EDMONTON, Alberta, July 14, 2020 (LifeSiteNews) — The privacy commissioner of one of Canada’s largest provinces says the provincial government’s coronavirus smartphone contact tracing application does indeed run “a security risk” for users of Apple devices.
Alberta’s information and privacy commissioner, Jill Clayton, stated the findings in a 66-page report released last week. The report reviewed the province’s privacy impact assessment (PIA) submitted by Alberta Health (A.H.) and endorsed by Alberta Health Services (AHS) regarding the “ABTraceTogether” coronavirus tracing app, which was launched in May.
Clayton concluded that the free and voluntary app is fine for Android users but poses a potential security threat for those using Apple devices.
To function as designed on an Apple device, users’ phones must be unlocked with the app visible on their screens and running in the foreground.
“I have ongoing concerns related to the functionality of ABTraceTogether, particularly on Apple devices,” wrote Clayton.
“We recognize the challenges AH has faced in this regard, since the safeguards required to effectively run the app are out of its control. Nonetheless, given the need to run ABTraceTogether in the foreground on Apple devices, there is a security risk (e.g.when running the app, the device is unlocked, which increases risk in case of theft),” wrote Clayton.
In early April, the premier of Alberta, Jason Kenney, stated that quarantine orders would be strongly enforced with the help of contact tracing apps in the name of combating the coronavirus.
The AHS “ABTraceTogether” was the first coronavirus contact tracing application launched in Canada, and it has been downloaded thousands of times since its launch.
After its debut, concerns were raised regarding the app for Apple users. Since then, A.H. has said it has been working on fixing this issue.
Monday, Kenney suggested that the reason the app could not be fixed properly for Apple users was that the federal government had told Apple and Google not to work with Alberta or “other provincial governments, on improving the Trace Together app.”
In June, Prime Minister Justin Trudeau announced that a voluntary and free “Made in Canada” national coronavirus contact-tracing app would be available to Ontario residents starting in early July and would follow in other provinces later in the month.
However, this app, which was developed in a collaboration among the Ontario government, BlackBerry, and Shopify, as well as the federal agency the Canadian Digital Service, has been delayed with no date set for launch.
ABTraceTogether was created from open-source software called BlueTrace, which comes from Singapore. The app uses the Bluetooth signal from a person’s cell phone, or other devices with the app installed, to track whom its user has been in close contact with.
PETITION: No to mandatory contact tracing and government surveillance for the coronavirus! Sign the petition here.
It works by storing information from users of the app on each other’s phones if they have been in the proximity of one another (around two meters) for more than 15 minutes. Data is stored for 21 days.
In the report, Clayton wrote that while she is “not in a position to endorse a particular technology solution,” she wanted to “highlight certain features of the app” which includes the security risk on Apple devices.
Clayton wrote that A.H. and AHS “have a legal responsibility to safeguard personal and health information in their custody or control” and that they have indeed “taken steps to provide information to individuals about functioning of the app.”
“We have recommended that AH make information about potential privacy risks public, and update this information as necessary,” wrote Clayton.
Clayton also said the risk mitigation that A.H. and AHS has put in place for “employees in the public, health and private sectors who are issued devices by their employer or use their own devices for work purposes,” is not “sufficient.”
“The risks represent a potential contravention of Alberta’s privacy laws by regulated entities for failure to safeguard if they were to allow or encourage employees or affiliates to run the app on enterprise-issued devices that store or make other health or personal information accessible (e.g. email or cloud service portals),” wrote Clayton.
Despite the warnings, Clayton offered praise for A.H., saying it has done an “excellent job being mindful of privacy and security in the deployment of ABTraceTogether.”
“The app’s clear purpose, guided by principles of consent and individual control, is commendable,” wrote Clayton.
Other concerns raised regarding ABTraceTogether by the privacy commissioner
When looking at whether or not A.H. has the “Authority to Collect, Use and Disclose Health and Personal Information,” the Alberta privacy commissioner’s report concluded that A.H. does indeed have this legal ability.
“In our view, the PIA establishes that AH and AHS have legal authority to collect, use and disclose health and personal information in ABTraceTogether,” concludes the report.
As a result of this, the report recommends that the app’s description be reviewed.
“We recommend AH review the description of the app available from the Google Play Store and Apple App Store to ensure it accurately describes the app,” concludes the report.
Another recommendation from the report is that ASH work towards limiting the collection of Bluetooth digital “handshakes” which the app logs.
“We recommend that AH work towards limiting collection of “handshakes” through any means available to them, to be transparent to the public regarding potential over collection, and to update the PIA, as necessary, if changes are introduced.”
One area of the Alberta privacy commissioner’s report concerns the eventual “decommissioning” of the app once there is no more need for it.
The report notes that A.H. was asked how it plans to decommission the app once it is not needed, and how any “privacy and security risks,” which could occur if the app is not properly decommissioned would be addressed.
The report notes that A.H. responded by saying it did not have a “decommissioning” strategy in place when the app was launched, as its goal was for fast deployment, but the department has since promised to “dismantle” ABTraceTogether once the coronavirus crisis subsides.