal conditions. In the event of suspicious activity, the system will retain a user’s IP address for up to two years. In this scenario, the relevant system logs may be shared with law enforcement agencies to facilitate an investigation. These security features present a risk of re-identification because, when combined with other information, IP addresses can be used to identify individuals. But, again, due to the adoption of strong safeguards, we believe the risk of identification is low. The Government of Canada indicated to our Office that access to these logs is restricted to authorized users who are bound by security obligations to protect this information and not to access or use it for nefarious purposes.”
    • It would seem that it should not be necessary to keep IPs beyond one hour, just long enough to verify the validity of the codes are being verified. “Suspicious activity” and the type of investigation that could be launched, and for which our IP addresses could be shared with law enforcement, should also be defined. Currently, the government’s privacy assessment states, “IP addresses may be disclosed to law enforcement in the event a malicious actor attempted to gain, or gained, access to the server where they are stored.” However, we lack information about what kind of “suspicious activity” would trigger the longer retention of IP addresses, as well as whether the disclosure of IP addresses to law enforcement is strictly bound to malicious attempts to access servers. 
    • Furthermore, we maintain even deeper concerns about the need to store for three months the IP addresses of individuals who merely receive keys to verify whether they came in contact with anyone who tested positive, and have not submitted any codes through the app. This seems to us to be unnecessary, but we have reached out to the government for more information. We do note, at least, that IP addresses will be stored on a separate server from the key server, providing one more layer of privacy security.
    • UPDATE (27/08/2020): After speaking with Health Canada and Canadian Digital Service officials, some of our concerns have been clarified and/or addressed:
      • Regarding the retention period of three months for all IP addresses, we were informed that this time frame was reached after deep deliberation among staff involved both in cybersecurity and in privacy issues. In fact, the original proposal was to possibly keep IP addresses for a longer time period. We were told that the retention of IP addresses over a three-month time frame is to ensure the application is functioning normally and to ensure that activity can be properly tracked in order to monitor for patterns that demonstrate suspicious activity. Officials have also committed to reviewing and potentially reducing this retention period if it becomes clear that a shorter time frame is adequate to ensure the security of the system. This is also explained online here, including the commitment to reviewing the retention period. 
      • In our conversation, officials also reaffirmed that they are monitoring for suspicious activity that would undermine the security or integrity of the system and users. The activity considered suspicious, and the steps to be taken, are laid out in the Government of Canada Cyber Security Event Management Plan (GC CSEMP), including under what circumstances activity must be reported to either the Canadian Centre for Cyber Security or to law enforcement. More details are found in sections 5.2.3 and 5.2.4 of the GC CSEMP. While we would still prefer to see specific legislation regarding the handling of information related to COVID Alert, this provides clear, written guidelines regarding potential cyber-security incidents.
      • We have also re-confirmed that IP addresses are kept on a separate server than that which handles one-time codes and keys. This is positive. However, we agree with the OPC and maintain our concern that IP addresses still presents a risk of re-identification. This is particularly true since the IP server also maintains logs of the activity associated to that IP address. Therefore, when the activity of uploading a one-time code to the application is associated with an IP address, it can be inferred that the owner of that IP address has tested positive for COVID-19. We recognize that important and significant steps have been taken to protect this information, including strict limits on access and strong cybersecurity protections. However, we have also asked whether there has been consideration of further limiting the kind of information stored alongside IP addresses by, for example, not associating a type of activity (such as uploading a one-time code or downloading keys) with an IP address, and solely noting if there was an attempt to upload a fraudulent code from an IP address (or if everything is normal). We will update when we have a response.
      • Finally, we were also informed that officials are in the process of putting together documentation to add to the government’s COVID Alert page that would further explain security and privacy measures. This is positive for transparency and accountability, and we will link to it once it has been published.
    • UPDATE #2 (03/09/2020): We have received further clarifications and information from Health Canada regarding our concerns:
      • They have confirmed that sharing information with law enforcement “would be specifically in the event of a cybersecurity attack on the exposure notification system (e.g. enlisting law enforcement to help respond), rather than situations where law enforcement is looking for some kind of information from CDS/HC to pursue some other investigation.”
      • Also confirmed is that any disclosed information – including IP addresses – would be considered “personal information” and they would therefore act in accordance with the Privacy Act and the Charter of Rights and Freedoms.
      • Finally, they are open to reducing the amount and kind of information retained on the IP server, but do not have plans to make any changes. There may also be limitations to what can be modified on the AWS system where the IP addresses and logs are stored. While these systems have strong security measures in place, this still leaves room for some privacy concerns. We will look to follow-up again with officials in the coming months to ascertain whether they are open to further minimizing the amount of information retained.
    • The cloud services used by the government of Canada are owned and operated by Amazon. There are Amazon servers located in Montreal and this is most likely where data will be stored since it’s a Canadian app. For what it’s worth, many businesses, such as the National Bank of Canada, use those servers as well. The Privacy Commissioner says: “Amazon Web Services were procured through existing Shared Services Canada cloud framework agreement. Our preliminary assessment of this agreement suggests measures are in place to protect the information stored in the server. However, considering the complexity of the agreement and our limited time for review, we reserve the right to further review this agreement as part of the Government of Canada’s broader cloud-first strategy.”
    • Finally, the Privacy Commissioner says: “In addition to looking at the design of the app and how it interacts with the federal servers, we reviewed publicly available information about the API [Application Programming Interface, which is a software intermediary that allows two applications to talk to each other] designed by Google and Apple. However, we were not able to review the entire API code, which is not publicly available. A thorough evaluation of the surrounding technical ecosystem in which the app operates is beyond the reach of this review. We are aware of concerns related to this uncertainty about the environment in which the app and API interact.” The Privacy Commissioner’s recommendation: “The Government of Canada should continually monitor and assess the potential risks related to the Google and Apple operating systems in relation to COVID Alert. To maintain the same level of transparency, the Government of Canada should communicate to the public any potential new privacy risk related to that component of the COVID Alert app.”

