Former COVID Alert app developer talks privacy, misconceptions and transparency


As the government is encouraging everyone to download the COVID Alert exposure notification app amid the second wave of COVID-19, some Canadians still have concerns about the app.

Stéphane Boisvert, a former principal developer with the Canadian Digital Service (CDS) who worked on the app, spoke to MobileSyrup to clear up several misconceptions about the app, explain exactly how it works and how it protects user privacy.

It’s important to note that Boisvert’s insights are his own, and do not reflect the views of the Canadian government or the CDS.


As some Canadians are still debating whether to download the app, something that many people may be unaware of is the fact that COVID Alert is open source and available on GitHub. Boisvert outlined that it was important for the development process of the app to be transparent.

“It’s open software that is created with public funds, therefore the public should have access to it,” Boisvert stated.

Boisvert outlined that it was important to ensure that Canadians have access to the code and are able to provide feedback on the app.

Addressing misconceptions and criticisms

Boisvert says a major misconception about exposure notification apps is the belief that they are only effective if the majority of a population uses them, but he says that this isn’t the case.

“At every level of usage, it has a big increase in the amount of people that can be saved. If you have the app, you can protect your family, your neighbours and people who are close to you,” he explained.

Further, Boisvert outlined that one of the most common criticisms of the app is that we don’t know how many people have received exposure notifications. For context, some countries like Ireland have released data on how many notifications have been sent by their exposure notification apps.

Boisvert notes that omitting this type of data had to be one of the tradeoffs in terms of ensuring privacy when developing the app.

In order to collect this type of data, the government would have had to gather more information about users. If this information had been collected, Boisvert notes that there would have been the potential for some data to leak, such as information about users’ IP addresses and locations.

Boisvert stated that the development team researched to determine Canadians’ main concerns with the app, and found that privacy was the most important factor.


The feedback revealed that Canadians didn’t want the app to track them, use GPS or indicate who was linked to exposure notifications. With privacy being the largest concern, there was no way to ensure complete security while also tracking the number of exposure notifications.

Additionally, Boisvert noted that there are several misconceptions about privacy and the app, especially when it comes to devices running Android 10 and below.

Since the permission for Bluetooth access is called “location services” in Android 10 and below, many people are led to falsely believe that the app uses GPS.

“It doesn’t use GPS, it doesn’t use anything except Bluetooth. Thankfully this has been fixed with Android 11, but in Android 10 it still says location services,” Boisvert explained.

Although it’s an understandable misconception, it’s one that may be causing some unnecessary confusion about the app’s privacy practices.

Further, it’s important to note that when users’ phones transfer data to the main server, it is not done in a way that sends information about you or your device. He notes that while a medical professional may know your name, this information isn’t sent to the server.

There is no way for the server to obtain that information even if it wanted to, mainly because Apple and Google’s exposure notification framework was built on a privacy-first model.

Additionally, Boisvert notes that another misconception about the app is its data usage and storage. He outlined that COVID Alert uses a very small amount of data.

The keys and codes that the app generates and collects usually amount to around 16KB, so things like GIFs and images are usually far bigger and use more data. Boisvert also notes that since the app uses Bluetooth Low Energy, battery usage is also quite low, which means that it shouldn’t drain users’ phones.

Boisvert outlined that if people are still concerned about battery usage, they can always just turn off Bluetooth when they’re at home.

An overview of how the app works

COVID Alert creates random codes so that no one will know your name or your location. It then uses Bluetooth to exchange the random codes with nearby phones.

Since there is some confusion about how COVID Alert works while also protecting Canadians’ data, Boisvert provided a walkthrough of a hypothetical scenario to explain how the app functions.

“First off, let’s say my phone is going to generate a daily key, and then from that key, it’s going to generate one-time rotating unique identifiers every 10 or 20 minutes. These numbers are really big and not humanly guessable,” he stated.

“Then let’s say you and I are at a coffee shop together and we both have the app. My phone is going to start repeating the same number for 10 to 20 minutes.”

In this scenario, his phone will generate one of the giant numbers and then my phone will capture that number and store it in the device.

“Let’s say we’re still in the same coffee shop and my phone will generate a new number and then your phone will also hear the number and store it along with the signal strength.”

He explained that in this instance, my phone wouldn’t know that the different numbers are coming from the same phone.

“The phone is going to keep track of all of these interactions. It can’t figure out which ones are linked and which ones are not,” Boisvert explained.

In the instance when someone tests positive for the virus, a healthcare professional will use the health care portal to generate a one-time key for that person. The portal is managed by provinces, which delegate access to healthcare professionals to generate keys.

“The server will create a key and it knows that it generated the key to someone it trusts, which could be the Ontario healthcare portal. It stores the key and knows that a trusted healthcare professional generated the key and then it is given to the person.”

When the individual who tested positive enters the key into their phone, the device will send a message to the server. The key then authenticates the device to the server and allows it to exchange codes with the server securely.

At no point can these codes be used to identify information about users, which relates to the trade-off between privacy and collecting data about the number of exposure notifications sent out, as discussed earlier.

He explained that your phone will then download and go through other codes provided by the server. No one knows if your phone had a match because that is all done on your phone, so the server has no idea who received an exposure notification. You and your device are essentially the only ones who know that you’ve encountered an exposure.
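The walkthrough above, as an added simulation that is not part of the article or of the COVID Alert code base: a simplified model of the daily key, the rotating identifiers derived from it, and the matching that runs only on the phone. The HMAC derivation, the 10-minute interval, the signal-strength threshold standing in for "within two metres" and the named phones are all assumptions; the real framework's derivation differs.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

INTERVAL_MIN = 10                         # identifiers rotate every 10 to 20 min; 10 assumed here
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MIN

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive the 16-byte rotating identifier for one interval from the daily key.
    Constructed derivation (truncated HMAC-SHA256); the real framework uses HKDF + AES,
    but the property is the same: without daily_key the outputs look unrelated."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

@dataclass
class Phone:
    daily_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    heard: list = field(default_factory=list)   # (identifier, rssi): no sender identity stored

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, identifier: bytes, rssi: int) -> None:
        self.heard.append((identifier, rssi))

    def check_exposure(self, published_keys, min_minutes=15, rssi_threshold=-70) -> bool:
        """Matching happens on the phone: re-derive every identifier each published
        key could have produced and count close-range observations. rssi_threshold is
        a constructed stand-in for the 'within two metres' rule."""
        for key in published_keys:
            ids = {rolling_id(key, i) for i in range(INTERVALS_PER_DAY)}
            close = sum(1 for ident, rssi in self.heard if ident in ids and rssi >= rssi_threshold)
            if close * INTERVAL_MIN >= min_minutes:
                return True
        return False

def simulate():
    """Constructed scenario: Alice and Bob share a coffee shop for 40 minutes; Carol
    passes by once at a distance. Alice later tests positive and, after entering her
    one-time key, her daily key is published. Only the phones can tell who matched."""
    alice, bob, carol = Phone(), Phone(), Phone()
    for interval in range(50, 54):                       # four 10-minute intervals
        bob.hear(alice.broadcast(interval), rssi=-60)    # close, strong signal
    carol.hear(alice.broadcast(52), rssi=-85)            # one weak observation
    published = [alice.daily_key]                        # what the server distributes
    # The server only ever holds published keys; the heard lists never leave the phones.
    return bob.check_exposure(published), carol.check_exposure(published)
```

Bob's phone reports an exposure and Carol's does not, and nothing in either phone's stored observations names Alice or links her identifiers to each other until her daily key is published.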

Early developmental tweaks

Earlier this year, the Canadian Digital Service released a beta version of the app, during which users were asked to provide feedback about the app.

Boisvert notes that the first version of the app featured an indicator on the main screen that would read something along the lines of: “last checked one hour ago,” which was meant to show that this was the last time the app downloaded keys from the server.

However, there was some confusion because users thought that this indicator meant that the app hadn’t checked for exposures since an hour ago, which wasn’t the case. In response to the feedback, the development team tweaked this to avoid confusion.


Further, Boisvert outlined that the development team made other tweaks to the app based on user feedback to enhance things like usability and accessibility.

“The app is very accessible, but it took a lot of work to do that. There was a lot of testing and user testing to ensure that the app was working properly. It’s much easier on iPhones, but with Android, there’s a variety of devices and it’s challenging to ensure that it works on everything.”

For instance, the team had to ensure that users only got an exposure notification if they had spent more than 15 minutes within two metres of another user who later tested positive, which are the parameters set out by Health Canada.

With COVID-19 cases increasing across the country, Canadians are being encouraged to use this free and easy-to-use tool to help curb the spread of the virus.

The app has recently been updated to send more precise notifications. There’s also a new option for people who’ve tested positive for the virus to share symptoms or testing dates in order to narrow down who receives a notification.

COVID Alert is currently fully functional in Saskatchewan, Manitoba, Ontario, Quebec, New Brunswick, Newfoundland and Labrador, and Prince Edward Island. The app can be downloaded everywhere, but other regions don’t provide one-time verification keys with positive tests, which are integral to how COVID Alert operates.

You can download COVID Alert from the Apple App Store and the Google Play Store.