As a fan of the concept of contact tracing, I have been anxiously expecting an official review by Canada’s Privacy Commissioner (“OPC”). On July 31, the new app launched and with it, the OPC released their findings and recommendations. These were, to say the least, nuanced.
The OPC makes it clear that no hands-on testing was performed and that all comments are based on Health Canada’s self-assessment of its app. Although some of the responses indicate a relatively low level of technical sophistication by the latter, I find their attitude to be genuine and that will go some ways towards building public trust.
My reader will however note that while Health Canada did adopt a couple of the OPC’s recommendations, others remain unaddressed as far as I can tell.
Those looking for a brief statement will be disappointed, but the report itself is an informative read and at 6800 words, it’s not excessively verbose. I recommend it to anyone interested in the privacy of contact tracing apps, or who may be struggling with insomnia, but not both.
Before you dig in, know that your mileage will vary depending on your expectations and attention span. The report gets better as it goes along, but it will take some resilience to see it through.
To that end, I highlight the following excerpts that caught my eye. These will likely be different from yours or anyone else’s, but at the very least they serve to punctuate your own consumption of the content:
The OPC starts out by indicating that their review is based on a Health Canada self-assessment of the app:
“ our review of the app is based on the information provided to us”
“ the technology is untested” (referring to the concept of contact tracing as a medical and social tactic for reducing the spread of contagious diseases as an information-based strategy)
“ we recommended that the government closely monitor and evaluate the app’s effectiveness once it is used, and decommission it if effectiveness cannot be demonstrated”
“ Health Canada will invite the OPC to participate in a joint audit of the app, starting in the fourth quarter of 2020”
“in light of the security and other safeguards adopted, the risk of re-identification is very low.”
“ we understand that individuals will not have access to the exposure notification information”
“ it is unclear whether the law would prohibit organizations from seeking information residing in the app”
“ the information shared between phones and the servers is a series of numbers that on their own do not identify individuals themselves” (The app operates by connecting with a federal server, which in turn must interact with provincial or territorial systems)
“ we noted an element in the Notice and notifications which, in our opinion, was not accurate, and therefore would not result in meaningful consent”…” use of the app should not be characterized as entirely anonymous. Personal data is being de-identified, at certain points, and users rendered pseudonymous, at certain points, but such techniques across the system should not be described as offering anonymity.” (Health Canada and the Government of Canada accepted te recommendation and removed those references)
“ The (Health Canada) Privacy Assessment affirms that COVID Alert does not collect any personal information, which suggests that the federal Privacy Act does not apply. This is because, according to the Government of Canada, the app relies on random codes and there is no “serious possibility” that an individual could be identified from the data elements, either alone, or in combination with other information.
This deserves a pause. While it is not necessary for the purpose of this review to opine on the validity of the government’s assertion, which may be correct at law, it bears noting that an app, described worldwide as extremely privacy sensitive and the subject of reasoned concern for the future of democratic values, is defended by the Government of Canada as not subject to its privacy laws. This is again cause for modernizing our laws so that they effectively protect Canadian citizens.”
“ The (Health Canada) Privacy Assessment further indicates that, “Nevertheless, should a different conclusion be reached regarding the assessment of whether any data element could be considered personal information, all requirements of the Privacy Act and Treasury Board of Canada Secretariat (TBS) Privacy Policies have been met in order to ensure user privacy is protected.” Here the government is saying that even if in its view the Privacy Act does not apply, it will act as if the Act applied and all its requirements will be met. However, when asked whether certain specific rights enacted by the Privacy Act would apply, such as the right of access and protection from certain disclosures, Health Canada said no because the initiative does not involve the collection of personal information. Consequently, without a confirmation that all Privacy Act and TBS policy requirements are met, we believe the statement could be confusing and could give false assurances to Canadians.”
OPC Recommendation: Health Canada should remove from the Privacy Assessment and any other documentation references indicating that the Government of Canada complies with the Privacy Act and with TBS policies on privacy.
“ When asked to confirm that making the app available for use by Canadians had a scientific basis, Health Canada stated its view that the app will likely be effective in achieving its defined purposes. We also note the views of the World Health Organization that “digital proximity tracking applications can only be effective in terms of providing data to help with the COVID-19 response when they are fully integrated into an existing public health system and national pandemic response. Such a system would need to include health services personnel, testing services and the manual contact tracing infrastructure.”Footnote10 Additionally, while the level of uptake for the COVID Alert app remains hard to predict, we note that a study by epidemiologists from Oxford University found that any level of uptake could have a positive impact. In fact, the researchers stated that based on their simulation, “one infection will be averted for every one to two users.”
“several commercial entities will be able to determine whether individuals have downloaded and used the app. These entities should not be permitted to monitor their customers’ use of the COVID Alert app.”
IP addresses accompany attempts to verify one-time codes to the server. The server retains the user’s IP address for 60 minutes if the one-time code is not valid; this retention is meant to help prevent fraudulent uses of one-time codes. In addition, system logs will retain users’ IP address every time there is a request made to the server (one-time code verification, diagnosis key upload, etc.) for up to three months in normal conditions. In the event of suspicious activity, the system will retain a user’s IP address for up to two years. In this scenario, we understand that the relevant system logs may be shared with law enforcement agencies to facilitate an investigation. These security features present a risk of re-identification…
“considering the complexity of the (Shared Services Canada) agreement (with Amazon AWS) and our limited time for review, we reserve the right to further review this agreement as part of the Government of Canada’s broader cloud-first strategy”
Having reviewed the documentation provided by the Government of Canada to date, we are satisfied that the design of the COVID Alert exposure notification app meets all the privacy principles outlined in the joint FPT statement.
Those who manage to complete a read-through may be surprised by the sections and statements I chose to exclude from the above (such as “the Government of Canada will be using a “privacy-first approach”) but you will ultimately have to draw your own conclusions.
Three additional points are worth making here:
- Reform: the Privacy Commissioner really makes it clear that Canadians are not well served by their current privacy legislation.
- Dependencies: the app ultimately depends on the platform it runs on, with some opacity as to the use of information by commercial third parties. The Android version of the app, for instance, requires Location Services to be turned on for the app to function, even though the app itself does not collect location information.
- Perspective. As you can see from this snapshot of web page trackers, there is much more tracking and collection of personal information during the course of reading an article about the contact tracing app on a media website than there is within the app itself.
Do I have any concerns about this review? Some. For instance, there is a risk that the OPC’s concluding statement may conflate privacy with security, or at least confuse a public that does not know how to articulate questions about the difference:
Canadians who choose to use the app can do so knowing it includes very significant privacy protections. While experts generally agree that there is no such thing as zero risk of the re-identification of de-identified data, we are satisfied that exceptionally strong technical security safeguards have been put in place.
Despite the occasional ambiguity however, it is encouraging to know that the Privacy Commissioner did step up and conduct an impartial privacy review while taking the opportunity to also note the need for stronger legislative protections.
While wrapping up this article, I receive an SMS from the Government of Canada: “Download the COVID Alert app for free, and help protect yourself and your community. The COVID Alert app lets users know if they have been exposed to COVID-19. Available now in Ontario in the Apple App Store or Google Play. Free message.”
Would I install the app? Yes. It was designed by people who care about privacy and believe in an important cause. if Health Canada chose to make it available for my phone, which is not currently the case, I would definitely install it. In the meantime, I will enjoy reading your comments and welcome any feedback you have to offer.