Cybersecurity experts raise concerns over contact tracing apps and privacy
Smartphone applications meant to assist in the COVID-19 contact tracing process must face a review to ensure they respect Canadians’ privacy, a group of nearly 100 Canadian cybersecurity experts said in a joint statement Friday.
According to Ken Barker, a director of the National Cybersecurity Consortium (NCC) at the University of Calgary, all Canadian contact tracing apps that academics in the group have reviewed have failed to prove they meet privacy standards.
“None of the apps have convinced us that they were actually privacy conserving, and in fact many of them have purposes that went beyond contact tracing,” Barker said. “None of them had any real plans about how they would go about managing and looking after the data that they had been collecting as a result of letting people download and use the app.”
Barker said the privacy shortcomings may be the result of a lack of understanding of best practices by developers. In its statement, the NCC detailed 10 principles that all contact tracing apps, including Alberta’s Abtracetogether app, should follow in order to adhere to privacy standards.
But Barker said there are two points that are the most important. First, the app has to work, successfully logging potential COVID-19 transmissions without putting excessive strain on the phone’s batteries or storage space. As well, the app should have no other purposes.
“If it can do or does do anything else, then you have a potential issue,” he said. “We know we could potentially be trying to trace hundreds of thousands of potential contacts. We’re looking for a mechanism that would allow us to do that in a safe way, but in exactly the same way that confidentiality is protected in a human (contact tracing) system.”
The Abtracetogether app is currently under review by Alberta’s Office of the Information and Privacy Commissioner (OIPC).
According to OIPC spokesperson Scott Sibbald, the review is ongoing and the privacy commissioner is awaiting responses from Alberta Health to some outstanding privacy questions, particularly on whether data will be used for any purposes other than contact tracing and whether the province would release a copy of the app’s privacy impact assessment.
“There are positive components of this app. The commissioner appreciates that Abtracetogether is a tool to supplement the important contact-tracing work being done by Alberta’s public health officials during the pandemic,” Sibbald said. “The commissioner appreciates the cross-disciplinary attention that technological approaches to contact tracing has received.”
Barker said that it’s important to note that the privacy commissioner’s office likely will not endorse the Abtracetogether app but will instead offer advice on the privacy implications of the app.
In a statement, Alberta Health spokesman Tom Mcmillan said source code for Abtracetogether is publicly available online and that the province welcomes the OIPC assessment of the app.
“The AB Tracetogether application is designed to ensure the protection of Albertans’ privacy,” Mcmillan said. “Data is stored on the user’s phone in encrypted form for only 21 days and will not be accessed unless you test positive for COVID -19 and provide consent to (Alberta Health Services).”
In his daily news conference Friday, Prime Minister Justin Trudeau said Canada is working with Google and Apple on a mobile contact tracing app to help with contact tracing.
As of Friday, about 186,000 Albertans had downloaded the app.
None of the apps have convinced us that they were actually privacy conserving... many of them have purposes that went beyond contact tracing.