Teresa Scassa - Blog

 

Early in the COVID-19 pandemic, as discussions swirled around the adoption of exposure notification or contact-tracing apps (CT/EN apps), Jason Millar, Kelly Bronson and I, and our outstanding students, Tommy Friedlich and Ryan Mosoff, began to explore the privacy and socio-ethical implications related to the creation, adoption and deployment of these apps. As part of this research we gathered data about contact-tracing apps around the world. This week we are launching a website – Global Pandemic App Watch (GPAW) – that uses some of the data we have gathered to provide a global look at the state of adoption of CT/EN apps. The website hosts three main maps; each focuses on different issues. There is also a series of country pages providing additional information about CT/EN apps adopted in different countries. GPAW is a work in progress. Gaining access to meaningful data on use and adoption of apps has been difficult, in part because in many jurisdictions good data is not being collected or, if collected, is not shared. Language has been a barrier to obtaining information in some cases. This is also a rapidly evolving area so that it is possible to miss or be behind with respect to new developments. Our focus is on apps, and not on more complex multi-technology disease and human surveillance strategies; these latter are not represented on the map. However, we believe that GPAW offers an interesting perspective on CT/EN apps.

One issue facing governments that adopt contact tracing or exposure notification apps is what underlying technology to use. Singapore’s early TraceTogether app offered a centralized model that proved interesting to other governments. Australia has been its most notable adopter. The province of Alberta in Canada adopted an app based on TraceTogether, although its future is now in doubt. Other countries considered the development of their own apps, exploring options – usually with local developers – that would integrate in different ways with public health agency needs. Some of these countries have proceeded with their own apps (e.g. France). Others faced public pressure and backed away from apps that might collect and store data centrally (e.g. Germany). The Google-Apple Exposure Notification (GAEN) API, which evolved in this period, offered a model of decentralized data storage that was touted as more privacy-friendly. GAEN (and particularly the more recent Exposure Notification Express) also streamlines the app development process making it easier to adopt. Nevertheless, because of the fully decentralized model, it is more difficult to integrate GAEN with broader goals or data needs of public health authorities.

Although the GAEN garnered considerable attention, a glance at our first map shows that its adoption is far from universal. Many other countries have chosen different options. We are interested in this diversity of apps. As noted above, there may be reasons to choose a more centralized model in order to better integrate a CT/EN app with public health agency activities. We suspect that there is also interest in many jurisdictions in using a CT/EN app as a vehicle for supporting local IT developers. The GAEN model perhaps responds best to concerns over privacy and civil liberties; it is interesting to see that its adoption is strong in the EU and in Canada where such concerns may be heightened. Several US states have also adopted or are in the process of adopting GAEN-based contact tracing apps.

Another feature of the first map that we wish to highlight is the interesting challenge posed by federal states. Canada is shown as uniformly adopting a GAEN model, but this does not reflect the story of how it moved in this direction. As noted earlier, Alberta was an early adopter of a different sort of app based on Singapore’s TraceTogether API. Ontario was the first to adopt the federal COVIDAlert. Other provinces have since announced that they will follow suit, including Alberta, but adoption is not yet universal across the country. The US is represented on the map as “various” because it too is a federal state, and no national app has been adopted. Some states have begun to adopt or develop their own apps (these developments are reported on a separate US Map.) Suffice it to say – federalism presents unique challenges. Where different apps are adopted in a single country or region, there can be issues of interoperability. This pits broader concerns about functionality against issues of regional autonomy. The Canadian and US stories around app adoption would make an interesting comparison. The EU, with its multiple apps and free movement of citizens within the EU is similarly an interesting case study in this regard.

