COVID Alert App: What Lawyers Need to Know

Prepared by the CBA Privacy and Access Law Section and the CBA Labour & Employment Law Section.

The federal government launched the COVID Alert app to assist public health authorities across the country in their efforts to control the propagation of the coronavirus. This fact sheet will help lawyers understand how the COVID Alert app works, and highlights the privacy- and employment-related legal issues that should be considered in providing advice on the use of the COVID Alert app or an app performing a similar function.

Overview of the COVID Alert App

+

The COVID Alert app is the Government of Canada’s free exposure notification app, whose objective is to reduce the spread of the virus by notifying Canadians of potential exposures and encouraging them to take appropriate actions.

It is currently available in the following provinces and territories:

  • Manitoba
  • New Brunswick
  • Newfoundland and Labrador
  • Northwest Territories
  • Nova Scotia
  • Ontario
  • Prince Edward Island
  • Quebec
  • Saskatchewan
+

The COVID Alert app is based on the Google/Apple exposure notification application programming interface (API).

It runs in the background of the phone on which it was downloaded. It uses Bluetooth to exchange random codes with nearby phones every five minutes. The app estimates how near other app users are by the strength of Bluetooth signals. Every day, the app checks a list of random codes from other users who tell the app they tested positive within the last 14 days. If it finds codes that match, the app will send an exposure notification and explain what to do next.

Notifications are based on having spent more than 15 minutes at a distance of less than two meters from another user who reported a positive test in the past 14 days.

Use of the COVID Alert app is always voluntary. It is up to the user to download the app, uninstall the app, tell the app they tested positive (through a one-time key, discussed below) or take any action further to an exposure notification. The Apple and Google terms of service for the exposure notification API on which the COVID Alert app is based make it clear that user consent is mandatory and users must have the option to uninstall the app and opt out of receiving notifications at any time.

For additional information on how the COVID Alert app works, visit:

+

If a user is diagnosed with COVID-19, they will receive a one-time key (OTK) from their local health authority that they can enter into the app within 24 hours, to upload the random codes their phone sent. Their identity is not revealed.

They can also enter details to help narrow down when they were likely most infectious. The COVID Alert app will ask if the user has had any symptoms and, depending on their answer, it will ask for the date their symptoms started (or their test date if they are asymptomatic or do not recall their symptom onset date). Those details are not sent or stored anywhere outside the user’s phone. It just tells the phone which random codes to upload. If the person chooses not to provide details, the app uploads the random codes from the last 14 days.

The random codes go into a central server operated by the Government of Canada. No other information is sent to the server.

+

Use of the COVID Alert app is always voluntary (see above). Therefore, a user may choose not to enter the one-time key further to a COVID-19 diagnosis.

+

The OTK is available for a 24-hour window once it is used. It “unlocks” the user’s ability to enter a Temporary Exposure Key (TEK) into the COVID Alert app on a daily basis for a 14-day period.

The TEK is generated by the user’s phone once a day and it is used to generate the random codes that are exchanged via Bluetooth and changed every five minutes. The TEK is uploaded to the server and is what other phones check to determine if there is a match to a positive case.

The COVID Alert app will prompt the user to upload their TEK each day for 13 days after the OTK is entered. The user must consent each time.
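The relationship between the daily key and the rotating random codes described above, as an added sketch that is not part of the original fact sheet and is not the app's own code. Assumptions: HMAC-SHA256 stands in for the key derivation and cipher of the Apple and Google specification, the five-minute rotation and 15-minute threshold are the figures given on this page, the codes a phone "heard" are taken to be already filtered by signal strength, and all names and keys are constructed.

```python
import hashlib
import hmac

ROTATION_MINUTES = 5                        # rotation period as stated on this page
CODES_PER_DAY = 24 * 60 // ROTATION_MINUTES
NOTIFY_OVER_MINUTES = 15                    # page: "more than 15 minutes"


def rolling_code(tek: bytes, interval: int) -> bytes:
    """Derive the 16-byte random code broadcast during one interval of the day.

    Assumption: HMAC-SHA256 stands in for the real key derivation and cipher.
    """
    msg = b"code" + interval.to_bytes(4, "little")
    return hmac.new(tek, msg, hashlib.sha256).digest()[:16]


def exposure_minutes(heard: set, published_teks: list) -> int:
    """Match on the phone: re-derive every code of each published daily key
    and count how many of them this phone heard nearby."""
    hits = 0
    for tek in published_teks:
        hits += sum(rolling_code(tek, i) in heard for i in range(CODES_PER_DAY))
    return hits * ROTATION_MINUTES


def should_notify(heard: set, published_teks: list) -> bool:
    """Apply the page's threshold to the matched time."""
    return exposure_minutes(heard, published_teks) > NOTIFY_OVER_MINUTES


# Constructed sample data (not real keys).
ALICE_TEK = bytes.fromhex("00112233445566778899aabbccddeeff")  # later reported positive
OTHER_TEK = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # unrelated positive user
# Bob was near Alice for four intervals, Carol for two.
BOB_HEARD = {rolling_code(ALICE_TEK, i) for i in range(100, 104)}
CAROL_HEARD = {rolling_code(ALICE_TEK, i) for i in range(200, 202)}

if __name__ == "__main__":
    for name, heard in (("Bob", BOB_HEARD), ("Carol", CAROL_HEARD)):
        print(name, exposure_minutes(heard, [ALICE_TEK, OTHER_TEK]),
              should_notify(heard, [ALICE_TEK, OTHER_TEK]))
```

The published daily key is the only value that leaves the reporting user's phone; the set of codes a phone heard is compared locally and is never uploaded.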

+

The COVID Alert app will inform the user of suggested next steps. Whether the user takes any of the suggested steps is entirely voluntary. The Government of Canada will not receive any health information about the user if these next steps are taken.

+

The COVID Alert app collects and stores on the user’s phone:

  • Random codes from the user’s phone, for 14 days.
  • Random codes from other phones nearby, for 14 days.

The random codes are only stored and used for the purpose of notifying users of possible COVID-19 exposure.

All random codes are deleted after 15 days.

IP addresses are also collected by the server. For additional information on this topic, see item 10 below.

Certain metrics are also collected from the COVID Alert app for the purpose of enhancing the Government of Canada’s ability to evaluate the effectiveness of the app. This information does not include personally identifiable information. For additional information on this, consult the section devoted to metrics in the Privacy Assessment.

+

The COVID Alert app does not collect personally identifiable information.

It does not use the phone’s GPS and has no way of knowing the user’s location, name, address, phone number, phone’s contacts or the health information of the user or anyone nearby.

+

Other than metrics-related information as noted in item 7 above, no other information is shared without the user’s explicit permission. When the user gives permission, the only information shared is the random codes from their phone. Only the app and its server will have access to the random codes.

+

As a security measure, the server stores the user’s IP address in system logs when the app does any of the following actions:

  • Download a list of positive codes
  • Enter a one-time key
  • Upload random codes.

The user’s IP address is not connected to any other information in the system, like one-time keys or random codes.

The data used to develop the app metrics are collected by creating event logs of user experiences and/or actions. Although these event logs are accompanied by the user’s IP address, the event logs and the IP address will not be linkable and will never be stored together.

These security protections are in place to prevent spammers from flooding the COVID Alert app system and the user’s phone with fake exposure notifications.

+

IP addresses are stored in system logs on the server. The system logs are kept for up to three months under normal conditions. If there is an investigation into suspicious activity, system logs are kept for up to two years to help the investigation.

System logs are closely protected. They can be used only for ensuring performance and responding to security threats.

If a malicious actor attempted to gain, or gained, access to the server where they are stored, the Government of Canada may need to share the relevant system logs, including IP addresses, with law enforcement, as required by law. They could use these logs to identify people who attack the system.

+

The COVID Alert app may be deleted at any time, and the random codes on the user’s phone will be automatically deleted after 15 days. Users themselves can also delete the exposure logs from their phone's settings.

If the user uploaded their random codes before deleting the app, they will be deleted from the server after 15 days.

Additional Resources

For general information on the COVID Alert app, see the dedicated webpage on the websites of the governments of Canada, Manitoba, New Brunswick, Newfoundland and Labrador, Nova Scotia, Ontario, Prince Edward Island, Québec and Saskatchewan. You can also read the COVID Alert Privacy Assessment and Google’s and Apple’s terms of service. For detailed technical information, see the Apple and Google Exposure Notification – Cryptography Specification.

Privacy Issues

+

Following in-depth discussions with the federal and Ontario governments and a thorough review of the COVID Alert app, the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of Ontario (IPC) endorsed use of the COVID Alert app.

See the joint news release and the OPC’s Privacy review for additional information.

+

The OPC concluded that the COVID Alert app has very strong privacy safeguards in place. This assessment is based in part on the following considerations:

  • Exceptionally strong encryption techniques protect all the data in use, in transit, and at rest.
  • The one-time code process relies on one of the strongest cryptographic hashing functions and supports an anti-spam mechanism to ensure that fake diagnosis keys are not accidentally or maliciously uploaded.
  • The Google and Apple cryptographic specifications in place to protect the data make it “computationally infeasible for an attacker to find a collision on a Rolling Proximity Identifier.” Owing to these safeguards, the risk that hackers can obtain users’ data is exceptionally low.
  • The Canadian Digital Service (CDS) has implemented appropriate measures to safeguard the data stored on its servers. Retention of IP addresses is limited and access to the IP addresses is also restricted to staff with a “need-to-know” role.

For additional information, see the COVID Alert app Privacy Assessment, the OPC’s Privacy review, Commissioner Therrien’s Letter to shadow ministers dated August 20, 2020 and the Apple and Google Exposure Notification – Cryptography Specification.

+

Experts generally agree that there is no such thing as zero risk of the re-identification of de-identified data. That said, the OPC concluded that exceptionally strong measures have been adopted to ensure that the identity of users is protected. For instance:

  • The COVID Alert app does not collect or disclose any personally identifiable information.
  • All the data in use and at rest is protected by exceptionally strong encryption techniques and cryptographic hashing functions.
  • The contact matching process takes place on the phone, with no personal data leaving the phone at any time.

The OPC acknowledged that the security features related to the IP addresses on the server present a risk of re-identification, because IP addresses can be used to identify individuals when combined with other information. Nevertheless, the OPC determined that the risk of re-identification is very low in light of the security and other safeguards adopted.

See also the OPC’s Privacy review.

Labour and Employment Issues

*Note: these answers may be subject to change in a union versus non-union environment.

+

There is a difference between “installation” and “use” of the COVID Alert app. Installation does not mean the app is turned on; the app could therefore be installed but not operational.

Use of the COVID Alert app involves activating the Bluetooth technology, which results in the desired tracking and alerts if exposure occurs, as well as alerting others if the user tests positive and enters the required code into the app.

The Federal, Provincial and Territorial Commissioners have stated that installation and use of the app should be voluntary and have cautioned employers against making the app mandatory.

In this context, an employer is unlikely to be able to require an employee to use the COVID Alert app outside of work hours.

However, some employers may require installation on work devices. For example, the Government of Ontario has pushed the app to all Government of Ontario devices. Activation of the app remains voluntary. If a Government of Ontario employee consents, they may activate the app and use it by entering the required code to notify others if they receive a positive test result.

The question of whether an employer can require employees to use the COVID Alert app in the workplace or in work hours is addressed further below.

A. Are there any circumstances where an employer could require an employee to install or use the app?

Employers are required to provide a safe workplace and are entitled to implement and enforce reasonable policies. Occupational health and safety obligations can override privacy rights in certain circumstances. Mandatory installation and use of the COVID Alert app in the workplace would require a fact-specific assessment and consideration of whether physical distancing or other safety measures can be maintained and are sufficient to protect employees and other third parties in the workplace.

For example, in large workplaces where it is difficult to maintain physical distancing, use of the COVID Alert app might be considered a reasonable occupational health and safety tool to protect workers, manage exposure and avoid a total shutdown of operations.

The employer would need to carefully balance all privacy and occupational health and safety issues, and consider, for example:

  • Whether the app is downloaded on a personal or employer device
  • Whether the app is engaged during working hours only
  • Any requirements to report to management and/or enter the required code relating to a positive test result
  • Any requirement to report to management if the employee receives notice of exposure on the app.

B. Does it make a difference if the device is employer or employee property?

This is one factor to consider. Installation and use of the COVID Alert app on an employer-owned device that is only activated while the employee is engaged in workplace activities could weigh in favour of an employer requirement to use the app.

+

The answer depends on the nature of the employer’s business, the reason the employer wishes to be notified and the effect of notification. For example, if an employee works from home and does not interact with the public or coworkers, a requirement to disclose would not be reasonable. Conversely, if an employee works in a setting where they interact with coworkers and/or the public, disclosure might be reasonable. The question would then move to “and now what?”, and employers should have policies on monitoring, testing and isolation, as well as protocols on how to alert workers who have come into close contact. Reliance on the COVID Alert app alone would likely be insufficient to manage the employer’s occupational health and safety responsibilities.

A. If the employer is aware that an employee received a notification from the app, does that put an onus on the employer to take any measures?

The employer is required to provide a safe workplace for all workers under occupational health and safety legislation. In addition, under the common law the employer is required to not knowingly expose members of the public to a dangerous situation. The employer would be required to consider whether the individual circumstances required the employee testing positive to be absent from the workplace for some time (e.g. a 14-day quarantine period) or whether appropriate measures such as physical distancing and mandatory masks with self-monitoring and reporting are sufficient to ensure the safety of all. The employer will need to have policies in place, including whether pay will continue during any period the employee is not permitted to be in the workplace due to notification from the app.

+

Assuming an employer can establish sufficient grounds for mandatory use of the app in the workplace, or mandatory notification to the employer of information received from the app, failure to follow employer policy could result in employment consequences. Available discipline will require a fact-specific assessment that is appropriate to either the union or non-union environment.

+

An employer will still be required to balance privacy and occupational health and safety considerations arising from use of a similar app.

The employer may be required to conduct more vetting of the app from a privacy perspective, as it will likely not have been vetted by relevant privacy commissioners. However, another app may permit the employer to tailor functionality to the specific requirements of the workplace.