Canada’s COVID Alert App: A Privacy Win
Health Canada’s COVID Alert App, a Canadian smartphone app released on July 31, 2020, is intended to warn users if they have been in close contact with a person who tests positive for COVID-19. Ultimately, the purpose of the app is to help reduce the spread of the virus. Remarkably, the app does not capture a user’s location or use GPS. The app works by producing random codes and using Bluetooth technology to exchange these codes whenever two users are within 2 metres of each other for a period of 15 minutes or more. So, if a user reports that she has tested positive for COVID-19, the app sends a notification to anyone who came close enough to her to receive the code within the last 14 days.
Privacy concerns should not stop you from downloading the app which is stacked with robust privacy protections. The Privacy Commissioner of Canada, Daniel Therrien, clarified his comfort with the app and its safeguards when he said: “Canadians can opt to use this technology knowing it includes very significant privacy protections. I will use it.”
On the same day the app was released, the Office of the Privacy Commissioner of Canada (OPC) published its privacy review of the app. The OPC conducted the review in collaboration with the Information and Privacy Commissioner of Ontario (IPC) and consulted the other provincial and territorial privacy commissioners.
The review ultimately supports the use of the app and highlights numerous privacy protective measures including:
Use of the app is completely voluntary.
The app does not collect or disclose any personal information and includes strong safeguards to protect user identities. It does not collect or disclose any information that directly identifies a user (including location data), and all data is protected by strong encryption and cryptographic hashing functions.
The app allows users to provide meaningful consent. During the sign-up process, users receive a Privacy Notice. Upon downloading the app, users receive a clear, simple overview of how it works.
The app limits the retention of information. For example, Temporary Exposure Keys are deleted on the device after 14 days and the app itself will be shut down within 30 days of the declaration that the pandemic is over.
The app will be reviewed on an ongoing basis as the OPC will be involved in auditing the app later this year with a re-evaluation of both its effectiveness, and its privacy and security safeguards.
From a privacy perspective, Canada’s COVID Alert app is very low risk and the public health benefits are hopefully significant. If you haven’t already, I would encourage you to download the app. It’s a simple way for each of us to do our part in managing this pandemic.