Site icon IT World Canada

Privacy expert says flawed Alberta COVID-19 contact tracking app shouldn’t have been released

The Android version of Alberta's contact tracking app ready for download

Alberta’s new COVID-19 mobile tracking app ABTraceTogether is so flawed it shouldn’t have been introduced, says a privacy expert from Alberta.

“There is nothing in any of this as to how long the app will be around, how long any information collected from it will be used or by whom in the world, except the [Alberta] Health Information Act allows it to be used for research anywhere,” said Sharon Polsky, president of the Privacy and Access Council of Canada and CEO of Calgary-based Amina Corp., which advised organizations on privacy and data protection strategy.

ABTraceTogether was released on Friday as the province starts to slowly allow private and public sector organizations to resume offering some services. For example, today health-care providers including dentists, physiotherapists, speech-language pathologists, respiratory therapists, audiologists, social workers, occupational therapists, dietitians can resume business as long as they follow distancing guidelines.

The Android version of the app needs access to the device’s location data, she said, but the app itself doesn’t collect location data. “Well, if it doesn’t need location information why are you being compelled to provide consent?

“The consent is fairly broadly worded,” she added. “The liability section of the Alberta government waives all responsibility, whether something happens to your device or as a result of sharing information… they wash their hands. They absolve themselves of any liability.”

Above all, she said, it would have been wiser for the government to hold off until Alberta privacy commissioner Jill Clayton has publicly released her analysis of the provincial privacy impact assessment of the app. Clayton’s office issued a statement saying some elements of the app are positive, including ensuring this app is voluntary, collects minimal information, uses decentralized storage of de-identified Bluetooth contact logs, and allows individuals to control their use of the app. However, she has asked the province for more information.

According to the Calgary Herald, Alberta Health says a summary of the commissioner’s analysis of the impact assessment will be made available online once it has been accepted. UPDATE: In a statement this morning an Alberta Health spokesperson said the department has briefed the privacy commissioner and submitted a privacy impact statement. “We are confident in the technology and the measures we have taken to protect Albertan’s privacy in the development of the app.”

Polsky isn’t convinced. “It undermines the trust people have in their governments. Get it right. Launch it with the Good Housekeeping Seal of Approval” (from the privacy commissioner). Don’t do it after the fact.”

[Breaking – May 4, 11:00 am EST]: This morning the Public Interest Advocacy Centre asked the Canadian Radio-Television Commission (CRTC) to regulate pandemic contact-tracing apps and network services that may be offered for Canadians to download to their smartphones.

In a statement, centre executive director John Lawson said it is “seeking oversight, clarity and transparency from the CRTC so that Canadians know what role their mobile wireless service providers and home internet providers may play in COVID-19 tracking and that they appropriately safeguard privacy while not in any way impeding appropriate public health measures.”

The CRTC should remind telecom service providers that they have to follow the privacy requirements of the Telecommunications Act, says the application. The commission should also forbid providers from using any existing consumer consent to location track mobile devices or to provide databases previously gleaned from these programs to any private or government entities to build, improve or test COVID-19 tracing tools without new, explicit, prior individual consent for this new use or disclosure.

“PIAC believes the Commission’s oversight role is crucial and that absent leadership and dedication to the rule of law, that there is a risk of corporate and governmental intrusion via Canadians’ essential communications,” the application says.

Other provinces and the federal government are evaluating contact tracing apps. Meanwhile, Google and Apple are expected to shortly release an API so developers can build contact tracing apps that easily exchange encrypted contact data between Android and iOS devices. At the same time a group of tech companies from around the world have formed the TCN Coalition to create a standard other countries can adopt so apps will be globally compatible.

UPDATE: This afternoon Ontario Premier Doug Ford said that at a conference call with other premiers, territorial leaders and the federal government he will call for a national plan for contact tracing apps.

Related:

 

Experts say trust is key to the widespread adoption of a contact tracing app. Some estimate at least half of a population needs to have an app if it’s to be useful.

According to Google Play, the Android version of ABTraceTogether has been downloaded more than 10,000 times as of this morning. One reviewer complained it worked with his Samsung Galaxy S8 but not his mother’s S6.

