The Race to Trace:
Security and Privacy of COVID-19 Contact Tracing Apps

Executive Summary

As governments around the world scramble to control the spread of COVID-19, leaders and policy-makers are urgently considering new technologies that might help. Chief among these technologies are contact tracing apps — mobile device applications that track the proximity of other mobile devices and alert users if they have come close to someone infected with COVID-19.

Proponents of these apps argue they can increase the volume, accuracy and reach of manual contact tracing, provided that enough of the population uses the app.

Though a contact tracing app has yet to be deployed nation-wide, many Canadians seem ready to embrace this technology. A survey of 2,000 Canadians from mid-May 2020 finds that:

• Majorities of Canadians support making contact tracing apps mandatory for the use of public services, like public transit (55%) and in workplaces (51%), though in both cases only one in four strongly support such an approach.
• Support is somewhat lower (46%) for retail or grocery stores making apps mandatory.
• In contrast, opposition to landlords or condominiums making contact tracing apps mandatory (45%) surpassed support (30%).

But there are critical considerations that need to be addressed to make certain this technology is deployed in a manner that protects the security and privacy of Canadians. While there will be security and privacy vulnerabilities with any contact tracing app, Canadian governments and institutions should ensure that any app mitigates these risks to the greatest extent possible by:

1. Following privacy-by-design principles and using only Bluetooth technology, not location data;
2. Using a decentralized approach by keeping contact data on Canadians’ individual devices;
3. Only collecting, storing and using data that is necessary, including deleting data after no more than 30 days, limiting data use to public health uses only, and deleting the app after the pandemic is adequately contained;
4. Ensuring the app is used on a voluntary basis only, and passing legislation to ensure that no public or private entities can make the app mandatory to access goods, services, employment or housing, especially considering one in four low-income Canadian households do not have a smartphone; and
5. Being transparent and maintaining trust, in part through transparent procurement, publicly available source code, comprehensive independent reviews and ongoing oversight.

A review in May 2020 of contact tracing apps in other jurisdictions indicated that no jurisdiction had yet to fully satisfy all these conditions, and should they choose to proceed, Canadian governments had the chance to lead and ensure the highest standards of privacy and security.

Since then, Canada deployed its COVID Alert app, which meets our five recommended criteria. We join Canada’s privacy authorities in saying that Canadians can opt to use this technology with confidence in its privacy and security protections. We continue to urge governments to pass legislation to ensure that no institution requires its use.

Canada must pay particular attention to maintaining the trust of the public through ongoing oversight of the contact tracing app’s efficacy alongside parallel manual contact tracing, particularly given other jurisdictions’ experiences, where negative risks to cybersecurity and digital privacy have outweighed apparent benefits to public health.

App-enabled contact tracing is only desirable if it feeds into a strong, people-powered public health tracing, testing and treatment system. It should not be mandatory, but a well-governed regime, guided by these five principles, may support the fight against COVID-19.