UPDATE (27/08/2020): Since publishing this analysis, we have followed-up with Health Canada and Canada Digital Services. Information is added below. We are still waiting for some final information from Health Canada and will update the post further when we have received it.

UPDATE (03/09/2020): We have received more clarifications from Health Canada. Update is below.

We’ve seen several people on our social media feeds advocate for downloading the new federal COVID Alert application, based on arguments including the fact our privacy is already violated by Facebook. We don’t believe this should be an argument for using the app: it isn’t because governments have failed to protect our data and privacy while we use Facebook – a very important platform, including for activism – that we should accept other possible privacy violations, especially when the Office of the Privacy Commissioner (OPC) of Canada has published a privacy assessment of the app.

Important links

Short version of the OPC’s assessment: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/nr-c_200731/

OPC’s full analysis (it’s not that much longer, we encourage everyone to read it): https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/rev_covid-app/

Government webpage for the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert.html

Government privacy notice on the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy.html

Our analysis

Here is our understanding of the app based on all the info provided in the links above:

• From the Privacy Commissioner’s analysis: “Participating provinces [right now it’s only Ontario] will be required to distribute one-time codes to users of the app who have tested positive, which allows them to share their exposure notification info from the app with other users in a de-identified fashion. Certain individuals at the provincial level will be aware that a person has received a positive test result, but individuals will not have access to the exposure notification information.”
• The app does not track location, does not collect your name or address or contacts in your phone, according to the Privacy Commissioner. The OPC states that strong encryption is used in the creation and sharing of these one-time codes, and most data used by the app will be stored directly on your phone and deleted after 15 days. All data sent and received is de-identified and anonymized, meaning you won’t be able to know who has tested positive or where, and if you test positive, people notified won’t know it’s you or where the contact occurred. The Privacy Commissioner notes that it’s not impossible to re-identify data, but that the risk is very low.
• The Privacy Commissioner is happy with the level of cooperation and transparency of the government, and reviewed the design of the app and how it interacts with federal servers. The code is public (links here), but of course only experts can understand it. The app is not supposed to use any data for purposes other than notifying people they have been in close proximity with someone who tested positive for COVID-19.
• It is not ideal that there was no law or parliamentary process to roll out the app but we are definitely happy the government delayed the roll out until the Privacy Commissioner of Canada finally had a chance to examine it.
• Use of the app is voluntary, which is positive. We were also happily surprised to learn that a study from epidemiologists at Oxford University shows that contact tracing and notification apps could be effective in preventing some spreading even if it’s not used by most people. It could prevent one new infection per one or two persons using the app. In any case, the app is only effective in preventing spreading if used in pair with other preventative measures such as testing, manual COVID-19 contact-tracing, the use of masks, physical distancing and hand washing.
• We are also happy that there will be an evaluation of the effectiveness and privacy impact of the app in the last quarter of 2020, and pleased to see the creation of an advisory council of outside experts to provide advice and guidance to ensure the effectiveness of the app.
• As the Privacy Commissioner has said, it would be important for the government to forbid businesses from requiring customers to show proof that they have the app and that they have not tested positive or have not been in contact with people who are positive, otherwise the voluntary nature of the app goes out the window.
• Health Canada committed to shutting down the app – which will erase the random numbers shared between phones and delete any data stored on the Government of Canada’s servers (unless IP addresses are being retained for a security investigation) – within 30 days after the pandemic is declared over. Even though the pandemic could last a long time, this is an important time limitation.

