Sunset clauses are needed in government-approved COVID contact tracing apps and emergency powers to ensure they aren’t turned into permanent public surveillance, says Ontario’s former privacy commissioner.
“What I want to make sure is here in Canada … we do not have these tools of surveillance that continue long after this pandemic ends,” Ann Cavoukian said Thursday during an Identity North online panel on privacy.
Under a sunset clause or law, a contract tracing app would expire and be removed from app stores, and all government-held data that had been collected would be destroyed.
“We can do this,” she said of tracing apps. “But there have to be clear, strong sunset clauses associated with all the emergency powers that are being exercised by governments.”
Whenever there’s a crisis, governments step up public surveillance, Cavoukian said. But when the crisis ends, often surveillance continues. One of the latest examples was the 9/11 attack in the U.S., she said, which led to the U.S. Patriot Act allowing warrantless surveillance under certain circumstances, which, Cavoukain added, was recently renewed.
Coincidentally, Cavoukian made her comments shortly after Ontario announced it will start testing an exposure notification app on July 2. That app doesn’t store data in a central database or upload data to a government body.
During the current discussion here on COVID tracing apps Cavoukian said it broke her heart to hear a member of Parliament — who she didn’t identify — say privacy is a secondary concern compared to saving lives and tracking the spread of the virus. “No,” she said. “Privacy forms the foundation of our freedom. Privacy capabilities need to be built into tracing apps.”
She again repeated her approval of the Apple/Google framework for building exposure notification apps, a model that doesn’t upload data to a centralized server that can be accessed by health authorities or governments. The Ontario app — which the federal government is encouraging other provinces to adopt — uses the Apple/Google framework.
Cavoukian is now executive director of the Global Privacy and Security By Design Centre. Ironically, panellist George Tomko, the centre’s technical director, disagrees with her on the need for sunset clauses on technology.
“I’m not in favour of sunset clauses — this is a debate Ann, and I constantly have — because you have a technology or policy that is not quite right. So you want to sunset it because it might do damage. I’d rather be innovative and work on the technology so we don’t need sunset clauses.”
For example, he said, some worry that increasing anonymity [through encryption] on the internet will be used by child predators and criminals. The answer is to find ways to not infringe on people’s freedoms because of a minority of bad people. “Work with the police, not politicians,” he explained, adding “they know what they need” for prosecutions. “It’s not easy stuff but it’s so important for our freedoms that we do this.”
“I’m a realist, having been a privacy commissioner,” responded Cavoukian. “Governments will go to great lengths to try to control data. And the reason I want a sunset clause in this situation on COVID-19 pandemic is because they have relied on emergency powers and privacy laws to enable them to collect far more information than they would be allowed to do. So even though innovation is brilliant and I would love it to work, the government is taking advantage of emergency powers now. And if we don’t have sunset clauses and firm dates as to when it can no longer exercise those emergency powers, this is going to continue. I will not allow that to happen.”
Panel host and futurist Jess Hirsh noted many epidemiologists oppose tracing apps and prefer health authorities stick to manual contact tracing.
The other panellist, Alex Laws, chief technology officer of Identos, a Toronto-based mobile identity and access management provider, complained about the long, complicated and one-sided terms of service policies internet users have to agree to for service and applications. “There’s a huge power imbalance between companies who set the terms [and users],” he said. “I have no real ability to know what’s going to happen when I make an agreement with a company, what’s going to happen with my data downstream.”
Everyone has some catching up to do in order for companies and consumers to win, he added.
“You see so many terms of service that say ‘this may change at any time’ … We really need to have [government] policy and technology to catch up to where technology is leading us.”