Our second map visualizes uptake. CT/EN apps require significant levels of adoption to be useful, although there are differences of opinion as to what level of adoption is optimal. We have found it challenging to get accurate data about adoption levels and our map reflects this. Where data is available, numbers tend to be relatively low, although it will be interesting to see if a second wave (or third in some countries) pushes adoption to higher levels – and at what rate. It is interesting to consider what may lie behind poor access to adoption data. A lack of transparency about the metrics for evaluating the success/failure of these rapidly deployed technologies is worrisome. It may be that providing such data is a low priority in a pandemic; it may also be that governments do not wish to potentially discourage adoption by revealing low uptake numbers. Some countries, have had much better adoption rates than others. It would be interesting to consider why this might be the case. Are higher adoption rates related to greater trust in government? Greater concerns about the pandemic? Better government messaging?

Our final map looks at whether CT/EN apps have been made optional or mandatory in the countries in which they have been launched. This has been a hot button issue. Some groups or individuals have argued for making such apps mandatory in order to meet public health objectives. Others have raised civil liberties concerns. Underlying this, of course, is the reality that the technology on which these apps operate is not universally available. It would be difficult to make mandatory an app if not everyone could comply because they did not have a smart phone with a compatible operating system. Some jurisdictions have begun to explore the adoption of ‘fob’ technologies that could give greater access to contact tracing applications. Our map shows that currently only one country has adopted a mandatory CT/EN app. The overwhelming majority are voluntary. That said, we have begun to hear of cases in which the use of these apps is required by employers who are looking for tools to track exposure within the workplace, undermining their voluntary nature. As far as we are aware, only Australia has addressed this function-creep in specific app-related legislation.

The actual usefulness of CT/EN apps remains an open question. Concerns have been raised about their technological deficiencies leading to potential false positives and false negatives. It is not clear whether CT apps actually catch many cases not already caught by manual contact-tracing activities. Of course, when normal contact tracing starts to buckle under pressure from a second wave, as is the case now in Ontario, the app takes on a greater role. Nevertheless, with GAEN apps, there is no two-way interface with the public health system. It would be interesting to know how many people receive notifications through the app, and how many of those present themselves for testing – or take recommended actions such as self-quarantining. It would be useful to have a variety of data to assess the reliability and effectiveness of these technologies, but it is not clear that such data will be collected by governments or public health authorities or, if it is collected, whether it will be made readily available.

We hope that you will find our maps interesting and useful. The country pages, as they develop will provide additional information, as well as links to numerous articles and other materials about the apps that we have been collecting since the beginning of the pandemic. We think the project raises a number of interesting unanswered questions that will linger well into the future. Our current plan is to update the site weekly. There is space on the site to provide feedback, comments, and even data should you have it to share.

Our work has been generously supported This project is partially funded by the Scotiabank Fund for AI and Society at the University of Ottawa, SSHRC and the Centre for Law, Technology and Society at the University of Ottawa.

Published in Privacy
Monday, 10 August 2020 08:58

How Will COVID Alert Measure Up?

 

Canada’s new exposure notification app – COVID Alert has launched in Ontario. This shifts the focus from whether to adopt an app and what type to how we will know if the app is a success.

COVID Alert is built upon the Google Apple Exposure Notification System (GAEN) which is a completely decentralized model. This means that none of the proximity data collected via the app is shared with public authorities. GAEN apps must be entirely voluntary. Users choose whether to download the app and whether to upload positive test results for COVID-19. If a user is notified that they have been in proximity to someone who has tested positive for COVID-19 the app will advise what steps to take – but it will be up to the user to take those steps. Although there are privacy risks with any app (and here, they would be predominantly ones related to security and the possibility of malicious attacks), this could be the app on most users’ phones that collects the least personal data. COVID Alert has been vetted by the Privacy Commissioner of Canada and by Ontario’s Privacy Commissioner. It will also be reviewed by privacy commissioners in those provinces that choose to deploy it.

All of this is good news. As we start returning to workplaces, bars, restaurants and public transit, our daily lives will involve more and more moments of proximity with strangers. If nearly everyone is using COVID Alert – and if COVID Alert actually works the way it should – then it should help alert us to potential exposure to COVID-19 so that we can take steps to get tested and/or to isolate ourselves from those we might harm.

