COVID-19 and Government Surveillance: What Price Privacy?


“As we move forward with restarting the economy, we must keep working together to prevent the further spread of COVID-19. This new mobile app will put the privacy of Canadians first, and act as an extra measure of safety to help protect our families and our communities from the virus.” —Rt. Hon. Justin Trudeau

It was likely inevitable, and certainly no surprise. On June 16, 2020, Prime Minister Justin Trudeau announced that the government of Canada is promoting the use of a mobile app to notify individual Canadians of their possible exposure to COVID-19. According to Trudeau, the app will be available nation-wide, free of charge, by early July.

The prime minister’s announcement followed nearly three months of well-publicized private sector research, expert consultations and federal-provincial negotiations. Shortly after Trudeau’s announcement, Ontario premier Doug Ford held his own press conference to confirm that his province would be the first to test the new cellphone app, whose stated purpose is to identify and isolate individual cases of infection more quickly, in order to limit the spread of the disease.

On the surface this would appear to be an extremely positive development. Given ongoing problems with two key elements of an effective containment strategy – insufficient testing rates and very slow contact tracing – Ontario in particular, and Canada in general, are perceived by many public health analysts to be patently unprepared for the second wave of the virus that everyone knows is coming. Using technology to speed up this crucial series of functions, therefore, would seem at first blush to be the ideal solution from a public health perspective.

Trudeau’s announcement also followed several weeks of growing demands by the private sector for governments to relax restrictions and re-open the economy on an urgent basis, in order to avoid ever-higher levels of business bankruptcies and unemployment. Meanwhile, increasingly dire predictions have been emerging from financial analysts about the negative effects of an extended lockdown on the government’s ability to sustain its panoply of bailout measures, or to regain fiscal stability in the foreseeable future. A June 18, 2020 report by the Parliamentary Budget Officer, for example, predicted that the federal government’s total expenditures to date would result in a $256 billion deficit for 2020 and a 6% decline in GDP. (Although these are huge numbers by any measure, it is worth noting that this projected deficit would need to double to reach levels last seen during World War II, and that current low interest rates make the cost of federal indebtedness less painful.[1]) Yet without better containment measures the opening up of the economy could also lead to a resurgence in the number of cases and renewed spread of the virus. Once again, the adoption of a mobile surveillance app would seem to be an optimal solution.

In addition to these pressing public health and economic incentives to adopt some type of cellphone surveillance technology, many advocates have been trumpeting the use of such measures elsewhere. Countries as diverse as South Korea, Singapore, Taiwan and Israel, they noted, had all implemented some form of electronic surveillance app in the early days of the pandemic, and are attributing their relatively successful containment of the virus in large measure to this move. (Other countries, such as the U.K., have implemented a similar measure more recently, so the relative efficacy of this plan is not yet known.) However, the mandatory use of such apps has already been responsible for changes in individual behaviour (either reducing the practice of other precautionary measures, or increasing evasive measures) as well as significant cases of discrimination. Even the most ardent of proponents admit that none of the systems adopted is foolproof, and there are a number of practical problems to consider before implementation.

Currently there are two basic types of technology competing to perform this surveillance function. The first involves a centralized approach to contact tracing in which the mobile app identifies everyone’s location at all times through GPS. Apart from the obvious invasion of privacy, this approach is often unreliable since it cannot distinguish distances of less than 5-20 metres, which is far more than the distance required for physical distancing, and this leads to numerous false positives. The second technology involves a decentralized approach with an app based on Bluetooth, where cellphones are identified in terms of proximity to each other, and location is irrelevant. This system is considered more reliable and less invasive of privacy, but could lead to false negatives and could be more vulnerable to deliberate tampering.

Clearly the use of either technology requires a more significant invasion of privacy than most citizens in liberal democracies would accept in normal times, something that has not escaped the attention of legal and privacy experts. It also requires the consent of the population, which in democracies is something that must be based on public trust in authorities rather than coercion. In Canada, debate over the possible use of surveillance apps has in fact focused on this privacy consideration above all others. True, Canadians have already demonstrated a much greater tolerance for government limitations on their civil liberties during this pandemic than their counterparts in the United States, but some degree of resistance is inevitable.    

