COVID Alert app could result in some people being ID'd
Identification 'highly improbable' but not impossible, office of privacy commissioner says
The federal government's new COVID Alert app doesn't offer 100 per cent privacy and could allow some who test positive for the coronavirus to be identified, particularly those who live in small communities or who don't interact with many people.
When the government unveiled the app on Friday, it stressed that users' privacy is protected because it "has no way of knowing your location, your name or address," among other details.
Those who download the app and later test positive enter a special code to notify people who have been near them for at least 15 minutes sometime over the previous two weeks. The notification doesn't identify who tested positive and maintains their privacy, the government said.
The government employees who developed it say in a blog post that they wanted to describe the app's handling of information as "anonymous."
But Privacy Commissioner Daniel Therrien's office disagreed.
"'Anonymous' implies that there is no risk whatsoever that a person could be identified," they wrote. "However, and although we all agreed that while there's a very, very low risk that someone could be re-identified through the app, it isn't necessarily zero.
"Someone living in a remote area and only interacting with one or two other people could theoretically be identified by their neighbours if they received exposure notification alerts, for example."
Vito Pilieci, spokesman for Therrien, confirms that the privacy commissioner's office had concerns about the claims the government wanted to make.
"True anonymity, technically speaking, would require the complete and permanent impossibility of reversing the data processes at play, which could reveal sources of personal information and so re-identify individuals," he said.
"Our understanding of the situation is that while the identification of users would be highly improbable, it would not be impossible."
The government changed its claims and Therrien endorsed the app.
In its more detailed privacy review released last week, Therrien's office also warns that while use of the app is voluntary, some companies may try to force employees or clients to use it.
The report notes that some countries have made it against the law to force people to use a contact tracing or notification app.
The report says it is "another failing of our current laws" that this isn't possible in Canada.
Canada hasn't updated its privacy laws in decades.
Therrien's office also warned that some "commercial entities" will be able to determine who has downloaded and used the app.
"These entities should not be permitted to monitor their customers' use of the COVID Alert app."
While the app has "exceptionally strong encryption and cryptographic hashing functions," the system retains users' IP addresses, which the privacy commissioner's office said "may be shared with law enforcement to facilitate an investigation."
The report also questions how Ottawa plans to make the app available to those who receive health care from the federal government such as First Nations people living on reserves, Inuit, serving members of the military, eligible veterans and some refugee claimants.
"The Government of Canada has not yet determined how to onboard these groups," it wrote.
"Further, Health Canada has identified vulnerable populations including seniors, marginalized individuals, people without cell coverage, and First Nations, Inuit and Métis, who may benefit from targeted outreach strategies."
On the whole, however, the questions about the app have to be weighed against its potential to fight COVID-19, said Therrien's office.
"While exposure notification apps are new and untested, we believe that in context, the governments of Canada and Ontario have sufficiently demonstrated that COVID Alert is likely to be effective in reducing the spread of the virus, as part of a larger set of measures and subject to close monitoring for effectiveness once the app is in use."
Elizabeth Thompson can be reached at email@example.com