Although it is likely to be useful, authorities are quick to point out it is only one tool among many. This is because there is much that is unknown about the actual performance of GAEN exposure notification apps. Such apps have only recently been launched in other countries. The threshold for recording a proximity event is one issue. For COVID Alert, a proximity event is recorded when two app users are within 2 metres of each other for 15 minutes or more. An EU guidance document describes this as “a starting point for the definition of a high-risk exposure contact”, but also indicates that “evaluation and calibration will be key to define the optimal time-and distance settings that adequately capture people at risk of infection.” The apps cannot detect whether people are separated by plexiglass or wearing masks or face shields, and may not function as well when phones are in purses or backpacks. These factors may impact the accuracy of the apps. People may receive exposure notifications due to contacts that are very unlikely to result in infection (on opposite sides of plexiglass, for example) but will experience stress and disruption (perhaps having to miss work while waiting for test results) as a result. These inconveniences might be disproportionately experienced by those whose work demands that they interact with the public or ride transit, and there may be problematic sociodemographic impacts as a result. On the other hand, for those who have to be out and about, the app may provide some level of comfort. There is much that we do not yet know, but that we need to learn. Noting some of the uncertainties around these types of apps, the Privacy Commissioner has recommended “that the government closely monitor and evaluate the app’s effectiveness once it is used, and decommission it if effectiveness cannot be demonstrated.”

One way to learn about the app and its impacts is to gather data and develop metrics to assess its performance. The highly decentralized GAEN model makes this more challenging, since no data is shared with governments via the app. The number of downloads can reveal how many people are willing to try the app. But it does not do much more than that. Useful data would include data about how many people who get tested do so because they received an app notification. It would be interesting to be able to correlate this data with positive or negative test results. In other words, what percentage of people who are prompted to get tested by the app actually test positive for COVID-19? It would also be useful to know how many of the people who receive exposure notifications are also separately contacted by contact tracers. Does the app amplify the reach of conventional contact tracing or does it largely duplicate it? Jurisdictions such as Australia, which has a centralized model, are beginning to collect and analyze such data. Alberta’s contact tracing app uses a centralized system and it might be particularly interesting to compare the domestic performance of a centralized app with the decentralized one. And, while the GAEN is fully decentralized, it does allow for additional data to be collected, with user consent, so long as this is separate from the exposure notification system. The Irish app, built on GAEN, has a voluntary user survey which allows consenting users to share data about the performance of the app. As provinces begin to deploy COVID Alert, both they and the federal government should be thinking about what data they need to evaluate this technology, and how they will gather it. According to the Privacy Commissioner’s assessment, the new Advisory Council established to oversee the use of the app will evaluate its effectiveness. Any such evaluation should be shared with the public.

As the app rolls out in Ontario, individuals will be asked to download it, and broad uptake will be important to its success. Using the app may provide individuals with added protection; it also means that they will be contributing to an experiment to assess the utility of this type of technology to assist in pandemic control. COVID Alert aims to help contain a disease which we know can spread wildly and at great personal and societal cost. Carefully calibrated metrics, and transparency about the successes or failures of the app should, and hopefully will, be part of this experiment.

Published in Privacy

 

Research for this article was made possible with the support of the Heinrich Boell Foundation Washington, DC.

This piece was originally published by Heinrich Boell Stiftung as part of their series on the broad impacts of the COVID-19 pandemic. The original publication can be found here.

 

 

A strong sense of regional sovereignty in the Canadian health care system may lead to different choices for technologies to track and contain the spread of the coronavirus. A multiplicity of non-interoperable apps could put their effectiveness in question and could create regional differences in approaches to privacy..

By Teresa Scassa

Canada’s national capital Ottawa is located in the province of Ontario but sits on the border with Quebec. As soon as restrictions on movement and activities due to the coronavirus begin to lift, the workforce will once again flow in both directions across a river that separates the two provinces. As with other countries around the world, Canada is debating how to use technology to prevent a second wave of infections. Yet as it stands right now, there is a chance that commuters between Ontario and Quebec could have different contact-tracing apps installed on their phone to track their movements, and that these apps might not be fully interoperable.

