Canada Announces National Contact Tracing App…. What Are The Security And Privacy Concerns?

Yesterday Prime Minister Justin Trudeau announced the federal government will begin testing a “completely voluntary” contact tracing app that can be used nationwide. You can get more details here. Every since that announcement concerns around security and privacy controls started to become top of mind. David Masson, Director of Enterprise Security for Darktrace shared with me his security concerns that are associated with contact tracing:

The debate over a centralized or a decentralized approach while using contact tracing apps continues. A decentralized approach would mean that the data stays on an individual’s phone, while a centralized one would mean that all the data from the app goes to one central body. Both approaches have their own merits.

In Canada, a unified approach to contact tracing led by the Federal Government, rather than by the individual Provinces and Territories, will relieve the Provinces and Territories of some legal and financial ramifications. A unified effort would also ensure a more collaborative process for building in security and privacy controls, and it would be more efficient for decision making. As the Federal Government makes declared decisions about the app and its development, security needs to remain a priority.  A centralized approach, however, needs to come with caveats and protections.

If it is the Federal Government ensuring that a sick person remains isolated and enforcing quarantine, there will be privacy trade-offs. We must be prepared for the future: what should we do with the data after this crisis is finally said and done? Sunset clauses should be put in place to assure the Canadian public that the highest consideration will be taken and that there will be transparency about what happens once the data is no longer needed. 

With regard to the collection of data centrally, scientists and health officials could leverage the data for good. They could use data from the apps to analyze how the virus spreads, how it impacts society, and more, which would improve our ability to deal with the outbreak. However, the Federal Government will need to ensure that any data shared for research is secure.

There will also need to be the ability to have some form of open and transparent redress for all citizens with regard to any contact tracing approach in Canada.

I then asked about the fact that this app will utilize the Apple/Google Exposure Notification API. You can find out more info about that here. The Apple/Google API is billed as best in class when it comes to privacy.does So my question was if the usage of this API made things safer? 

I think the question isn’t is it ‘safe’, but does it makes things more secure? Maybe, maybe not.

Privacy and security are not the same things. Privacy is about personal control of your own data, in particular your identity. Security is the tools that will help you control your data and some tools are better than others. Quite frequently when tools or applications are rushed to market without adequate testing, security vulnerabilities subsequently appear.

When rolling out an application that could be used by so many members of the population, governments should use the best available technology with the lowest risk for security or privacy concerns. However, even then it’s impossible to say that without a doubt an application is or is not safe and important to remember that ‘safe’ can mean different things in different contexts. 

For it to be a ‘safe’ application, the technology needs to be implemented correctly, and the app needs to be shut off when the pandemic is over. History has shown that both of these assumptions could prove to be flawed.

That’s an interesting view as reading over the details related to the Apple/Google Exposure Notification API would have had me assume that there was nothing to worry about. But clearly from what David Masson has said, I clearly hadn’t considered all the implications of what a contact tracing app like this one are. Thus I thank him for his insights on this. It’s given yours truly, as well as a lot of you a lot to think about.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: