June 18, 2020
A social experiment in technologically-assisted tracking for public health purposes is about to begin in Canada, and we’re the data subjects (aka guinea pigs). The federal government today announced their support for a contact tracing app to roll out in Canada, and the province of Ontario will be the first to test it. The Premier of Ontario later claimed it as a “made in Ontario” solution.
The COVID Alert app will be available July 2 in Ontario for voluntary download. The Ontario Digital Service worked with code developed by volunteers from the e-commerce giant Shopify with security audit help from Blackberry. It is built on the Apple/Google infrastructure that supports a decentralized form of proximity notifications.
It works by running all the time in the background of a smartphone, and recording “anonymized” identifiers every time you are in proximity for a defined period of time with another app user. If a user tests positive for the virus, others they have been in contact with will get a notification to get tested.
Details continue to emerge about the app. For now, we’re told the server that will hold the data collected by the app will be managed by Canadian Digital Services federally, while various provinces will manage the app interfaces. Data is kept for 14 days and then automatically deleted. It is said to be designed to work as a support for, rather than a replacement of, manual contact tracing, and indeed, the launch of the app was coupled with an announcement that Ontario will also double its manual contact tracing workforce.
But there are many unanswered practical questions for an app with a province-wide rollout in a “testing” phase: What’s the false positive rate for the COVID Shield app? What’s the false negative rate? What assumptions are built into the app about how close you have to be for how long to get a notice and what public health evidence are they based on? How does a test differ from a launch? Are there additional risks to Ontarians in using the app “untested”, what are they, and how are they being mitigated?
There are also far larger questions about the utility of these apps in general. Technologically assisted contact tracing has been widely debated in Canada and globally. Elsewhere, it’s fair to say it’s mostly tanked, despite high hopes and hype. Countries like Iceland, which rolled out a national app quickly and got reasonably high citizen buy-in, have said it wasn’t “a gamechanger”. Norway recently recalled their app after their data protection authority said it failed to adequately protect privacy. Singapore’s much-vaunted app has peaked at about 25% uptake amidst concerns about surveillance creep. The UK just closed down their initial attempt after significant controversy about its design and implementation. The only province in Canada to launch an app up to now has been Alberta, and in mid-May it seemed to have failed to gain people’s confidence in its utility or privacy, with only an 11% uptake.
In this context, there’s a real question to be asked about whether an app can be sufficiently helpful to justify any privacy intrusions. Much has been made of the privacy protections built into the app, but we mustn’t lose sight of the reality that being asked by the state to allow our contacts with others to be traced pre-emptively is a significant, unprecedented ask.
Proportionality between the information collected and the public benefit can only be assessed with a full understanding of how the app is designed, how it works, and what the policy framework around it will be, and then ongoing audits to assess how it’s working in real life; in other words, as usual, the devil will be in the details and we’re going to need some proof it’s working. Anything less than full transparency about how it works, and if it works, is insufficient. At first glance, the design of this app aligns with many of the recommendations experts have been making about such tools from a technical privacy perspective, but that alone is not enough.
It’s widely acknowledged that a precondition for uptake will be public trust, not just in the built-in privacy protections but in the governments collecting and using the information. The foundation for that trust is looking a little shaky.
The emphatic statement from Premier Ford, who said “personal privacy was our #1 priority”, is probably one of the best indicators of political awareness that privacy has been a huge concern for people when it comes to these apps. There’s a red flag, however. Prime Minister Trudeau stated today that “the Privacy Commissioner of Canada has been worked with on this app”; less than two weeks ago, the Commissioner speaking to the standing committee of parliament on Industry, Science and Technology (INDU) said only one app had been discussed with him directly, and it wasn’t this one, so it will be interesting to hear more from the Commissioner on this topic. It’s puzzling and concerning, given the clear acknowledgement of the importance of privacy, that the announcement didn’t come complete with the public release of a detailed privacy impact assessment and a review by the Privacy Commissioner.
Privacy is not, of course, the only civil liberties concern when it comes to integrating a contact tracing app into our public health system. Outside of the privacy context, there are also significant social considerations for the use of such apps that run on technology not all people in Canada can afford, and that raise concerns regarding creeping functionality. These apps will have social consequences. Here are just a few of the outstanding questions that we’re not talking about: How is the potential discriminatory impact of a tool that runs on expensive phones going to be addressed? What precautions are in place to ensure the voluntary use of the app can’t be co-opted by others, like employers, to demand its use in order to be allowed to come to work, or landlords, in order to access housing?
In addition, we haven’t talked at all about the social supports needed for a public health tool based on notifications to work: not just testing on demand, but also accommodations in the workplace for those who get a notice from their app that they need to get tested and stay home. If front line workers don’t have paid sick days or job protection, what impacts will a series of notices that they’ve experienced a contact event have on their ability to respond to the health risk but also keep their jobs? Without such supports, will they ignore the app? What impacts will that have on their mental health? What impact will that have on our collective health? How will the false sense of security people may feel if they have the app impact their behaviour—will they feel safe to slip up on masks, hand washing and distancing because if there’s a problem, the app will tell them? We need a plan for the social wrap-around policies that must be in place, and we need it now.
Inserting an untested technology into a complex public health system for a scared population without a solid, accountable plan to deal with all of the predictable impacts on people, and trying to imagine the unpredictable ones, isn’t a recipe for economic recovery, it’s a recipe for social harm.
CCLA wrote a letter to the Prime Minister and all the other first ministers across the country in April, where we laid out recommendations for COVID-related data surveillance, which included not just the need for technical privacy protections, but a set of social wrap-around protections, including: the need for independent oversight, measures to ensure the app won’t introduce new forms of discrimination into health measures to address the pandemic, and a hard stop to data collection—with no secondary uses by police or anyone else—when the health emergency is past.
As more information about the roll-out of COVID Alert emerges, we’ll be advocating and watching closely to see whether these necessary measures are in place.
Brenda McPhail – Director, Privacy, Technology and Surveillance Project