Canada can set the standard on contact tracing apps
Handwashing, mask-wearing, physical distancing — these are the everyday practices recommended by public health authorities that most of us have come to accept as we try to contain the spread of COVID-19. Soon another recommendation may be issued: download a smartphone app that will monitor every interaction you have and warn you if you’ve come into contact with someone who’s COVID-19-positive.
The commonly cited rationale behind contact tracing apps is that they increase the effectiveness of manual contact tracing conducted by public health staff. The apps overcome key problems with manual contact tracing — they do not rely on an infected person’s memory about who they’ve had contact with, and they can identify contacts that the infected person doesn’t know personally (the next customer in line at the store, for instance, or in the next seat on the bus).
But these contact tracing apps are being developed and deployed very quickly, and this has raised concerns that security and privacy risks will be overlooked in this rush. For example, there are concerns that this technology could become the “new normal,” leading to increased state surveillance, with the vulnerable and marginalized being most impacted.
Minneapolis police, for instance, claimed to use contact tracing on those demonstrating against police brutality and anti-Black racism, though the department later issued a statement that officials had misspoke and that no such technologies are used. In Ontario, personal information of COVID-19 positive cases has already been shared with police.
Concerns that sensitive information collected by a contact tracing app will be used for purposes unrelated to stopping the spread of COVID-19 — law enforcement, in particular — are real and not speculative. Such use of contact tracing apps would be an affront to Canadians’ civil liberties, would seriously undermine public trust in these apps, and would limit their adoption by a suspicious public.
Other important questions are being asked about the effectiveness of these technologies. Not everyone owns a smartphone, and smartphone ownership is lowest among those most vulnerable to the disease, including seniors and low-income individuals. As well, mobile device signals used to record interactions can be interrupted by users’ environments. Given these challenges, there are serious questions about whether the apps will produce meaningful contact results or be overloaded with false notifications.
We are living in a data-driven society.
Technology is often enthusiastically accepted to solve problems, and though technological solutions sometimes provide benefits, they also fail. Contact tracing apps are largely unproven and untested, and some jurisdictions are already claiming the technologies are unhelpful and even harmful.
While Canadian governments have insisted that contact tracing apps will be voluntary, they haven’t announced laws to prevent third parties (employers, for instance) from making the apps mandatory in order to access services, goods, employment or accommodation. Other jurisdictions have introduced such laws.
Opinion research conducted by the Cybersecure Policy Exchange in mid-May showed a majority of Canadians would support making apps mandatory in employment settings or to access public transit. These results suggest that the public may not fully understand the implications of such technologies. Canadians may be ready to accept some sacrifices, including to their own privacy, in order to speed the return to “normal.”
But privacy can be balanced with public health, and Canadians should not have to sacrifice one for the other. Should governments proceed to adopt contact tracing apps, they need to ensure that the highest privacy and security standards are met. Clear guidelines must be established by experts and regulators, and these guidelines must be followed.
Recently, a group of researchers from 32 Canadian universities, and supported by the National Cybersecurity Consortium, issued a series of recommendations on the safe development and deployment of contact tracing apps. These recommendations should be followed.
Using Bluetooth technology and keeping anonymous contact data on individual devices that is periodically deleted, rather than using location data or uploading data to a centralized server, would minimize — though not eliminate — privacy and security risks.
In addition, governments need to build trust in these apps through transparent procurement, independent review, enforcement of their voluntary use, ongoing oversight and the establishment of a clear sunset clause for their use. Our assessment of apps that have already been deployed in other jurisdictions shows that none currently meet these standards.
We in Canada can set the standard for privacy, security and trust in the development and deployment of contact tracing apps. We must ensure that the harms don’t outweigh the benefits.
Joe Masoodi is a policy analyst with the Ryerson Leadership Lab and Charles Finlay is executive director of the Rogers Cybersecure Catalyst at Ryerson University.