Innovation in contact-tracing apps is happening in real time, and amid serious concerns about privacy and security. In Canada, many provinces are on the threshold of adopting contact-tracing apps. Canadian app developers, building on technologies adopted elsewhere, will be offering solutions that rely on decentralized, centralized, or partially centralized data storage. At least one Canadian-built app proposes broader functionalities, including AI-enhancement. And, as is so often the case in Canada, its federal structure could lead to a multiplicity of different apps being adopted across the country. Similar challenges may be faced in the United States.

One app to rule them all?

Canada is a federal state, with 10 provinces and 3 territories. Under its constitution, health care is a matter of provincial jurisdiction, although the federal government regulates food and drug safety. It has also played a role in health care through its spending power, often linking federal health spending to particular priorities. However, when it comes to on-the-ground decision-making around the provision of health care services and public health on a regional level, the provinces are sovereign. Canadian federalism has been tested over the years by Quebec’s independence movement, and more recently by dissatisfaction from Western provinces, particularly Alberta. These tensions mean that co-operation and collaboration are not always top of mind.

When it comes to adoption of contact tracing apps, there is the distinct possibility in Canada that different provinces will make different choices. On May 1 Alberta became the first Canadian province to launch a contact tracing app. There have been reports, for example that New Brunswick is considering a contact tracing app from a local app developer, and the government of Newfoundland and Labrador has also indicated it is considering an app. Other governments contemplating contact tracing apps include Manitoba and Saskatchewan. The possibility that multiple different apps will be adopted across the country is heightened by reports that one municipal entity – Ottawa Public Health – may also have plans to adopt its own version of a contact-tracing app.

Although different contact-tracing apps may not seem like much of an issue with most Canadians under orders to stay home, as restrictions begin to loosen, the need for interoperability will become more acute. If non-interoperable contact-tracing apps were to be adopted in Ontario and Quebec (or even in Ontario, Quebec and Ottawa itself), their individual effectiveness would be substantially undermined. Similar situations could play out in border areas across the country, as well as more generally as Canadians begin to travel across the country.

On May 5, 2020, Doug Ford, the premier of Ontario, Canada’s most populous province, called for a national strategy for contact tracing apps in order to prevent fragmentation. His call for cohesion no doubt recognizes the extent to which Canada’s sometimes shambolic federalism could undermine collective public health goals. Yet with so many provinces headed in so many different directions, often with local app developers as partners, it remains to be seen what can be done to harmonize efforts.

Privacy and contact tracing in Canada

The international privacy debate around contact-tracing apps has centred on limiting the ability of governments to access data that reveals individuals’ patterns of movement and associations. Attention has focused on the differences between centralized and decentralized storage of data collected by contact-tracing apps. With decentralized data storage, all data is locally stored on the app user’s phone; public health authorities are able to carry out contact-tracing based on app data only through a complex technological process that keeps user identities and contacts obscure. This model would be supported by the Google/Apple API, and seems likely to be adopted in many EU states. These apps will erase contact data after it ceases to be relevant, and will cease to function at the end of the pandemic period.

By contrast, with centralized data storage, data about app registrants and their contacts is stored on a central server accessible to public health authorities. A compromise position is found with apps in which data is initially stored only on a user’s phone. If a user tests positive for COVID-19, their data is shared with authorities who then engage in contact-tracing. As an additional privacy protection, express consent can be required before users upload their data to central storage. This is a feature of both the Australian and Alberta models.

Decentralized storage has gained considerable traction in the EU where there are deep concerns about function creep and about the risk that user contact data could be used to create ‘social graphs’ of individuals. The European privacy debates are influenced by the General Data Protection Regulation (GDPR) and its shift toward greater individual control over personal data. In Canada, although the federal privacy commissioner has been advancing a ‘privacy as a human right’ approach to data protection, and although there has been considerable public frustration over the state of private sector data protection, little public sentiment seems to have galvanized around contact-tracing apps. Although Canadians have reacted strongly against perceived overcollection of personal data by public sector bodies in the past, in the pandemic context there seems to be a greater public willingness to accept some incursions on privacy for the public good. What incursions will be acceptable remains to be seen. The federal, provincial and territorial privacy commissioners (with the notable exception of the Alberta commissioner whose hands have been somewhat tied by the launch of the Alberta app) have issued a joint statement on the privacy requirements to be met by contact-tracing apps.

