Health Canada has released its COVID Alert app in Ontario, with a planned release throughout the country. In order for the exposure notification app to be most effective, the majority of Canadians will need to download it. Whether a person downloads the app will be a personal decision, but concerns about privacy should not be a barrier to adding COVID Alert to the collection of apps already on your phone.
On July 31, the Office of the Privacy Commissioner of Canada (OPC) released the results of its COVID Alert app review conducted with the Information and Privacy Commissioner of Ontario (IPC). As the app is intended to be used throughout the country, the other provincial and territorial privacy commissioners were also consulted.
The OPC and IPC support the use of the app. Highlights from the review include:
- The use of the app is voluntary and has been developed with robust safeguards to protect the identity of users. Individuals should not be required to use the app or to disclose information about their use of the app.
- The OPC will be involved in an audit of the app in the fourth quarter of 2020. The audit will include ongoing analysis of the necessity and proportionality of the app, including its effectiveness, and an assessment of respect for the federal, provincial and territorial joint statement principles in the design and implementation of the app.
- An External Advisory Council will provide expert advice on the implementation of the app to implicated federal, provincial and territorial Deputy Ministers.
- The privacy commissioners are satisfied that exceptionally strong measures have been adopted to ensure that the identity of users is protected and not disclosed to the Government of Canada. In light of the security and other safeguards adopted, the risk of re-identification is very low.
- The language upon which consent will be sought consists of a Privacy Notice and notifications during the sign-up process. When an individual downloads the COVID Alert app, they are provided with an overview of how the app works, in clear and accessible language. The privacy commissioners are satisfied that the information presented to users will result in meaningful consent.
- The privacy commissioners are of the opinion that, while new and untested, the exposure notification app is likely to be effective in reducing the spread of the virus, as part of a larger set of measures. A study by epidemiologists from Oxford University found that any level of uptake could have a positive impact. Based on the researchers’ simulation, “one infection will be averted for every one to two users.”
- The Government of Canada has taken strong actions to prevent users’ identities from becoming known to other users, the federal, provincial and territorial governments or malicious hackers. The app does not collect or disclose any information that would directly identify the user. All the data in use and at rest is being protected by exceptionally strong encryption techniques and cryptographic hashing functions. The contact matching process takes place on the phone, with no personal data leaving the phone at any time. There is, however, a low possibility of identification, as the user’s IP address is stored under certain circumstances. When combined with other information, IP addresses can be used to identify individuals. However, the privacy commissioners are of the opinion that due to the adoption of strong security safeguards, the risk of re-identification is low.
- While in operation, the app limits the retention of information: Temporary Exposure Keys are deleted on the device after 14 days. The app will be shut down (deleting any information stored on the Government of Canada’s server) within 30 days after the pandemic has been declared over.
- The privacy commissioners were not able to review the entire API (application programming interface) designed by Google and Apple. It was recommended that the Government of Canada continually monitor and assess the potential risks related to the Google and Apple operating systems in relation to the COVID Alert app.
- Based on the information provided to the privacy commissioners, they believe that the COVID Alert app has very strong safeguards in place. For example, data at rest and in transit are encrypted using strong methods. The one-time code process relies on one of the strongest cryptographic hashing functions, and supports an anti-spam mechanism to ensure that fake diagnosis keys are not accidentally or maliciously uploaded. The draft Memorandum of Understanding between the Government of Canada and the Province of Ontario reviewed by the privacy commissioners contained rigorous privacy clauses, including that the app does not collect or use location data and that the information transmitted by the app is designed to protect the user’s identity and location.
Privacy Commissioner of Canada, Daniel Therrien, stated: “Canadians can opt to use this technology knowing it includes very significant privacy protections. I will use it.”
The COVID Alert app has more privacy protections than most of the apps willingly downloaded onto a person’s phone. Despite most people having little concern for their privacy when downloading apps (remember Pokémon Go?), individuals can take comfort in knowing that exceptional measures have been implemented to protect their privacy with the Government of Canada COVID Alert app.