Alberta app splash page on Google Play

The app, which needs Bluetooth to be left on all the time, was built by Deloitte Canada using the open-source code developed for Singapore’s contact tracing app. IBM Canada provides the infrastructure.

Briefly, the voluntary app is aimed at helping Alberta Health Services alert people who might have been exposed to a person who tests positive for the coronavirus. After downloading the mobile app an application server generates a series of random, encrypted numbers called temporary IDs, which are then periodically downloaded to the mobile app. CORRECTION: The original story wrongly said the app generates the temporary IDs. 

A mobile device’s Bluetooth captures a number if the device is within two metres of another device for at least 15 minutes over a 24-hour period. That creates a list of encrypted numbers on each device over the previous 21 days. If a user tests positive for COVID-19 they will be asked to voluntarily upload their device’s list of contact temporary IDs to Alberta Health Services, which will call those on the list for contact tracing. That allows the agency to advise them on what to do, including being tested for possible exposure to coronavirus.

Although the adoption of the app is voluntary and users don’t have to give their names or addresses, they have to give their mobile phone numbers. Users can at any time revoke the app; the government then has to delete the users’ mobile phone number and user ID.

According to an Alberta information page once contact tracing for the COVID-19 pandemic ceases users will be prompted to disable the app. UPDATE: A spokesperson for Alberta Health said in an email that there is currently no schedule for how long the app will operate. It is expected to be used until a vaccine is available to the general population.

AHS already employs tracers who try to find and notify people who have been in contact with victims of infectious diseases, the province emphasizes. The app, it says, is aimed at increasing the speed, accuracy and effectiveness of contact tracing.

Neither the Android nor the iOS versions collect geolocation data. But on installation, the Android version asks for permission to access location data. The government FAQ page says this is because Android/Google requires apps requesting access to Bluetooth also obtain location permission.

However, to Polsky this means that while AHS doesn’t know users’ locations, Google does.

Also, the iOS version of the app has to run in the foreground, meaning it runs all the time. In fact, the app automatically disables the numeric or fingerprint screen lock has to be disabled, which is a security risk if it’s lost. Users who open another app — including using the phone — have to make sure the other app is closed when finished so ABTraceTogether is in the foreground. To save battery power, iOS users can enable Power Saver mode. On Android devices, the app runs in the background.

The government says the app “doesn’t identify where COVID-19 exposure may have occurred. It only seeks to establish who else might have been exposed to the virus.”

Alberta Health will also be able to look at data to determine the total number of users, distribution of user registrations over time, total number of contacts by user, average contacts per user, distribution of contacts across users, total unique contacts, total number of contacts that have been contacted by a health care worker and average duration of exposure with contacts.

“To provide a better experience to application users” the app also collects device information (such as brand, category, model, OS version), as well as application information (application store, application version, country, language, time since installation).

None of this data is identifiable to a specific person or location, according to the government, and it’s always stored separately from any personal information used for contact tracing, such as phone numbers.

Kris Klein, managing director of the Canadian branch of the Information Association of Privacy Professionals (IAPP) and partner of the Ottawa privacy consultancy nNovation, said in an email that the Alberta app “seems to be well designed from a privacy perspective and the Alberta government has done a good job being transparent. For example, they are clear that the app will not collect geolocation data. At this point, it is a matter of trust. Do the people of Alberta have sufficient trust in their government (and the creator of the app) that the personal information their phones are going to collect and disclose is going to be protected?”

Polsky was one of several people invited by the province to a closed-door briefing on the Alberta app, and has read technical papers about it. There are still unanswered questions, she maintains. For example, while a provincial official said police do not have the power to require Alberta residents to show the app is running, Polsky notes the Alberta Health Information act allows a health data custodian — such as AHS — to disclose information to police for the enforcement of any federal or provincial law relating to health and safety.

Polsky admits she’s skeptical in general about the use of apps to help contact tracing. “Without adequate, reliable, robust testing of the majority of the population [for the virus] what purpose is there for me to be told I was close to you and you tested positive when I was close to 15 other people today who never tested and are positive?”

“It’s the biggest window dressing,” she says of contact tracing apps.

Exit mobile version