Questions and answers for the Standing Committee on Industry, Science and Technology (INDU) appearance on digital contact tracing

May 29, 2020

DIGITAL CONTACT TRACING

Key Messages

  • The urgency of limiting the spread of the virus is a significant challenge for government and public health authorities.
  • In this context, we are prepared to adopt a flexible and contextual approach in the application of privacy laws.
  • We believe that it is possible to use technology to both protect public health and privacy.
  • Design is key.
  • The choices that our governments make today about how to achieve both public health protection and respect for our fundamental Canadian values, including the right to privacy, will shape the future of our country.
  • The government has a crucial role in ensuring that measures are necessary and proportionate and, therefore, science-based, necessary for a specific purpose, tailored to that purpose, and likely to be effective.

Voluntary vs Mandatory: Link to Effectiveness

  • Effectiveness is linked to uptake. This has led to some questioning whether the use of tracing apps should be mandatory.
  • I do not think it would be practical to make use of the apps mandatory. In addition, it may require special legislation.
  • In my view, the better way to increase uptake is to improve trust.
  • This is what led privacy commissioners across Canada to say in our Joint Statement of May 7 that the use of apps must be voluntary.
  • Trust will also require that governments demonstrate a high level of transparency and accountability.
  • Individuals need to be fully informed as to what their information will be used for in order for their consent to using the app to be meaningful.
  • PIAs should be completed and reviewed by privacy commissioners. In some countries, they have been published in full. The source code should be published so it is available for public review and scrutiny by experts – this has also been done in other jurisdictions.
  • As mentioned in my statement, accountability to an independent third party would also enhance trust and adoption.

Other Limits on Effectiveness

Key Messages

  • Effectiveness is one of the elements of the necessity and proportionality principle.
  • This means privacy-impactful measures such as tracing apps must be likely to be effective. However, effectiveness must be assessed in context.
  • Tracing apps are not a panacea, but if there is evidence that leads public health experts to believe they can effectively contribute to the solution, then the effectiveness requirements would likely be satisfied.

Other Factors Impacting Effectiveness

  • Availability of testing to detect who has the virus.
  • Technological limitations: For example:
    • Bluetooth can be vulnerable to interference by environmental or physical obstacles.
    • GPS is good at tracking location, but is not as accurate for detecting proximity in densely populated areas.
  • Social impacts: Over-reliance on digital solutions could create false sense of security, and may influence adherence to social distancing requirements (e.g. asymptomatic individuals could still spread the virus, so other measures remain important).

Bluetooth (proximity tracing) vs GPS (Location tracking)

  • Digital contact tracing tools currently rely on two different technologies: mainly Bluetooth, which could be supplemented with GPS.
  • Bluetooth provides proximity tracing (i.e. “have I been in close contact with someone?”) whereas GPS provides location tracing (i.e. “have I been to a facility with a known outbreak?”). Each technology has its own features, advantages and disadvantages.
Technology: features, advantages and disadvantages

| Bluetooth (proximity tracing) | GPS / AP / Cell (location tracking) |
| --- | --- |
| Range to about 1.5 meters. | Accuracy to about 5 meters. |
| Most Bluetooth-based protocols use rotating keys that do not identify a device or individual; these keys change after an elapsed time set by the contact tracing app. | GPS records could also be tied to rotating keys. |
| Bluetooth does not know where the contact occurred, only that it happened for a certain duration. | GPS will show where an infection contact point may have occurred and, if associated with a timestamp, when. |
| No location-based statistical information can be generated. | Location-based statistical information can be generated to show where infection hot spots occur. |
| Cannot easily be used to verify self-isolation practices. | Can be used to verify self-isolation practices. |
| The accuracy of the measured distance is not always high, for example if signal strength is low because of the transmitter, receiver or antenna used on the device; people and buildings can also interfere with signal strength. | The accuracy of a GPS signal is not always guaranteed. GPS interference can occur if radio emissions are in a nearby signal band, through intentional jamming, and as a result of naturally occurring weather (in space and on Earth). |

Centralized vs De-centralized Matching

  • Centralized or decentralized models are means to support the matching process. Both methods have risks associated with collection, use and disclosure, as both involve database metadata and server logs that could be used to link records to an individual’s IP address.
  • A centralized system will process risk of infection on its servers while a decentralized one will perform the function on the user’s phone.
  • A centralized system may store more information in its database than a decentralized one.
  • NOTE: it is important to understand that digital contact tracing apps can be configured to use centralized or decentralized matching *and* a complementary centralized database that stores additional information about users (e.g. a user’s age, gender, health conditions or postal code).
Centralized vs De-centralized Matching

| Centralized Matching | Decentralized Matching |
| --- | --- |
| Matching is performed on a server. | Matching is performed on the user’s phone. |
| A centralized database could pose a privacy issue if the data retained is in a format that can be used to identify individuals or track their movements. | A decentralized system could pose a privacy issue if the data is not maintained on a user’s smartphone in a secure format (e.g. they have not installed the most recent version). |
| Uses more power on the user’s phone due to the requirement to contact the server more often. | Uses less power. |
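To make the two tables above concrete, the following is an added example (not code from any app, protocol or project mentioned on this page): it derives rotating Bluetooth identifiers with an HMAC, then runs one constructed contact log through a decentralized match on the phone and a centralized match on a server, so the reader can see what data leaves each device in each model. The key-derivation scheme, the 16-byte identifier length, the interval numbering and the 15-minute exposure threshold are assumptions chosen for the illustration.

```python
"""Simplified model of rotating Bluetooth identifiers and of where matching
happens in the centralized and decentralized designs. Added illustration, not
code from any real app or protocol; the HMAC derivation, 16-byte identifiers and
the 15-minute exposure threshold are assumptions made for this example."""
import hashlib
import hmac
import secrets

EXPOSURE_THRESHOLD = 15 * 60  # assumed: contacts shorter than this are ignored


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one time interval. Without the daily key an
    observer cannot link two identifiers to the same phone."""
    msg = interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    """One user's device: holds its own key and a log of identifiers it heard."""

    def __init__(self, name):
        self.name = name
        self.daily_key = secrets.token_bytes(16)
        self.observed = []  # (identifier heard, interval, seconds in range)

    def broadcast(self, interval):
        return rolling_identifier(self.daily_key, interval)

    def meet(self, other, interval, seconds):
        """Both phones record the other's current identifier and the duration."""
        self.observed.append((other.broadcast(interval), interval, seconds))
        other.observed.append((self.broadcast(interval), interval, seconds))


def decentralized_match(phone, published_keys, first, last):
    """Decentralized model: positive users publish their daily keys; each phone
    re-derives the identifiers those keys produced and compares them with its
    own log locally. The observer's contact log never leaves the phone."""
    exposures = set()
    for key in published_keys:
        candidates = {rolling_identifier(key, i) for i in range(first, last + 1)}
        for ident, interval, seconds in phone.observed:
            if ident in candidates and seconds >= EXPOSURE_THRESHOLD:
                exposures.add(interval)
    return sorted(exposures)


class CentralServer:
    """Centralized model: the server issued every user's key at registration, so
    it can map any broadcast identifier back to a registered user. A positive
    user uploads the identifiers they heard and the server does the matching,
    which is why its database holds more, and more linkable, data."""

    def __init__(self):
        self.registered = {}     # user name -> daily key
        self.uploaded_logs = {}  # positive user -> their uploaded contact log

    def register(self, phone):
        self.registered[phone.name] = phone.daily_key

    def match_uploaded_log(self, uploader, first, last):
        self.uploaded_logs[uploader.name] = list(uploader.observed)
        lookup = {rolling_identifier(key, i): user
                  for user, key in self.registered.items()
                  for i in range(first, last + 1)}
        return sorted({lookup[ident] for ident, _i, seconds in uploader.observed
                       if ident in lookup and seconds >= EXPOSURE_THRESHOLD})


def run_scenario():
    """Constructed scenario: Alice meets Bob for 20 minutes in interval 3 and
    Carol for 5 minutes in interval 5; Bob and Carol never meet; Alice is positive."""
    alice, bob, carol = Phone("Alice"), Phone("Bob"), Phone("Carol")
    alice.meet(bob, interval=3, seconds=20 * 60)
    alice.meet(carol, interval=5, seconds=5 * 60)

    # Decentralized: only Alice's daily key is published; each phone checks itself.
    published = [alice.daily_key]
    bob_hits = decentralized_match(bob, published, first=0, last=95)
    carol_hits = decentralized_match(carol, published, first=0, last=95)

    # Centralized: Alice uploads who she heard; the server re-identifies them.
    server = CentralServer()
    for phone in (alice, bob, carol):
        server.register(phone)
    notified = server.match_uploaded_log(alice, first=0, last=95)

    return {
        "bob_exposed_intervals": bob_hits,        # [3]
        "carol_exposed_intervals": carol_hits,    # [] (contact too short)
        "server_notifies": notified,              # ["Bob"]
        "server_holds_keys_for": sorted(server.registered),
        "server_holds_contact_logs_of": sorted(server.uploaded_logs),
    }
```

Running `run_scenario()` shows the privacy difference directly: in the decentralized run the server is never involved and only Alice's key is published, while in the centralized run the server ends up holding every user's key plus Alice's full contact log.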

MILA

Description:

  • COVI is a mobile application that uses artificial intelligence and contact tracing technology. It can predict the user’s risk level, record contacts, and retrieve the risk level information for recent contacts.
  • It uses Bluetooth technology to determine contacts as well as a local GPS. The local GPS is an indirect feature for the risk predictor and for epidemiological modeling.
  • COVI uses machine learning to locally compute risk levels, which estimate when a user may have been infected and what their contagiousness might be on different days in the recent past.
  • The AI tool behind COVI is able to consider a range of factors including health conditions and symptoms to estimate a personal risk level for each user every day. The artificial intelligence tool will seek to understand how the virus spreads beyond what we currently know from clinical studies.

BA Consultation:

  • The developers of this application approached our office to seek privacy advice and we had a number of communications with them as part of an advisory engagement with our Business Advisory services.
  • Based on the information we were provided during the engagement, we found that several key privacy principles were being adopted by the developers. These included, for example:
    • The purposes for which personal information would be used are narrowly defined and limited to alleviating the public health crisis.
    • The app would be used for a limited time only, that is until the pandemic recedes.
    • Only aggregated and de-identified data would be shared with government authorities.
    • The app is based on consent and users would download it voluntarily.
    • The privacy notice we saw is clear.
  • Our advisory engagement with Mila ended the first week of May. Our review of the app and the recommendations we provided were based on the information we had at the time.

GOVERNMENT CONSULTATIONS

  • Government representatives initially put MILA in touch with us, which led to our Business Advisory engagement with them.
  • To date, we have not been asked by Government to provide advice on a specific app.
  • While we have offered our services, we have not been consulted yet. That may still happen. They are not required by law to consult. But we think this would enhance trust. Globally, many DPAs were consulted.

PRIVACY LAW

Legislation specific to digital contact-tracing

  • In the absence of robust federal privacy laws in Canada, a law that provides a framework for ensuring adequate protection of privacy rights in the context of digital contact tracing would have its benefits.
  • Australia, for example, has passed a law specific to contact-tracing, and in Canada CIFAR recommended that federal and provincial governments, in consultation with their privacy commissioners, consider a framework law so there is a common approach across jurisdictions. (Footnote 1)
  • One of the reasons FPT Privacy Commissioners felt it important to issue a common statement calling for respect for key principles was a recognition that some of the privacy laws across Canada do not provide an effective level of protection suited to the digital environment. We also noted that explicit mandates for oversight and auditing of these technologies will help ensure accountability and reinforce public trust.
  • I note that CIFAR agrees that privacy commissioners should be explicitly empowered through framing legislation to govern the deployment of contact tracing apps, and that framing legislation for digital contact-tracing should be consistent with the OPC’s Framework. (Footnote 2)
  • CIFAR also suggests that framing legislation address the following issues:
    • The types of data that can be collected;
    • The purposes for which data is collected;
    • Who has access to the data;
    • Requirement to delete data after a specified period, or after specified criteria are met (e.g., a finding by public health agencies that the pandemic is over);
    • Provision for sunsetting the legislation after a specified time period;
    • Prohibitions and penalties addressing the use of the data for unauthorized purposes.
  • I agree with these points in principle, and am open to further discussion as to whether framing legislation for contact tracing is needed in Canada.
  • That said, digital contact tracing is only one of a range of potential measures that could emerge during this pandemic which could significantly impact privacy rights of Canadians. The best way to ensure there is appropriate recognition and protection of privacy as a fundamental right is therefore to modernize our federal privacy laws.
  • Now, more than ever, citizens need assurance that their privacy rights are protected.

Privacy Law Reform

  • It is positive that Governments have stressed the importance of privacy in the design of tracing applications. Privacy has even been qualified as paramount.
  • However, it is important for parliamentarians to understand that several of the key principles from the FPT statement and our Framework are not currently legal requirements in our two federal privacy laws.
  • Therefore, while governments say the right things and appear to say them in good faith, there is nothing in law that prevents governments and companies from using sensitive health information for purposes other than to address urgent public health issues, for instance for commercial purposes. This reportedly happened recently in the U.S., where information collected through an Apple platform was disclosed to a data broker and then to other companies for marketing.
  • The current crisis has made clear that digital technologies can do a lot of good. Perhaps through contact tracing. Certainly with virtual medicine or e-learning.
  • We urgently need rights-based privacy laws that allow technologies to produce benefits in the public interest without creating risks that fundamental rights such as privacy will be violated.
  • As a former Obama advisor wrote in Foreign Policy, no one would think that freedom of assembly is at risk despite the temporary limitations imposed by the current health crisis. Because freedom of assembly is constitutionally protected. But privacy is at risk, and new laws are required to ensure it receives the protection it needs as a fundamental right.
  • The growing role of public-private partnerships is becoming more apparent during the COVID crisis. These create additional complexity and risk.
  • At a minimum, we need common privacy principles enshrined in our public and private sector laws.
  • Even prior to the outbreaks, these trends had created a “tipping point” where privacy and democratic rights saw strain and reform was overdue. Now the pandemic, while posing its own privacy challenges, has driven home the urgency of law reform.

Other calls for law reform:

  • On the two-year anniversary of the GDPR, the EU Commission (Footnote 3) noted that strong EU privacy rules play a vital role in earning the trust of citizens in the context of digital contact tracing measures. Canada was lagging behind other countries, particularly the EU, even before the current crisis, which has only thrown into stark relief the need for rights-based privacy law.
  • Similarly, Shoshana Zuboff has said this is an opportune moment for better-informed societies to create the legal framework they have lacked to master the power of technology for their benefit. She points out (Footnote 4):
    • Public health has always had an element of surveillance and tracking in it to monitor the spread of a disease, even before big-tech came along.
    • But there is a certain level of mistrust because we have failed over the last 20 years to create the institutions, legislation and regulatory paradigms that allow us to trust in this new invasive world.
    • We have a responsibility to society as well as to the privacy of individuals. And we can do both.

Legal framework for sharing health information

  • It is often said that privacy laws are a barrier to sharing personal health information, for instance between provinces.
  • After consultation, our understanding is that this is not the case. There are provisions in provincial laws that allow for the disclosure of personal health information to other jurisdictions in appropriate circumstances, namely for “public health purposes” or for the purpose of controlling or preventing the spread of communicable diseases.
  • Impediments to information sharing would seem to find their origin other than in privacy laws.

Provincial Health Authorities access to third party records

  • Our understanding is that in the context of a public health emergency, there are broad authorities in provincial legislation that allow for this.
  • This question relates to oversight conducted by my provincial colleagues and I would defer to their assessment on the use of these authorities. Generally speaking however, if this is going to take place, the information collected should be necessary for the identified public health purpose, must only be used for that purpose, and the least intrusive option for achieving the intended purpose should be chosen.

Jurisdiction over contact tracing apps

  • Whether PIPEDA would apply to a contact-tracing app would depend on whether it is being operated by an organization in the course of commercial activities (and whether it is collecting personal information).
  • My office could have jurisdiction over federal government institutions or commercial organizations if they were to collect, use or disclose personal information generated by a contact tracing app.

Apple/Google and PIPEDA

  • In the case of Apple and Google’s API, our understanding based on public statements is that the Apple/Google platform would be available to public authorities, who can then use it to develop their own apps.
  • We also understand that Google and Apple have indicated that apps based on this API would not result in the collection of personal information by Google or Apple.
  • If this is the case, then PIPEDA would not seem to apply to such apps; rather it would be federal or provincial public sector or health privacy laws that would likely apply to the collection of personal information via the apps.
  • The situation is still quite fluid and we will continue to monitor how these apps are rolled out in practice and what functionalities they end up having.

INTERNATIONAL

Key Messages

  • We note many countries are advancing similar privacy principles to those we released in our Federal-Provincial-Territorial Statement.
  • For example, many EU states, Australia and New Zealand are actively debating or have adopted principles similar to ours.

Success of specific countries with containment and apps

  • We should be wary of assessing any country’s progress too quickly, as public health authorities have been clear in pointing out that the risk of community spread continues to exist. (Footnote 5)
  • Even in countries with early successes, like Singapore and South Korea, there have been outbreaks and setbacks in specific workplaces or popular public gatherings. (Footnote 6)
  • All that to say, while use of digital tracing apps may well be contributing to containment of the virus, it is still too early to point definitively to any clear stories attributing success directly to their use. (Footnote 7)

Australia

  • Just this month Australia passed a new law with strong privacy measures for its contact-tracing app, COVIDSafe.
  • The Australian Privacy Commissioner has signaled approval for the app and legislation, which provides an expanded regulatory oversight role for the Commissioner.
  • The privacy-related elements in the legislation overlap with the key privacy principles from the FPT Commissioners’ statement. Further legal measures include:
    • Offences for contraventions relating to the collection, use and disclosure of information, and for decrypting and re-identifying the data – with imprisonment for up to 5 years or AUD 63,000 per offence
    • Penalties for uploading data without consent
    • Offence to require someone to download or use the app
    • Refusing to sell goods and services, discrimination in employment, or blocking entry because a person has not downloaded the app is criminalized

Singapore

  • Their app (TraceTogether) appeared to be an early success, and its design incorporated several of the principles we highlighted in our framework, including voluntary use, data minimization, strong encryption and purpose limitation. (Footnote 8)
  • However, the country is now experiencing a second wave of infections and reliance on tracing apps specifically has taken on less significance.
  • As a result, health authorities have introduced “Safe Entry” measures for social distancing. These measures are not based on proximity alerts (via Bluetooth) but on mobile-based location tracking, so that the program logs all individuals entering or exiting certain ‘safe zones’.
  • This requires individuals entering high-traffic locations (e.g. schools, offices, grocery stores, malls, nursing homes, etc.) to register / check-in either with a recognized identity card, or by scanning a QR code on their smartphones.
  • China, Hong Kong and South Korea adopted similar measures.

Co100 app (South Korea)

  • Authorities have legislative powers to collect data if “necessary to prevent infectious diseases and block the spread of infection” (via the Infectious Disease Control and Prevention Act, Article 76-2). (Footnote 9)
  • Data sources have included medical records, GPS data from devices, smartcard transactions, and CCTV.
  • Authorities in Korea released a public mobile app for tracking contacts (via a patient’s locations) in February to slow disease transmission. (Footnote 10)
  • Unlike Canada, however, Korea also developed a public alert system (CORONA-100M) to release information on infected individuals and their activities, broadcast via mobile to any users who have come into contact with them. (Footnote 11) The detailed report broadcast includes a physical description (e.g. male, mid-50s) and movements (e.g. on a particular street at a certain time). (Footnote 12)

PROVINCIAL

Alberta App

  • The Alberta government recently released the ABTraceTogether contact tracing application.
  • The development of this mobile application is based on the centralized contact tracing protocol BlueTrace/OpenTrace, developed by the government of Singapore.

TAD Analysis of the App:

  • The personally identifiable information that the ABTraceTogether mobile application requires is the user’s mobile phone number. This is a requirement defined by the contact-tracing protocol, BlueTrace/OpenTrace.
  • Consent is required during the registration process and when uploading information to the servers, after a user has tested positive. Users can revoke consent at any time.
  • The iOS version of ABTraceTogether requires the phone to be unlocked at all times. This is required to maintain Bluetooth interactions. This method could potentially put a user’s information at risk if the phone is left unattended.
  • The Android version requires various permissions in order to access the device’s precise location. If the user does not grant location permissions, the application does not operate. The developers of the application stated that access to location permissions is a requirement of the Android operating system (for applications that use Bluetooth services). Despite the requirement of location access, the developers also claim that the user’s location is never accessed or collected.

OTHER:

Immunity Passports

  • This concept remains untested at this time, though various jurisdictions have reportedly considered the idea. We have had no formal discussion with any health authorities in Canada on the idea.
  • As Dr. Tam recently noted before the Commons Health Committee, it is not even evident to health authorities that we have accurate tests to measure requisite immunity in individuals.
  • The science is also unclear as to whether reinfection after recovery is possible. Therefore, issuing some form of passport or health certification raises clear ethical concerns, as inaccurate testing could lead to more exposures and outbreaks.

BC Serology Survey

  • The BC Centre for Disease Control launched a COVID-19 survey to measure the effect of COVID-19 and the level of “community immunity” to the virus. At the end of the survey, participants are asked if they are willing to take part in future antibody testing to help determine immunity across the population.
  • Health Canada has approved an antibody test to measure immunity of people who have recovered from COVID-19, some of whom may not know they were exposed (other tests are under development).
  • BC provincial health officer, Dr. Bonnie Henry, has cautioned that the tests are not 100% accurate and that there still isn’t a full understanding about what it means when you have antibodies, how long COVID-19 antibodies last in the system, and what level is required to provide immunity.
  • To date, our office has not been engaged by Health Canada/PHAC on serological testing efforts nor on serological information sharing.

Data Ownership

  • Providing individuals with economic claims to their personal information becomes a privacy issue if the assertion is to recognize personal information as a good over which there can be ownership.
  • Such an approach can carry unintended consequences, including alienating an individual’s claim to privacy over such data after their sale or transfer in ownership. This would be in contrast to a rights-based approach, where entrenching privacy as a quasi-constitutional right would reflect its innate role in personhood.
  • This could lead to business models where individuals pay for privacy, and may be particularly exploitative of vulnerable populations.
  • Our office views consent as a key mechanism through which individuals can exercise autonomy and control over their personal information.
  • That said, in our current digital context, relying solely on consent can place too much responsibility on individuals.
  • Advances in technology and the use of lengthy privacy policies have too often served to make the control that should be enabled by consent nothing more than illusory.
  • To help address this, we have released guidelines on obtaining meaningful consent and have also advocated for the need for our privacy laws to be given a rights-based foundation.
  • While consent is important, it is unfair and not always effective to place much of the burden of privacy protection on the shoulders of individual consumers. It is the role of government and of independent regulators like the OPC to protect citizens and restore balance in their relationship with organizations.

Digital ID

  • Depending on its design, a Digital ID can potentially streamline how individuals provide their identity and can limit the amount of personal information that is shared online.
  • We have seen reports of how well-equipped certain jurisdictions that already have a Digital ID in place have been to deal with the impacts of the COVID crisis.
  • While a Digital ID can offer a high level of assurance and accuracy in identification and authentication, there are risks associated with security breaches, identity theft and surveillance (if identifying information were to be correlated across databases).
  • To combat these risks a digital ID system should:
    • Ensure privacy is embedded into the technical design
    • Have end to end security
    • Be user centric, ensuring user rights, including consent and other forms of user control
    • Be implemented under a comprehensive legal framework
  • We know that the Canadian government has shown interest in the Estonian model, where robust privacy legislation preceded their digital identity registry. This is a critical feature.
  • On Biometrics: Some governments are discovering the utility of biometrics to uniquely identify or authenticate individuals. Biometric information is inherently sensitive given both its permanence and its uniqueness in relation to identity. A breach of an individual’s biometric information can greatly increase risks to identity theft, fraud, and future security attacks for individuals.
  • On SIN: As to whether the SIN would be appropriate as a Digital ID, the SIN is a form of an identifier, while a digital ID is an electronic representation of who you are. It therefore may not be the most appropriate to use as a Digital ID, but this warrants further study.

Temperature Checks

  • Media articles have quoted Canada’s chief public health officer stating that temperature checks as a screening measure for COVID-19 are ineffective, especially when used on their own.
  • Temperature checks involve the collection of sensitive personal information. Therefore, we expect any organization that launches such an initiative would ensure that it is necessary, proportionate and in accordance with direction and guidance from public health authorities.
  • PIPEDA sets out a number of obligations for organizations that may be at play in such a scenario. For example:
    • an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
    • there is also an obligation for organizations to collect only the personal information necessary for the identified purposes.
    • meaningful consent is generally required for the collection, use and disclosure of personal information.
  • Our framework emphasizes that privacy impactful measures taken to address the COVID-19 pandemic must be necessary and proportionate, which means evidence-based, and necessary for the specific purpose identified and not overbroad.

Virtual medicine

  • Virtual medicine has immense value, and serves the public interest, particularly for those who are vulnerable or who live in remote areas.
  • However, there are high risks to personal information due to the nature of the patient-medical provider relationship and highly sensitive health information at play.
  • These risks include the possibility that sensitive health information might be shared for commercial purposes by platforms.
  • Therefore, in order to ensure public trust in this medical service, it is crucial to have a rigorous rights-based legal framework to adequately protect the privacy rights of patients.
  • Infoway has been engaged in the discussion about virtual care because of their expertise in electronic records; and we participate in discussions with Infoway on a regular basis.

Facebook

  • In April 2019 the OPC and the Office of the Information and Privacy Commissioner for British Columbia concluded a year-long investigation into a complaint against Facebook, finding the complaint well-founded. Facebook disputed the findings of the investigation and chose not to implement our recommendations to address deficiencies.
  • On February 6, the OPC initiated a Federal Court application against Facebook stemming from that investigation.
  • The OPC and the Competition Bureau are different regulators. The Competition Bureau is tasked with issues pertaining to misleading or deceptive business practices. Our office is responsible for oversight of the Personal Information Protection and Electronic Documents Act (PIPEDA), which spells out how organizations that engage in commercial activity may collect, use or disclose personal information.
  • For many years, our office has been calling for legislative reform, including stronger enforcement powers for our office.
  • Our office has also said that our interpretation of the law should be binding on organizations and that, to ensure effective enforcement, the Commissioner should be empowered to make orders and impose fines for non-compliance with the law.
  • Powers to issue orders and levy fines would change the dynamic of our discussions with companies during investigations, leading to quicker resolutions for Canadians. At the moment, as we saw in our Facebook investigation, an organization that we have found in contravention of the law can simply ignore our recommendations and “wait it out” until the courts reach their conclusion, perhaps years later.
  • The current framework creates an incentive for companies to proceed without much concern for compliance with privacy laws. They change their practices only if forced to after years of litigation. Other privacy commissioners at both the provincial and international levels who have already been empowered to make orders and impose fines report that these enforcement tools have led to much more cooperation from companies. When the regulator finds a violation, companies are more willing to correct deficiencies, without long delays.