IT World Canada

Alberta privacy commissioner finds security concerns with province’s COVID app

The Android version of Alberta's contact tracking app ready for download

There are security risks for users of the Apple version of Alberta’s COVID-19 contact tracing app because — unlike the Android version — it always has to be on, says the province’s information and privacy commissioner.

“Despite the positive aspects [of the app], I have ongoing concerns related to the functionality of ABTraceTogether on Apple devices,” Clayton said in her privacy impact assessment of the app, adding the app is based on code developed by Singapore. “We recognize the challenges Alberta Health has faced in this regard since the safeguards required are out of its control.

“Nonetheless, given the need to run ABTraceTogether in the foreground on Apple devices, there is a security risk. Running the app on Apple devices requires a device to remain unlocked, which significantly increases risk in case of theft or loss.”

That risk increases for employers in the public, health and private sectors that have obligations to reasonably safeguard health or personal information under Alberta’s three privacy laws – the Freedom of Information and Protection of Privacy Act, the Health Information Act and Personal Information Protection Act.

Overall the assessment acknowledges that Alberta Health has taken reasonable steps to protect privacy and the use of the app can continue. The report’s recommendations, which have been accepted by the province, include clarifying inconsistencies found between documentation provided during the review and what is made available publicly. Clayton also recommended Alberta Health continue to report publicly on the use and effectiveness of ABTraceTogether, and on its plans to dismantle the app when the time comes.

However, the report notes that acceptance by the province of the assessment is not a waiver or relaxation from legislated requirements.

The province asked Clayton’s office to start on a privacy impact assessment only days before the May 1st public release of the app, which is why the assessment was only released last week.

Like many COVID-19 apps, ABTraceTogether uses Bluetooth to detect when users are close together for a prolonged period of time — in this case a total of 15 minutes over 24 hours. The application’s server creates a random and encrypted user ID that links to a device’s mobile number. This user ID and phone number pairing are stored centrally by Alberta Health in the ABTraceTogether portal. This approach, used by other apps around the world, is called the centralized model, and differs from the model endorsed by the federal government (see below).

When devices with the app are within two metres of each other, the phones exchange Bluetooth logs, or “handshakes.” That data is held on each device for up to 21 days. If a person tests positive for COVID-19, the user makes the app send a code via SMS to Alberta Health consenting to the uploading of the logs with a one-time passcode. The logs are transmitted in an encrypted format to Alberta Health, which then decrypts them to reveal the contacts’ phone numbers. Alberta Health contact tracers then call each person to advise them they may have been in contact with a person who tested positive and suggest further action.
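The centralized flow described above, sketched as an added example (not ABTraceTogether's code): the class, function names, log tuple format and phone numbers are hypothetical. Encryption of the IDs and of the upload is left out, and the 15-minute threshold is assumed to apply over a sliding 24-hour window.

```python
import secrets
from collections import defaultdict

EXPOSURE_MIN = 15             # page: 15 minutes in total ...
WINDOW_MIN = 24 * 60          # ... over 24 hours (assumed: sliding window)
RETENTION_MIN = 21 * 24 * 60  # page: handshakes kept on a device up to 21 days

def exposed_peers(log, now):
    """log: (peer_id, start_minute, duration_minutes); returns IDs over threshold."""
    by_peer = defaultdict(list)
    for peer_id, start, minutes in log:
        if start >= now - RETENTION_MIN:        # expired handshakes are ignored
            by_peer[peer_id].append((start, minutes))
    hits = set()
    for peer_id, seen in by_peer.items():
        seen.sort()
        left = total = 0
        for start, minutes in seen:
            total += minutes
            while start - seen[left][0] >= WINDOW_MIN:  # slide the 24-hour window
                total -= seen[left][1]
                left += 1
            if total >= EXPOSURE_MIN:
                hits.add(peer_id)
                break
    return hits

class CentralRegistry:
    """Hypothetical stand-in for the portal holding user ID / phone number pairs."""
    def __init__(self):
        self._phones = {}
    def register(self, phone):
        user_id = secrets.token_hex(16)         # random ID, opaque to other devices
        self._phones[user_id] = phone
        return user_id
    def contacts_to_call(self, uploaded_log, now):
        # The privacy-relevant step: only the central server can map IDs to people.
        peers = exposed_peers(uploaded_log, now)
        return sorted(self._phones[p] for p in peers if p in self._phones)

def demo():
    server = CentralRegistry()
    bob, carol, dave = (server.register(f"+1-555-010{i}") for i in (1, 2, 3))  # constructed
    now = 30 * 24 * 60
    log = [(bob, now - 600, 10), (bob, now - 200, 6),      # 16 min within 24 h
           (carol, now - 3000, 8), (carol, now - 100, 8),  # 16 min, but two days apart
           (dave, now - 25 * 24 * 60, 40)]                 # older than 21 days
    return server.contacts_to_call(log, now)

if __name__ == "__main__":
    print(demo())
```

Only the first contact crosses the threshold, and the registry is the only party able to turn that ID into a phone number, which is what makes the model centralized.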

This centralized model differs from apps using the Apple/Google framework. These have a decentralized model in which no data is held by a central server, and the apps do not collect location data. As a result, they are often called “exposure notification” apps, rather than contact tracing apps. If a user tests positive they are expected to trigger the app to automatically send a notice to other exposure notification apps and it will be up to those people to decide if they should seek medical advice. [Note: under any model, the number of days an app holds its list of devices it has shaken hands with can vary. Most apps have a minimum of 14 days.]

The federal government has endorsed an app on the Apple/Google framework which has been built by the Canadian Digital Service and Ontario. Ottawa hopes all provinces will adopt it. Ontario says it’s ready to release the app for public beta testing, but Premier Doug Ford has said Ottawa is holding the release back until more provinces sign on.

According to Sunday’s Calgary Herald, about 223,000 people in Alberta — which has a population of 4.4 million — have downloaded the app. The story quotes Alberta Health saying it’s hard to determine how many infections the app has detected.

Few voluntarily adopted contact tracing apps have achieved even a 50 per cent penetration rate, perhaps partly because some privacy experts have doubts about their safety and effectiveness. One Canadian survey in May found two-thirds of respondents said they wouldn’t download such an app, calling it still “too invasive.”

Over the weekend an Australian TV station quoted a politician declaring its centralized app, called COVIDSafe, a $2 million failure because the app apparently isn’t helping manual contact tracers.

The U.K. government has abandoned its centralized app for one designed around the Apple-Google framework after a dismal beta test in the Isle of Wight. Work on the new app started in May. The government has given no indication when it will be released.

The Alberta commissioner’s concern about the privacy of the Apple version of ABTraceTogether mirrors worries by privacy experts about this version of a contact tracing app because it has to always be in the foreground. The Calgary Herald quotes an Alberta Health spokesperson saying the province continues to work with Apple and Google to improve the app.

Meanwhile, the CEO of a U.K. mobile data recovery firm says apps using the Apple/Google framework may take a while to get widespread acceptance because devices need to be running the recently released iOS 13.5.
