I Always Feel Like Somebody’s Watching Me: Privacy Considerations in Contact Tracing

On May 1, 2020, as a component of Alberta’s Relaunch Strategy, the government of Alberta introduced a mobile contact tracing application with the objective of monitoring exposure to and containing the spread of COVID-19.

This mobile app, known as the “ABTraceTogether App”, seeks to enhance and expedite the currently used manual contact tracing process, allowing Albertans to be alerted upon exposure to COVID-19 and for testing to be sought in a more targeted and expedited manner.

Digital contact tracing has been considered as an alternative to traditional, time- and resource-intensive manual contact tracing in many jurisdictions. Digital contact tracing allows the objectives of identifying incidences of close contact, expeditious notification, and slowing of transmission rates to be achieved just as they would with manual contact tracing, but in an automated and rapid manner. However, a digital system still relies on tracing. The concept of having one’s interactions with others and movements within society traced understandably gives rise to a variety of privacy and security concerns, and fears regarding intrusive surveillance. When this tracing and its component personal information collection occurs via a mobile app, privacy concerns are often heightened due to the possibility of that tracing being more extensive and closely logged or monitored. Users typically express concerns regarding how information sharing occurs via digital contact tracing, and how they may retain control over their own information within such a system.

A digital contact tracing system must therefore be cognizant of these concerns, and compliant with applicable privacy laws, in order to build the public trust necessary for it to become widely adopted and effective. A summary of key privacy considerations applicable to such a system, and how the government of Alberta has purported to address them in relation to the ABTraceTogether App, follows below.

Consent

Pursuant to Canadian federal and provincial privacy laws, meaningful consent must be obtained by organizations, whether public or private, for the collection, use and disclosure of personal information (unless certain exemptions apply). In order for consent to be meaningful, the individual must be informed regarding what personal information the organization intends to collect about the individual, why it collects it, and what it does with it once collected. With that information in hand, the individual can then choose to permit the collection, use and disclosure, or not. Without that information, the individual lacks the knowledge they require in order to consent to an organization’s proposed handling of their information, and the consent may not be viewed as validly and effectively given.

The government of Alberta has addressed the issue of consent with respect to the ABTraceTogether App in two ways: (1) by making publicly and readily available information regarding the purpose and functionality of the ABTraceTogether App, the information it collects, and how that information is used, and (2) by making the App available on a purely voluntary basis. Use of the ABTraceTogether App is optional for Albertans, and involves an express opt-in in order for a user to provide information to the App and participate in the tracing functionality offered by the App.

This approach allows the user to make an express choice to turn on the technology, and to turn it off via deleting the App when they no longer wish to participate in the digital contact tracing system.

Data Minimization

Regardless of whether or not consent to collection, use and disclosure of personal information is obtained, privacy compliance dictates that the actual collection, use and disclosure conducted by an organization must be reasonable. Generally speaking, this means that the organization must only collect, use and disclose personal information that is necessary in order to achieve the purpose for which it is being collected. Extraneous, or unnecessary, personal information should not be collected, nor used or disclosed by the organization, nor retained by the organization when that information is no longer needed to achieve the stated purpose.

Unlike some other mobile apps used for similar purposes in other jurisdictions, the ABTraceTogether App does not purport to use a device’s GPS tracking or other geolocation services, nor track the individual user’s location. Rather, according to the government of Alberta it collects the user’s phone number during app set-up, and uses Received Signal Strength Indicator (RSSI) readings to track phone numbers within a two-metre radius of the user’s phone, and the duration of that contact. If the user’s proximity to another phone number indicates that the user may have been exposed to COVID-19, Alberta Health Services (“AHS”) then contacts the user’s phone number to inform the user of the risk and recommended actions to take in response. If, on the other hand, the user is diagnosed with COVID-19, the user has the option of sharing their encounter or contact log from the App with AHS in order to allow AHS to notify other users with whom close contact may have occurred.

In addition, all personal information collected via the ABTraceTogether App is deleted on a rolling basis, every 21 days.

Processes such as the above allow the amount of personal information collected by the ABTraceTogether App to be minimal, and closely tied to the purpose of the App – contact tracing and notification. In this Bluetooth-based approach, for example, the random identifiers broadcast by devices rotate every few minutes to prevent tracking of any individual user, and users do not share identifying information with each other. Users also do not share identifiable personal information with public health authorities, their governments, or the app developer, without consent. Rather, the user may choose to share certain personal information, including a COVID-19 positive diagnosis, with the App or AHS. The personal information shared is reportedly limited to the user’s encounter or contact logs, which effectively means that the user’s most recent keys to their Bluetooth beacons are added to the positive diagnosis list shared by AHS so that other users who also came into contact with those beacons may be notified of possible exposure.
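As an added illustration (not code from the ABTraceTogether App, AHS or the government of Alberta), the following Python models the data-minimization mechanism described above: a per-day random key, rotating Bluetooth identifiers derived from it, an encounter log that records only close and sustained contact, 21-day rolling deletion, and matching of a published positive-diagnosis key list on the user's own device. The rotation interval, RSSI threshold and minimum contact duration are assumed values chosen for the example.

```python
import hmac, hashlib, os
from dataclasses import dataclass, field

ROTATION_MINUTES = 15     # identifier rotation interval (assumption)
RETENTION_DAYS = 21       # rolling deletion window stated in the post
CLOSE_RSSI_DBM = -65      # RSSI threshold standing in for ~2 m (assumption)
MIN_DURATION_MIN = 15     # minimum contact duration worth logging (assumption)

def rolling_id(day_key: bytes, minute: int) -> bytes:
    """Identifier broadcast during one rotation window. A keyed hash means an
    observer who only sees identifiers cannot link windows without the key."""
    window = minute // ROTATION_MINUTES
    return hmac.new(day_key, window.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

@dataclass
class Phone:
    keys: dict = field(default_factory=dict)        # day -> random key, kept locally
    encounters: list = field(default_factory=list)  # (day, seen_id, duration_min)

    def key_for_day(self, day: int) -> bytes:
        return self.keys.setdefault(day, os.urandom(32))

    def broadcast(self, day: int, minute: int) -> bytes:
        return rolling_id(self.key_for_day(day), minute)

    def observe(self, day: int, seen_id: bytes, rssi_dbm: int, duration_min: int) -> None:
        # Only close, sustained contact is logged; no phone number, no location.
        if rssi_dbm >= CLOSE_RSSI_DBM and duration_min >= MIN_DURATION_MIN:
            self.encounters.append((day, seen_id, duration_min))

    def prune(self, today: int) -> None:
        """Rolling deletion: drop anything older than the retention window."""
        self.encounters = [e for e in self.encounters if today - e[0] < RETENTION_DAYS]

    def diagnosis_upload(self, today: int) -> list:
        """What a diagnosed user shares: recent day keys, nothing else."""
        return [(d, k) for d, k in self.keys.items() if today - d < RETENTION_DAYS]

def exposed(phone: Phone, published: list, minutes_per_day: int = 1440) -> bool:
    """Regenerate the identifiers for each published key and match them against
    the local log, so the check runs on the device without revealing the log."""
    for day, key in published:
        ids = {rolling_id(key, m) for m in range(0, minutes_per_day, ROTATION_MINUTES)}
        if any(d == day and sid in ids for d, sid, _ in phone.encounters):
            return True
    return False
```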

Encryption

When personal information is collected with consent and to the extent necessary to achieve a stated purpose, it must be stored, retained and transmitted in a secure manner in order to minimize the risk that it will be accessed or used without authorization or for an unintended purpose.

Secure digital storage and transmission typically involves some form of encryption technology. Encrypting data means that it cannot be accessed or viewed without an applicable decryption key, either while in transmission over a network, while in storage, or both. If it is accessed or viewed by someone without a decryption key, it will appear scrambled and unreadable as “cipher text”, thus rendering it effectively meaningless and useless.

The government of Alberta has stated that personal information collected by the ABTraceTogether app is anonymized and stored in encrypted format. No identifiable personal information is shared between users via the App, meaning that if a user comes into close contact with another user, the first user will be notified that they may have been exposed to COVID-19, but not by whom or where. Information collected via the App is reportedly stored locally on the user’s own phone, and is only shared with AHS if the user consents in response to a request for their exposure or contact tracing logs. If so shared, the personal information is then stored by AHS on an encrypted server and deleted every 21 days. It is not clear at this time precisely what method of encryption is being used with respect to the ABTraceTogether App, and if metadata collected and sent along with the target personal information will also be encrypted.

We note that as of the date of this post, the Office of the Information and Privacy Commissioner of Alberta has provided a series of questions to the government of Alberta regarding privacy and security considerations surrounding ABTraceTogether; however, a final report and/or recommendations have not yet been released. Please check this space for updates on this topic as they become available.

The above is an overview of key privacy considerations applicable to digital contact tracing in the context of COVID-19. Please do not hesitate to reach out to our MLT Aikins team if you require assistance with privacy and security related questions – we would be pleased to assist you in navigating the unique circumstances presented by this pandemic.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.
