Halifax’s decision to roll out a new alert system is prompting questions from at least one privacy advocate.
David Fraser, a lawyer specializing in privacy issues with law firm McInnes Cooper in Halifax, N.S., says he is concerned about how the Halifax Regional Municipality (HRM) has reviewed the system’s accompanying app.
“I have questions about the sort of diligence that the HRM might have done — that I don’t know whether they did — particularly in connection with this app.”
READ MORE: N.S. beefs up information and privacy office with new executive role
The municipality introduced the hfxALERT system to the public last week. It will serve as the “new mass notification system for the municipality” with the goal of keeping residents informed about emergencies.
The system will provide text, automated voice messages or email notifications for police operations, emergency situations and municipal parking ban notices.
Residents can sign up for the service through the municipality’s website, but the HRM has also rolled out an accompanying third-party app from the U.S.-based company Everbridge.
The Everbridge app is used around the world by 9,000 public safety agencies, and the HRM says the app will be used to send location-specific notifications.
“This way, users of the mobile app will receive alerts to their device (e.g. smartphone) whenever they are in an area of the municipality that is being specifically targeted by the notification,” said the HRM in a press release touting the new system.
Security concerns raised
But Fraser says the app may not be as beneficial as advertised.
“I would always question pretty significantly before I put an app on my phone at the behest of governments and law enforcement,” he said.
The app asks for permission to access your phone’s location and contacts to send invites.
Maggie-Jane Spray, a spokesperson for the HRM, stressed that residents are not required to download the app in order to use the hfxALERT system and that the municipality recommends signing up through the web-based system instead.
But residents can be prompted to download the app when signing up by mobile phone.
“If a resident is using a smartphone or other mobile device when they are registering through the website, it will ask if they want to register in the app. Residents can click cancel to continue to register in the web solution,” said Spray.
App not part of privacy assessment
Spray said the municipality created a privacy impact statement — which is used to assess whether the app complies with the minimum legal requirements and best practices — on the email and text system that can be accessed through the web-based system.
Since the app is not required to use the service, Spray said it was not included in the municipality’s privacy impact statement.
But the municipality has also rolled out a video explaining how to use the app, encouraging users to sign in using “hrm” as both their first and last name.
Spray says this was done to “mitigate the risk” of providing unnecessary information and that if residents enter their actual name when signing up through the app, staff will “periodically” review and alter the data to protect the anonymity of citizens.
Another concern raised by Fraser is that the app’s privacy policy could be interpreted as allowing Everbridge to share data with law enforcement agencies without the need for a warrant.
“If this app tracks your location and it also has your phone number, it probably also has your name because of your home address and things like that. That is the sort of information that is of interest to law enforcement,” Fraser said.
Spray did not directly respond to a question about the concern, instead stating that residents aren’t required to download a third-party app.
Jim Gatta, a spokesperson for Everbridge said it would only “disclose a subscriber’s personal information if required by law or in compliance with a lawful request.”
“This might consist of a warrant, court order, subpoena, regulatory order, or similar legal requirements. Everbridge would not provide personal information of any subscriber to authorities without a lawful basis to do so, as stated in our privacy policy.”
READ MORE: No action taken to improve cybersecurity after N.S. government data breach — MLAs
Fraser said that at the end of the day, it’s a matter of convenience and weighing the benefits of providing information to companies without reading the fine print.
For anyone concerned with the privacy of the system, Fraser recommends signing up for the service through the website.
As of Thursday, the HRM has added a disclaimer to its hfxALERT website, stating: “The municipality’s current service provider, Everbridge, offers users a mobile app. You are not required to download the app to receive hfxALERT notifications.”