We hope this will be helpful in informing your decision on whether or not to use the app. We are still discussing our concerns with colleagues within the civil liberties and privacy fields, and are waiting to hear from the OPC and the government on our concerns, and may take additional action at a later date.

Here is some extra information from the government about the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy/assessment.html

PS: We haven’t touched on considerations of the application’s efficiency and necessity as it is outside the scope of our mandate and expertise. We encourage to seek out that information as well to make a completely informed decision whether to use it or not. 

Since you’re here…

… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work.panel-54141172-image-6fa93d06d6081076-320-320You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!
make-a-donation-button

What we’ve been up to so far in 2020! Help us continue protecting civil liberties

The first half of 2020 has been very difficult given the impact of the pandemic, but we continued working hard to protect our civil liberties. Below you can see what we have accomplished so far this year, but first here is a sneak-peek into what we plan to do for the second half of 2020:

  • We will continue to protect our civil liberties and human rights against the threat of digital surveillance in the response to COVID-19, as well as the growing dangers of facial recognition technology.
  • We will continue to fight to abolish security certificates and end deportation to torture. Central to this is our work to stop Mohamed Harkat’s deportation to torture.
  • We will continue to monitor the implementation of the National Security Act, 2017 (formerly Bill C-59), especially around mass surveillance and immunity for CSIS employees.
  • We will continue to push for greater accountability and transparency for the Canada Border Services Agency (CBSA), including the establishment of a strong, effective and independent review mechanism.
  • We will continue advocating for the repeal of the Canadian No Fly List, and for putting a stop to the use of the US No Fly List by air carriers in Canada for flights that do not land in or fly over the US.
  • We will continue to call for justice for Dr. Hassan Diab and for the reform of the Extradition Act.
  • We will continue to pressure lawmakers to protect our civil liberties from the negative impact of national security and the “war on terror”, as well as keeping you and our 47 member organizations, informed via the News Digest.

Help us achieve our goals!


What we’ve been up to from January to July 2020!

Fighting COVID-19: Seven Principles to Protect Our Privacy COVID-19 and digital surveillance
  • We co-wrote a statement listing our seven principles, launched a letter-writing campaign, and created a video to protect our rights if digital surveillance is used to fight COVID.
  • We met with the Justice Minister to discuss our principles.
  • We helped draft an open letter calling on the federal government to delay the release of a national contact tracing app as the Privacy Commissioner should examine it first. The app’s release was delayed and no new date has been set.
  • We participated in an online panel on pandemics and civil liberties.
  • We’ve added our voice to 300 organizations and individuals to call on all levels of government to strengthen human rights oversight amid the pandemic.

Letter to the Minister of Public Safety: Ban Facial Recognition Surveillance

The ICLMG, 30 other organizations and 46 individuals, all active in protecting privacy, human rights and civil liberties, issued a call for the federal government to ban the use of facial recognition surveillance by federal law enforcement and intelligence agencies, including the RCMP.
Facial recognition surveillance is invasive and inaccurate. This unregulated technology poses a threat to the fundamental rights of people in Canada. See the full letter, addressed to Public Safety Minister Bill Blair, and list of signatories here.

We need your help to continue fighting for justice and human rights!

Yasser Albaz is finally back in Canada!

Canadian Yasser Albaz spent 16 months without charge and in awful conditions in an Egyptian prison. Alongside his daughter, his wife, numerous individual supporters, NCCM and Amnesty International, ICLMG campaigned for his safe return home. Our National Coordinator, Tim McSorley, spoke at a press conference before the Foreign Affairs Minister’s visit to Egypt, and at recent rally in front of the Prime Minister’s office.

Stop the deportation to torture of Moe Harkat!

We continued our advocacy for Mohamed Harkat’s rights and life:
  • We sent a joint letter to the Public Safety Minister & rallied at his office.
  • 4000 more letters have been sent to the Minister urging him to let Mr. Harkat’s stay in Canada.
  • We met with MP Paul Manly and Green Party caucus staff, resulting in a letter to the Public Safety Minister.
  • We presented on security certificates and inadmissibility to a law class at the University of Windsor.