The Alberta contact-tracing app has received the cautious endorsement of the province’s Privacy Commissioner who described it as a “less intrusive” approach (presumably than full centralized storage). She noted that she had reviewed the Privacy Impact Assessment (PIA) (a study done to assess the privacy implications of the app), and was still seeking assurances that collected data would not be used for secondary purposes. She also indicated that the government had committed to the publication of a summary of the Privacy Impact Assessment, although no date was provided for its eventual publication.

Given the attention already paid to privacy in Europe and elsewhere, and given that Australia’s similar app was launched in conjunction with the public release of its full PIA, the Alberta launch should set off both privacy and transparency alarms in Canada. In a context in which decisions are made quickly and in which individuals are asked to sacrifice some measure of privacy for the public good, sound privacy decision-making, supported by full transparent PIAs, and an iterative process for rectifying privacy issues as they emerge, seems a minimum requirement. The release of the Alberta app has also created a gap in the common front of privacy commissioners, and raises questions about the interoperability of contact-tracing apps across Canada. It remains to be seen whether Canada’s federal structure will lead not just to different apps in different provinces, but to different levels of transparency and privacy as well.

 

Published in Privacy

The COVID-19 pandemic has sparked considerable debate and discussion about the role of data in managing the crisis. Much of the discussion has centred around personal data, and in these discussions the balance between privacy rights and the broader public interest is often a focus of debate. Invoking the general ratcheting up of surveillance after 9-11, privacy advocates warn of the potential for privacy invasive emergency measures to further undermine individual privacy even after the crisis is over.

This post will focus on the potential for government use of data in the hands of private sector companies. There are already numerous examples of where this has taken place or where it is proposed. The nature and intensity of the privacy issues raised by these uses depends very much on context. For the purposes of this discussion, I have identified three categories of proposed uses of private sector data by the public sector. (Note: My colleague Michael Geist has also written about 3 categories of data – his are slightly different).

The first category involves the use of private sector data to mine it for knowledge or insights. For example, researchers and public health agencies have already experimented with using social media data to detect the presence or spread of disease. Some of this research is carried out on publicly accessible social media data and the identity of specific individuals is not necessary to the research, although geolocation generally is. Many private sector companies sit on a wealth of data that reveals the location and movements of individuals, and this could provide a rich source of data when combined with public health data. Although much could be done with aggregate and deidentified data in this context, privacy is still an issue. One concern is the potential for re-identification. Yet the full nature and scope of concerns could be highly case-specific and would depend upon what data is used, in what form, and with what other data it is combined.

Government might, or might not be, the lead actor when it comes to the use of private sector data in this way. Private sector companies could produce analytics based on their own stores of data. They might do so for a variety of reasons, including experimentation with analytics or AI, a desire to contribute to solutions, or to provide analytics services to public and private sector actors. There is also the potential for public-private collaborations around data.

Private sector companies acting on their own would most likely publish only aggregate or deidentified data, possibly in the form of visualizations. If the published information is not personal information, this type of dissemination is possible, although these companies would need to be attentive to reidentification risks.

In cases where personal data is shared with the public sector, there might be other legal options. The Personal Information Protection and Electronic Documents Act (PIPEDA) contains a research exception that allows organizations to disclose information without consent “for statistical, or scholarly study or research, purposes that cannot be achieved without disclosing the information, [and] it is impracticable to obtain consent”. Such disclosure under s. 7(3)(f) requires that the organization inform the Commissioner in advance of any such disclosure, presumably to allow the Commissioner to weigh in on the legitimacy of what is proposed. The passage of a specific law, most likely on an emergency basis, could also enable disclosure of personal information without consent. Such an option would be most likely to be pursued where the government seeks to compel private sector companies to disclose information to them. Ideally, any such law would set clear parameters on the use and disposal of such data, and could put strict time limits on data sharing to coincide with the state of emergency. A specific law could also provide for oversight and accountability.

