Covid-19 has risen unique privacy and security issues. As the world has adapted itself to new norms of living, with quarantining and working from home, it has seen a rise in privacy concerns ranging from phishing to hacking Zoom meetings, and now to apps gathering personal data for combating the virus.
There has been an increased concern in the collection and tracking of Covid-19 patients through an app. Data collection and usage by apps is not a novel issue, but given the current global pandemic, it has raised the question of when and how is it allowed to have the “intrusion of privacy” for the common good?
The pandemic has pushed the development of contact tracing, through private and governmental entities, and this has arguably lead to a new form of government surveillance.
In Canada, there have been federal and provincial discussions of using a contact tracking app. Alberta is the only province that is currently using such an app, called ABTraceTogether which Albertans can join voluntarily. The premise of the app is to let you know if you have been exposed to Covi-19 or you have exposed others. In order to relay this information, the app is working with the Alberta Health Services (AHS), who will contact individuals through the information they provide to the app.
Looking through the ABTraceTogether website, in the protected privacy section, it stated that a user’s personal data is only stored on their phone for 21 days in an encrypted format. The user’s information will not be shared with the AHS contact tracers without their permission. However, non-identifying information about the user will be kept for 18 months for the purpose of reporting and analytics. The website repeatedly mentioned the collection of “non-identifying information” but no further explanation was provided as to what this includes. There is also no explanation as to why this “non-identifying information” is required and helps to achieve the end goal.
In the “protecting your information” section of the website, it stated that privacy impact assessment and security threat risk assessment were conducted. Along with ongoing cybersecurity testing being conducted to “identify and address potential security weakness.” However, no further information was provided on how these tests were being conducted, and who is overseeing the project to ensure that the user’s privacy is protected and free for a possible cyber attack.
In order to ensure efficient privacy protection of users, there has to be transparency and accountability. And in order to achieve this there needs to be oversight of using such an application, be it government or non-government ran.
There is a lack of transparency as there is no detailed explanation of what information the app will be collecting, why it’s collecting it, and how it helps the mandate and purpose. As well, there is no clear plan on how the data will be protected.
Part 2 will continue this decision and explore ways that contact tracing apps can uphold users’ privacy while helping combat a pandemic.