Some concerns to note

• • In April, with OpenMedia, BCCLA, CIPPIC and BC FIPA, we put together 7 principles to follow for contact-tracing apps to protect human rights. The new app meets some principles but not all of them: the app is not regulated by a law and didn’t go through a parliamentary process; there is no stated recourse if there is a breach of privacy or other issues or rights violations; and there is no commitment from the government to discontinue the app if its found to be ineffective (or there are privacy issues with it) – only a commitment that they will take the recommendation of the Advisory Council into consideration.
  • From the Privacy Commissioner’s analysis: “IP addresses accompany attempts to verify one-time codes to the server. The server retains the user’s IP address for 60 minutes if the one-time code is not valid; this retention is meant to help prevent fraudulent uses of one-time codes [like fake exposure notifications, which the government is transparent about on their webpage]. In addition, system logs will retain users’ IP address every time there is a request made to the server (one-time code verification, diagnosis key upload, etc.) for up to three months in normal conditions. In the event of suspicious activity, the system will retain a user’s IP address for up to two years. In this scenario, the relevant system logs may be shared with law enforcement agencies to facilitate an investigation. These security features present a risk of re-identification because, when combined with other information, IP addresses can be used to identify individuals. But, again, due to the adoption of strong safeguards, we believe the risk of identification is low. The Government of Canada indicated to our Office that access to these logs is restricted to authorized users who are bound by security obligations to protect this information and not to access or use it for nefarious purposes.”
  • It would seem that it should not be necessary to keep IPs beyond one hour, just long enough to verify the validity of the codes are being verified. “Suspicious activity” and the type of investigation that could be launched, and for which our IP addresses could be shared with law enforcement, should also be defined. Currently, the government’s privacy assessment states, “IP addresses may be disclosed to law enforcement in the event a malicious actor attempted to gain, or gained, access to the server where they are stored.” However, we lack information about what kind of “suspicious activity” would trigger the longer retention of IP addresses, as well as whether the disclosure of IP addresses to law enforcement is strictly bound to malicious attempts to access servers. 
  • Furthermore, we maintain even deeper concerns about the need to store for three months the IP addresses of individuals who merely receive keys to verify whether they came in contact with anyone who tested positive, and have not submitted any codes through the app. This seems to us to be unnecessary, but we have reached out to the government for more information. We do note, at least, that IP addresses will be stored on a separate server from the key server, providing one more layer of privacy security.
  • UPDATE (27/08/2020): After speaking with Health Canada and Canadian Digital Service officials, some of our concerns have been clarified and/or addressed:
    • Regarding the retention period of three months for all IP addresses, we were informed that this time frame was reached after deep deliberation among staff involved both in cybersecurity and in privacy issues. In fact, the original proposal was to possibly keep IP addresses for a longer time period. We were told that the retention of IP addresses over a three-month time frame is to ensure the application is functioning normally and to ensure that activity can be properly tracked in order to monitor for patterns that demonstrate suspicious activity. Officials have also committed to reviewing and potentially reducing this retention period if it becomes clear that a shorter time frame is adequate to ensure the security of the system. This is also explained online here, including the commitment to reviewing the retention period. 
    • In our conversation, officials also reaffirmed that they are monitoring for suspicious activity that would undermine the security or integrity of the system and users. The activity considered suspicious, and the steps to be taken, are laid out in the Government of Canada Cyber Security Event Management Plan (GC CSEMP), including under what circumstances activity must be reported to either the Canadian Centre for Cyber Security or to law enforcement. More details are found in sections 5.2.3 and 5.2.4 of the GC CSEMP. While we would still prefer to see specific legislation regarding the handling of information related to COVID Alert, this provides clear, written guidelines regarding potential cyber-security incidents.
    • We have also re-confirmed that IP addresses are kept on a separate server than that which handles one-time codes and keys. This is positive. However, we agree with the OPC and maintain our concern that IP addresses still presents a risk of re-identification. This is particularly true since the IP server also maintains logs of the activity associated to that IP address. Therefore, when the activity of uploading a one-time code to the application is associated with an IP address, it can be inferred that the owner of that IP address has tested positive for COVID-19. We recognize that important and significant steps have been taken to protect this information, including strict limits on access and strong cybersecurity protections. However, we have also asked whether there has been consideration of further limiting the kind of information stored alongside IP addresses by, for example, not associating a type of activity (such as uploading a one-time code or downloading keys) with an IP address, and solely noting if there was an attempt to upload a fraudulent code from an IP address (or if everything is normal). We will update when we have a response.
    • Finally, we were also informed that officials are in the process of putting together documentation to add to the government’s COVID Alert page that would further explain security and privacy measures. This is positive for transparency and accountability, and we will link to it once it has been published.
  • UPDATE #2 (03/09/2020): We have received further clarifications and information from Health Canada regarding our concerns:
    • They have confirmed that sharing information with law enforcement “would be specifically in the event of a cybersecurity attack on the exposure notification system (e.g. enlisting law enforcement to help respond), rather than situations where law enforcement is looking for some kind of information from CDS/HC to pursue some other investigation.”
    • Also confirmed is that any disclosed information – including IP addresses – would be considered “personal information” and they would therefore act in accordance with the Privacy Act and the Charter of Rights and Freedoms.
    • Finally, they are open to reducing the amount and kind of information retained on the IP server, but do not have plans to make any changes. There may also be limitations to what can be modified on the AWS system where the IP addresses and logs are stored. While these systems have strong security measures in place, this still leaves room for some privacy concerns. We will look to follow-up again with officials in the coming months to ascertain whether they are open to further minimizing the amount of information retained.
  • The cloud services used by the government of Canada are owned and operated by Amazon. There are Amazon servers located in Montreal and this is most likely where data will be stored since it’s a Canadian app. For what it’s worth, many businesses, such as the National Bank of Canada, use those servers as well. The Privacy Commissioner says: “Amazon Web Services were procured through existing Shared Services Canada cloud framework agreement. Our preliminary assessment of this agreement suggests measures are in place to protect the information stored in the server. However, considering the complexity of the agreement and our limited time for review, we reserve the right to further review this agreement as part of the Government of Canada’s broader cloud-first strategy.”
  • Finally, the Privacy Commissioner says: “In addition to looking at the design of the app and how it interacts with the federal servers, we reviewed publicly available information about the API [Application Programming Interface, which is a software intermediary that allows two applications to talk to each other] designed by Google and Apple. However, we were not able to review the entire API code, which is not publicly available. A thorough evaluation of the surrounding technical ecosystem in which the app operates is beyond the reach of this review. We are aware of concerns related to this uncertainty about the environment in which the app and API interact.” The Privacy Commissioner’s recommendation: “The Government of Canada should continually monitor and assess the potential risks related to the Google and Apple operating systems in relation to COVID Alert. To maintain the same level of transparency, the Government of Canada should communicate to the public any potential new privacy risk related to that component of the COVID Alert app.”

We hope this will be helpful in informing your decision on whether or not to use the app. We are still discussing our concerns with colleagues within the civil liberties and privacy fields, and are waiting to hear from the OPC and the government on our concerns, and may take additional action at a later date.

Here is some extra information from the government about the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy/assessment.html

PS: We haven’t touched on considerations of the application’s efficiency and necessity as it is outside the scope of our mandate and expertise. We encourage to seek out that information as well to make a completely informed decision whether to use it or not.