The second category is where information is sought by governments in order to specifically identify and track individuals in order to enable authorities to take certain actions with respect to those individuals. An example is where cell phone location data of individuals who have been diagnosed with the disease is sought by government officials so that they can retrospectively track their movements to identify where infected persons have been and with whom they have had contact (contact-tracing).This might be done in order to inform the public of places and times where infected persons have been (without revealing the identity of the infected person) or it might be done to send messages directly to people who were in the vicinity of the infected person to notify them of their own possible infection. In such cases, authorities access and make use of the data of the infected person as well as the data of persons in proximity to them. Such data could also be used to track movements of infected persons in order to see if they are complying with quarantine requirements. For example, public authorities could combine data from border crossings post-spring break with cell phone data to see if those individuals are complying with directives to self-quarantine for 14 days.

The use of private sector data in this way could be problematic under existing Canadian privacy law. Telcos are subject to PIPEDA, which does not contain an exception to the requirement for consent that would be an easy fit in these circumstances. However, PIPEDA does permit disclosure without consent where it is ‘required by law’. A special law, specific to the crisis, could be enacted to facilitate this sort of data sharing. Any such law should also contain its own checks and balances to ensure that data collection and use is appropriate and proportional.

Israel provides an example of a country that enacted regulations to allow the use of cell phone data to track individuals diagnosed with COVID-19. A podcast on this issue by Michael Geist featuring an interview with Israeli law professor Michael Birnhack exposes some of the challenges with this sort of measure. In a decision issued shortly after the recording of the podcast, the Israeli Supreme Court ruled that the regulations failed to meet the appropriate balance between privacy and the demands of the public health crisis. The case makes it clear that it is necessary to find an appropriate balance between what is needed to address a crisis and what best ensures respect for privacy and civil liberties. It is not an all or nothing proposition – privacy or public health. It is a question of balance, transparency, accountability and proportionality.

It is interesting to note that in this context, at least one country has asked individuals to voluntarily share their location and contact information. Singapore has developed an app called TraceTogether that uses Bluetooth signals to identify the phones of other app users that are within two metres of each user. The design of the app includes privacy protective measures. Sharing personal data with appropriate consent is easily permitted under public and private sector laws so long as appropriate safeguards are in place.

A third category of use of personal information involves the public sharing of information about the movements of individuals known to be infected with the virus. Ostensibly this is in order to give people information they may need to protect themselves from unwanted exposure. South Korea offers an example of such measures – it has provided highly detailed information about the location and movements of infected persons; the detail provide could lead to identification. Given the fact in Canada at least, testing has been limited due to insufficient resources, a decision to release detailed information about those who test positive could serve to stigmatize those persons while giving others a false sense of security. Some have raised concerns that such measures would also discourage individuals from coming forward to be tested or to seek treatment out of concerns over stigmatization. In Canada, the disclosure of specific personal health information of individuals – or information that could lead to their identification – is an extreme measure that breaches basic personal health information protection requirements. It is hard to see on what basis the public release of this type of information could be at all proportionate.

A common theme in all of the debates and discussions around data and privacy in the current context is that exceptional circumstances call for exceptional measures. The COVID-19 pandemic has spurred national and regional governments to declare states of emergency. These governments have imposed a broad range of limitations on citizen activities in a bid to stop the spread of the virus. The crisis is real, the costs to human life, health and to the economy are potentially devastating. Sadly, it is also the case that while many do their best to comply with restrictions, others flaunt them to greater or lesser extents, undermining the safety of everyone. In this context, it is not surprising that more drastic, less voluntary measures are contemplated, and that some of these will have important implications for privacy and civil liberties. Privacy and civil liberties, however, are crucially important values and should not be casual victims of pandemic panic. A careful balancing of interests can be reflected not just in the measures involving the collection and use of data, but also in issues of oversight, transparency, accountability, and, perhaps most importantly, in limits on the duration of collection and use.

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law