When the prime minister, premiers and territorial leaders hold an online meeting later this week the agenda will include pressure by Ontario Premier Doug Ford for a national plan for contact tracing, which could include the use of contact tracing mobile apps.
A national strategy for contact tracing apps is a good idea, says former Ontario privacy commissioner Ann Cavoukian, executive director of the Privacy & Security by Design Centre, and Teresa Scassa, who holds the Canada Research Chair in Information Law and Policy at the University of Ottawa. They were commenting after Ford on Monday told reporters a national plan is “critical.”
According to a federal source who asked not to be identified, the three levels of government have been looking for some time at about a dozen proposed apps.
“We want to find solutions that meet the distinct needs of the provinces,” they said, “but do so in a shared way. That could require operability across approaches for consistency and not [having] fragmented data.”
The source couldn’t say how close the three levels of government are to deciding on approved apps. It “depends on how quickly we’re able to address privacy protections and safeguards,” the source said. That’s Ottawa’s “number one focus.”
Jurisdictions are already starting to go their own way. Last week Alberta released its tracking app, called ABTraceTogether. According to Cavoukian, New Brunswick has decided its app will be built around an emerging standard set by Google and Apple. Meanwhile, Scassa said, news reports suggest the city of Ottawa is about to approve an app for those who live in the municipality.
That doesn’t mean these and other apps authorized by provinces and territories will be incompatible. But, Scassa said, there has to be some technological and privacy interoperability. “Think about Ottawa, where you have the city, the province and Quebec [adjoining]. If Ottawa adopts one app, the province of Ontario adopts a different app and Quebec adopts its own app and people are moving across the borders every day and they’re not interoperable, they’re not collecting complete or reliable data about contacts.”
Because provinces and territories have the constitutional responsibility to deliver health care, can the federal government get all sides to agree on at least minimum standards? Scassa admits the prime minister doesn’t have a lot of leverage. However, she adds the federal government can play a useful coordination role.
The provinces and territories will have to keep in mind broad privacy guidance issued last week by federal privacy commissioner Daniel Therrien on privacy obligations for any coronavirus initiatives. No matter whether a jurisdiction falls under federal or provincial privacy law, he reminded the country, privacy legislation isn’t suspended because of the pandemic.
Contact tracing apps are considered an important part of allowing relaxation of rules making people stay at home. Apps are considered a supplement to the manual contact tracing that’s been done for decades by health authorities for infectious diseases.
Briefly, because most people have smartphones mobile apps can be used to detect persons who are too close to each other. What the app detects is a randomly-encrypted number for privacy. Depending on the solution, that number may be linked to the device’s phone number and later used by a health authority for contact tracing.
Decentralized vs centralized solutions
Most solutions suggest leveraging the short-range Bluetooth wireless technology with either:
- The app generating random, encrypted ID numbers (the Google/Apple decentralized approach), which Cavoukian enthusiastically endorses
- Or a central server controlled by the app developer or health authority generating numbers and regularly downloading them to the app (the Alberta/Singapore/Australia/U.K. approach).
Some cybersecurity and privacy experts believe a decentralized app is more secure from attack. According to news reports, European countries had been leaning towards centralized solutions, but decentralized solutions are gaining more support.
However, Scassa notes the decentralized approach means no data is shared with a government body (see below) for contact tracing. That also means governments have less data for understanding where there may be outbreaks of the virus and how it spreads.
Venture too close to someone for a set period of time and each phone with the approved app captures one of those random IDs. (Alberta’s app standard is 15 minutes proximity to a person within two metres over 24 hours. That could be one long 15-minute encounter, or three five-minute meetings.). The app holds a list of encrypted IDs for a set number of days (Alberta’s app holds 21 days worth), adding a new day and dropping the oldest as time goes on.
If a person tests positive for COVID-19, they agree to tell the local health authority. What happens next can vary:
- A decentralized app has the user press a button that notifies those on the most recent list on the device that someone near to them in the previous X days tested positive, and they should seek medical advice. However, the people who do contact tracing for the health authority wouldn’t know whether those people are ever tested.
- A centralized app, like Alberta’s, sees the infected user upload their encrypted list of ID numbers to the provincial health authority, which has the ability to decrypt the random IDs and their attached phone numbers. Then it can notify and follow up with possibly infected contacts, without telling them who the person was that tested positive.
Canadian privacy experts agree apps shouldn’t collect any personal or location data. But some proposed apps allow users the ability to enter their symptoms as a way of individually keeping track of their health.
There’s also a controversial third proposed approach, from Montreal’s Mila Institute. Its app would use artificial intelligence to predict which people are at risk based on their contact and medical history users enter into the app.
Other important questions:
- Who holds the uploaded data? One Toronto app developer called Facedrive, whose COVID app is called TraceScan, has proposed it hold the user phone numbers and uploaded random IDs for matching, although health authorities could also hold data. Other apps have the data only going to health authorities. It is assumed in Canada adoption of the app will be voluntary (and users can decide to delete the app). As a condition to download and install an app a user has to register their mobile phone number, which then gets linked to any random IDs the app collects.
- How long will data be held? Until a declared state of emergency ends? Or, as Alberta suggests until a COVID-19 vaccine is perfected?
- What will provincial governments do with the data apps generate? One goal may be to help understand how the virus spreads. But will data be used to allow some people to go back to work and not others?
- When apps are approved will the public get to see provincial privacy impact assessments (PIA) before they are deployed? Scassa notes that Alberta released its app with a promise to soon publish its PIA.
- What about people who don’t have smartphones? Facedrive proposes creating low-cost wearable devices that can use its app.
- Can hackers deploy Bluetooth beacons in an area to capture and decrypt random IDs to follow people with the app?
The app issue was sparked Monday when during his daily press conference Ford mentioned that earlier in the day he talked about a national standard with Deputy Prime Minister Chrystia Freeland. “I’m going to follow up with the premiers,” he added. “We need a national plan for contact tracing. Right now each individual province is doing it, but we need a national plan … It’s absolutely critical,” for many reasons, Ford added, including helping COVID-19 research.
Asked for comment a spokesperson for Freeland said the deputy prime minister and the Ontario premier discussed “the need for a truly national approach when it comes to testing and contact tracing. We appreciate our close collaboration with Ontario, and all the provinces and territories, as we tackle COVID-19 together.”