Criminalization and silencing of dissent

  • We co-organized & moderated a book launch on the targeting of anti-poverty groups by national security agencies in the 1960s & ’70s, which was live-streamed.
  • We issued a statement condemning the RCMP invasion of Wet’suwet’en territory, the use of national security concerns to criminalize land defenders, and the suppression of freedom of the press.

We published the News Digest

We continue to publish our now bi-monthly News Digest, which all of you receive and is distributed to thousands of people every two weeks. Check out the News Digest archive if you’ve missed some of our issues.
If you know anyone interested in national security and/or human rights, send them an invite to sign up!
Our parliamentary work
  • We monitored the implementation of the National Security Act, 2017 (Bill C-59).
  • We lobbied and strategized around Bill C-3, which would create an independent review body for the CBSA.
  • We had several meetings with lawmakers including the Policy Director for the Public Safety Minister.
  • We were invited to meet with the National Security and Intelligence Committee of Parliamentarians.
  • With other groups, we’ve sent a letter to the Prime Minister & filed access to information requests regarding the return of Canadians detained in North-East Syria.
… and more!
  • The Big Data Surveillance Project book we contributed a chapter to will come out in Fall 2020 and we are contributing to plans for the project’s final conference, to be held in Ottawa in 2021.
  • We participated in the Green Square campaign to mark the anniversary of the horrific attack on the Centre culturel Islamique de Québec.
  • We participated in three civil society roundtables with staff of the Privacy Commissioner of Canada.
  • We presented to the National Security Transparency Advisory Group.
  • We are in regular contact with the National Security and Intelligence Review Agency.
  • Our National Coordinator gave several media interviews.
  • Our social media accounts and live-streams reached tens of thousands.

If you think our work is important, please support the ICLMG!

We do not receive any funding from any federal, provincial or municipal governments or political parties so your support is essential to our work.

We are counting on people like you.

Thank you for your support in protecting civil liberties!

— Anne & Tim

PS: For what we were up to in the second half of 2019, click here!

PPS: For what we’ve been up to since ICLMG was created in 2002, check out our Achievements page!

Open Letter: Canadian Government Must Ban Use of Facial Recognition by Federal Law Enforcement, Intelligence Agencies

ban-facial-recognition-surveillance-banner

Today, the ICLMG, OpenMedia and 29 organizations and 46 individuals, all active in protecting privacy, human rights and civil liberties, issued a call for the federal government to enact an immediate ban the use of facial recognition surveillance by federal law enforcement and intelligence agencies, including the RCMP.

The full letter, addressed to Public Safety Minister Bill Blair, and list of signatories is below, and available here [PDF].

Facial recognition surveillance is invasive and inaccurate. This unregulated technology poses a threat to the fundamental rights of people in Canada.

Studies have shown the racial biases in facial recognition surveillance, with leading technology mis-identifying Black, Asian and Indigenous faces 10 to 100 times more than white faces. As the letter points out, at a time when society is pushing to address systemic racism in policing, adopting a technology that is known for its racial biases is a move in the wrong direction.

Even if these biases could be addressed, though, the dangers posed by facial recognition surveillance to our rights would persist. Facial recognition surveillance undermines our freedoms of association, assembly, expression and movement, as well as the right to privacy and protection against unreasonable search and seizure.

Canada’s existing privacy laws do not regulate biometrics, including facial recognition, allowing the technology to be adopted by police forces across the country without any oversight or clear rules. For example, the RCMP has used the highly controversial Clearview AI facial recognition technology without consulting the Privacy Commissioner or issuing a Privacy Impact Assessment. The federal police force went so far as to publicly deny its use of Clearview AI’s technology, when it had actually been operating it for several months.

Along with the ban on the use of facial recognition surveillance by law enforcement and intelligence agencies at the federal level, the signatories are also calling on the government to:

  • Initiate a meaningful, public consultation on all aspects of facial recognition technology in Canada;
  • Establish clear and transparent policies and laws regulating the use of facial recognition in Canada, including reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act.

Even with a federal ban on facial recognition surveillance in place, it will be crucial to establish limits around other uses of facial recognition at all levels of government. For example, provinces and municipalities must act to halt the use of facial recognition by local and regional law enforcement.

Other jurisdictions are recognizing the dangers of facial recognition technology, with several US cities banning its use by law enforcement. Even companies that produce the technology have been forced to recognize its dangerous nature, with many halting sales to law enforcement. In Canada, the federal Office of the Privacy Commissioner is investigating the RCMP’s use of facial recognition technology, and OpenMedia has launched a petition calling for a country-wide ban on the use of facial recognition surveillance by law enforcement. You can take action here.

The federal government has the opportunity to be a leader on this issue by taking a firm stance on facial recognition surveillance. Minister Blair must enact a ban on its use now, before we see more harm done.

Since you’re here…

… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work.panel-54141172-image-6fa93d06d6081076-320-320You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!
make-a-donation-button

Page 3 of 6612345...102030...Last »