The country’s leaders must do more to convince skeptical Canadians that the national COVID Alert app protects their privacy and is worth downloading, says a leading technology lawyer.
“Even the very best of apps — and we have a good one in Canada — won’t achieve the level of success we need unless there is a vigorous effort to make sure people are aware of it and as many as people as possible install it,” Michael Geist, Canada Research Chair in Internet and E-Commerce Law at the University of Ottawa, told an online panel discussion on COVID apps Sept. 25.
Many experts praise the app, he noted, but there is a broad trust problem involving the pandemic, including people who refuse to wear masks and say they won’t take a vaccine if and when it is released. There’s also a general lack of trust in institutions over privacy, he added.
That, Geist said, is in part due to “years of relatively ineffective privacy legislation” in Canada and the abuse of personal information by organizations. As a result, asking the public to distinguish between “horror stories” of data abuse and the urging of politicians to trust COVID Alert is hard. So, he said, they “sit on the sidelines.”
“That highlights why we need effective leaders to speak,” he said, noting how that includes showing the public the app is being audited and is functioning as promised, and passing laws showing there will be penalties if the app is misused.
“I don’t think we can ever provide someone with absolute assurance nothing will ever go wrong,” Geist acknowledged. “Stuff does go wrong. But what matters is you take steps upfront to try to address as many of the issues as possible, you properly educate and then you verify along the way with real mechanisms to address where there may be harms. I think we’ve fallen short at times on that last piece.
“It falls to government to do more than say, ‘Here’s a good app.'”
Geist was speaking on a panel looking at Canada’s experience with COVID apps. The panel was sponsored by the Canadian chapter of the Cloud Security Alliance, a technology industry group.
Other panelists included Ann Cavoukian, former Ontario privacy commissioner and currently executive director of the Global Privacy & Security by Design Centre; Dr. Khaled El Emam, professor at the University of Ottawa’s faculty of medicine and director of the eHealth Information Laboratory; John Weigelt, national technology officer at Microsoft Canada; and moderator Tim Grayson, CEO of Ottawa-based Institute-X Inc., a digital transformation consultancy.
The COVID Alert app has been in use in Ontario since July 31. Since then New Brunswick, Newfoundland and Saskatchewan have signed on.
Those four provinces have a combined population of about 17 million people. That would include those who don’t have smartphones such as children, the elderly and the poor.
According to Health Canada, the app has been downloaded 2.9 million times.
UPDATE: A Health Canada official said that as of September 27th, 514 people in Ontario who tested positive for COVID-19 have entered their one-time key into the app to notify others they should be tested for possible exposure to the virus. So far no one-time keys have been entered by users from the other onboarded provinces. “Due to the strong privacy and security protections inherent in the app,” the spokesperson said, it cannot provide the number of people who were notified through the app they may have been exposed.
Experts differ on how many people need to use a COVID app for it to be effective (aside from the fact that the apps in various countries are different and therefore hard to compare). Some say at least 40 per cent of the population has to use it, others say more.
As a blog from MIT noted, in any community there is a large group of people who don’t have a smartphone and therefore can’t use the app.
Manual contact tracing by health authorities has been going on for decades for a variety of infectious diseases. Contact tracing or exposure notification apps are aimed at helping manual contact tracing.
Briefly, the goal of a COVID mobile app is to wirelessly record in some way (a random digital number is common) apps on smartphones of people who have been near others for an extended period of time (15 minutes is common, or a combined 15 minutes over 24 hours). Depending on the app the random numbers get used in two ways:
- After a person tests positive for the virus either health authorities directly access and decrypt the random/encrypted numbers into the phone numbers of those who have been in contact with that person so they can be notified. The health authority, therefore, knows who is being notified and can follow up, which is why these kinds of apps are called contact tracing apps.
- The user enables the app to notify others without any government authority knowing. Then it’s up to those notified to decide to get tested. This second approach is called a decentralized app. Strictly speaking, adherents say, this type of app is decentralized, so it’s called an exposure notification app because health authorities never know the identities of app users. Ultimately contact tracing is done indirectly: Anyone notified by the app to get tested who then tests positive gets pulled into the manual contact tracing.
The Canada COVID Alert app is this second type, which uses a framework created by Apple and Google. It doesn’t collect personal information — in fact, one of the rules that developers of the app using the framework have to agree to is to not collect personal information.
It’s still too early to know which approach is more effective, Geist noted. The real issue, he argued, is convincing people to use whatever app is approved in their jurisdiction.
All of the panelists praised the Canadian app. Cavoukain said people are “shocked” at her endorsement. Weigelt noted Cavoukian’s vaunted Privacy By Design principles are embedded in the app’s design. Users have a choice of enabling their app to notify others if they test positive. Health Canada and Ontario should be applauded for their plain language on web sites explaining how the app works, he added.
The problem, Cavoukian said, is “there is such a trust deficit everywhere about giving personal information to anybody. People are very nervous about it. They don’t want to share [personal] information.” Grayson agreed. “I have run into people in the last few weeks who are abjectly ignorant about what this whole thing (app) is about and immediately assume they will be tracked in every possible way,” he said.
If authorities can enhance trust in the app more will download it, Cavoukian said. “I fear that is lacking here and that’s why we have to get out there and get the word out that this can be trusted.”
By contrast, she added, in Germany — where the government is known for its sensitivity to privacy — 6.5 million residents downloaded its COVID app within 24 hours of release.
Unfortunately, said Emam, a few “bad actors” around the world get headlines for abusing data collection and privacy. At the same time, few leaders talk about the benefits of organizations sharing data, particularly anonymized health data.
Geist agreed that privacy worriers have been monopolizing the conversation, and has the front-line experience to show for it. He was chair of Waterfront Toronto’s digital strategy advisory panel for Sidewalk Labs‘ proposed smart community by Google’s parent, Alphabet Inc. There was very little effort to discuss possible benefits that might occur from data collection and places where there could be real privacy risks.
Instead, critics “tarred the whole thing with a broad brush, [alleging] ‘we’ve got a big evil company engaged, and the government hasn’t created the framework necessary, so this represents a significant threat.”” As a result, he said, important issues weren’t discussed.
This spring Alphabet abandoned the project, citing the uncertain economic situation.