Anticipating the potential adoption of such technology in Canada, the privacy commissioners of provinces and territories, along with their federal counterpart, issued a statement on this issue in early May with specific recommendations to government on how to ensure the maximum level of individual privacy and public acceptance. In it they highlighted what they considered to be essential measures that should be incorporated in any such plan. These included:

*a voluntary rather than mandatory adoption of the technology by individuals;

*a clearly indicated rationale as to why the technology is necessary and proportional to needs;

*an explanation of its likely efficacy;

*clearly spelled out limitations on the use of the data accumulated and a clearly limited timeframe for its use;

*anonymization of data (de-identified or aggregate);

*transparency and accountability of government in reporting the results;

*independent oversight; and legal safeguards, particularly with any private sector contractors.[2]

Similar concerns and lists of first principles were outlined by such well-known technology experts as Michael Geist[3] and legal experts such as Joel Reardon.[4]  Among the questions they posed are not only what data will be collected, but who will have access to the data, how it will be used and secured, and how long it will be stored.  

It is in this context, then, that we can evaluate the plan put forward by the prime minister on June 16, which appears to have taken into consideration these various privacy concerns. To begin with, the plan announced by Mr. Trudeau, as he stressed repeatedly during his press conference, will be voluntary. In addition, the app utilizes the less invasive and more effective Bluetooth technology. Although the software is based on work by Canadian private sector entities Shopify and Blackberry, and the Bluetooth technology has been made possible by a unique agreement between technology giants Apple and Google, the technology will be owned and operated by the government of Canada. Data collected by the app will be aggregated and anonymous. The prime minister emphasized that “at no time will personal information be collected or shared, and no location services will be used.” In addition, an external advisory council will be established to ensure both transparency and accountability as the app is rolled out and beyond.

After examining the proposal, Florian Kerschbaum, director of the Cybersecurity and Privacy Institute at the University of Waterloo, stated that he believes the government’s app meets the privacy concerns he and others had identified, and that he will personally be installing the app on his cellphone.[5]

However, two further hurdles remain. The efficacy of the app is obviously dependent on the level of take-up by citizens. Will most Canadians be willing to trust their governments and politicians to the extent necessary for this admitted invasion of privacy? One recent survey suggested that less than half of Americans would install such an app voluntarily. And the available pool from which potential app users are drawn is much smaller than the total population. As one recent article in The Economist noted, not everyone has a cellphone.[6] This is especially true of the elderly and other most vulnerable groups. Epidemiologists estimate that at least 60% of a population must have the app installed if it is to be effective, and a much higher figure would be desirable. Yet only 76% of people in Europe have cell phone subscriptions to begin with. This number falls to roughly 70% in North America, and is much lower in the Asia Pacific and Africa. Nevertheless, one possible encouraging sign for Canadian supporters of this technology is a May survey of 2,000 Canadians conducted by the Cybersecure Policy Exchange at Ryerson University, which found a majority of respondents would support the mandatory use of some type of anonymized app. Presumably a voluntary approach would appeal to far more.

A second hurdle, so familiar to Canadians, is that of federal-provincial relations. Although the prime minister indicated that the CyberShield app will be available nation-wide, not all provinces have agreed to participate actively in its distribution as yet. Ontario is an important first stage, but several other provinces – and notably Alberta – have been intent on introducing their own versions of this technology. If there is insufficient take-up of the “national” app, it will be hopelessly ineffective. 

At the end of the day the success of this new initiative will depend on the ability of politicians, privacy experts and public health officials to convince enough Canadians that the trade-off between privacy and a return to a more normal state of existence is one worth making.

[1] See for example Campbell Clark. “They’re World War deficit levels, but not the biggest or the baddest yet.” Globe and Mail. March 31, 2020.

[2] Office of the Privacy Commissioner of Canada. “Supporting Public Health, Building Public Trust: Privacy Principles for Contact Tracing and Similar Apps”. Joint statement by Federal, Provincial and Territorial Privacy Commissioners. Ottawa: May 7, 2020.

[3] Michael Geist. “How Canada Should Ensure Cellphone Tracking to Counter the Spread of Coronavirus does not Become the New Normal.” March 24, 2020.

[4] J Reardon, E Laidlaw and G Hagen. “Covid-19 and Cellphone Surveillance”.

[5] Ivan Semeniuk. “Ottawa Urges Use of Contact-Tracing App”. Globe and Mail. June 19, 2020.

[6] Leaders. “Don’t Rely on Contact Tracing Apps”. The Economist. May 16, 2020.