As the second wave of COVID-19 seems to have arrived in many countries, the importance of measures such as social distancing, masks, testing, and tracing takes on increased importance. In Canada, the COVID Alert App is another important part of that toolkit. The app has been downloaded more than 4.5 million times and has been used to alert users to a potential exposure to the virus nearly 1,700 times. Despite the potential benefits, there remain many skeptics. Ann Cavoukian, a three-time Ontario privacy commissioner and one of Canada’s best known privacy experts, joins the LawBytes podcast this week to talk about the exposure notification and how it addresses potential privacy concerns.
The podcast can be downloaded here and is embedded below. Subscribe to the podcast via Apple Podcast, Google Play, Spotify or the RSS feed. Updates on the podcast on Twitter at @Lawbytespod.
CityTV News, Why Aren’t Canadians Downloading the COVID Alert App?
I am following up on my comment Oct 10 and the subsequent verification reply by Ziad Fazel on Oct 12 (see Four Million Downloads and Counting: Everyone Should Install the COVID Alert App).
I have now listened carefully to both Ann Covoukian’s interview and the earlier one with the Ontario privacy commissioner, Patricia Kosseim. Neither was asked about nor offered any information related to the apparently significant privacy weakness I am asking about. You are in a position to get real answers and changes.
In everything I have read or heard, it is non-technical authorities, including politicians, lawyers, privacy commissioners, and even Ann Cavoukian (who I respect greatly), all of their explicit privacy explanations can be true but their conclusion and assertions still be wrong.
They can be wrong because they are overlooking the the fact that on Android phones using version 10 or lower of the operating system –fully half the devices in Canada– Goggle Location Services (GLS) must be permitted and must be enabled in order for Covid Alert to function.
GLS is incredibly privacy invasive and is aggressively used by Google, 3rd party apps, and mobile advertising frameworks. GLS provides fine-grained, real-time , continuous location using GPS and geolocated WiFi triangulation. GLS is also apparently how the Covid Alert App accesses Google’s Bluetooth functionality. If GLS is running, the user has no geolocation privacy whatsoever — even if the Covid Alert app itself does not exploit this private data.
As reported by commenter Ziad Fazel, while Android version 11 allows the Covid Alert app to run and function without GLS. This is fine and within the next few months Google’s recent model Pixel phones will have Android 11. However currently NO 3rd party Android phones have Android 11 and the vast majority of these will NEVER get Android 11. Therefore users of these phones will never be privacy protected if they use Covid Alert.
I want to stress I am not an ideological “skeptic” and I want to use the Covid Alert app.
Can you please interview a technical expert on Android security that can authoritatively and verifiably explain if GLS on Android versions 10 and lower, when enabled for the Covid Alert app, does not expose or risk exposing any geolocation data about the device? I hope it doesn’t but am willing to bet it does.
Our name, 3A IP https://3aip.com/ is inspired from a book written by “Eric Ries”, wherein, the 3A’s are Actionable, Accessible and Auditable. We further analyzed/understood these critical ingredients to prepare/structure an intelligence report for making business decisions. We take the responsibility for preparing an utmost quality work reports where technical intelligence is captured and served in the form of user-friendly reports to support critical business decisions.