The weekend after its launch, the ABTraceTogether app has been downloaded more than 100,000 times.
“The better we get at testing and tracing — and the app is an integral part of that — the less social distancing we need to do,” said Dr. Jia Hu, a medical officer of health for Alberta Health Services.
Using Bluetooth, the app builds a record of other app-enabled smartphones it’s been in close contact with (within two metres for a cumulative 15 minutes). The encrypted information is held on the phone for 21 days. If a user tests positive, they can consent to uploading that record to AHS for human contact tracers to reach out to other users with phone numbers the users registered the app with.
But, the iOS version of the app only works when the phone is on, screen unlocked, and the app is running in the foreground.
“Right now, on iOS, you need to have the app in the foreground,” said Hu. “You don’t need that for Android phones. You have have it on in the background.
“We recognize this is a major issue.”
“Even I was a victim of that at first,” said data forensics consultant Mike Williamson, who is testing out the iOS version himself. “I skimmed through the the first few screens.
“It wasn’t until later when I was looking into the white paper that I realized you needed to keep the app unlocked all the time with your screen activated.
“Frankly, it doesn’t make it very usable.
“But I also recognize that that’s not a failing of the developer of this application. That’s because Apple is very serious about privacy and security, and they have designed iOS in such a way that doing something like that is not easy to accomplish.”
Quinn Mah, executive director of Alberta Health Information Management, recognized this flaw could affect how many iPhone users in the province would download and use the app.
“We’ve provided feedback to Apple that we’d like this to be fixed as soon as possible. They published some new APIs, which is called application programming interfaces.
“They’ll be updating their iOS in mid May,” Hu said, “at which point we’ll update the app so that doesn’t need to be the case because you’re right, leaving the app on in the foreground is not conducive to uptake.”
The app is based on an open-source software protocol from Singapore called BlueTrace.
The open-source nature of the app is a big positive for Williamson.
“The nice thing about that is it’s open source, which means that as developers, as security researchers, we can actually go in and evaluate the inner workings of that code and decide whether or not it’s going to live up to its goals and objectives, in terms of consumer privacy,” he told Global News.
“That’s a that’s a big check mark, in my view.”
Concerns about the app tracking your location were relieved when Williamson looked closer at the data the app collected.
“There was no sign of things like location information. The app itself will never ask you for access to your location. So, again, check mark there.”
ABTraceTogether uses Bluetooth, not GPS.
Williamson wrote about his findings testing the iOS version of the app on his blog. He plans to test the Android version soon.
One concern for the former Calgary Police Service officer was where the data COVID-positive users submit — including anonymous Bluetooth connections and user phone numbers — is being stored.
“I mentioned on my blog post the only area that that really needs to be really well protected is the server side,” Williamson said. “And that’s outside of the scope of what I was doing.”
Williamson noted there are well-known, reputable vendors to provide secure servers that Alberta Health and AHS could use, like Google, Amazon Web Services and Microsoft’s Azure.
Alberta Health confirmed to Global News that IBM servers in Canada are being used to store the data submitted from the app.
“We’ve performed cyber security testing on the solution — that’s part of ensuring the information is safe,” Mah said.
“Also, as part of the Health Information Act compliance, Alberta Health and Alberta Health Services are mandated legislatively to securely have custody and control of that information.”
The ABTraceTogether privacy statement says information is held in compliance with the Health Information Act and Freedom of Information and Protection of Privacy Act.
The privacy commissioner said Alberta Health “has chosen a less intrusive approach in deploying this app” as part of its response to the COVID-19 pandemic. The OIPC is also conducting a privacy impact assessment on the contact-tracing app.
The app was developed by Deloitte for a contract worth $625,000 — a matter of concern for public policy think tank Alberta Institute.
Alberta Health said the services Deloitte provided included modifying the Singapore app to integrate with Alberta’s secure infrastructure rather than a public cloud (to meet security and privacy obligations under the Health Information Act), building the website used by AHS contact tracers to access and view contact logs, and integrating the contact tracing app/website with AHS’ contact tracing workflow.
Deloitte also made communications and training materials for the app, re-branded it for Alberta, helped develop the privacy impact assessment, supported all testing cycles and developed analytics for the solution.
AHS stresses the app provides huge value.
“The return on investment with the app — with the number of cases prevented, the number of deaths prevented and the return to society, the economy boost — is incredible,” Hu said.
“As more and more bits of society reopen, you’re going to have more interactions with people that you don’t know and that’s where the app is going to be really important. It’s one of the critical elements — that and testing.”
The cost didn’t concern Williamson either.
“This isn’t something you want to cheap out on. You want to hire reputable developers. You want to have agreements in place with them for supporting the app in the long term.
“You don’t want to hire somebody for two weeks to get the app out the door and then be left wondering how to run it.”
And Chris Nowell, director at Three Shield Information Security, also reviewed the app, finding it is doing “all the right things” an app like this should.
“They collect as little information as possible. They don’t share it. They require affirmative consent. That means it doesn’t send information right away. You actually have to go — after they call you to say: ‘You’re infected. Do you want to send the information to us?’ You have to click the button to do it.”
Nowell says the minimal amount of information being stored by AHS is reassuring.
Both Nowell and Williamson said they have already installed ABTraceTogether on their smartphones.
“After everything I’ve seen from inside the app, from the white papers on the app and so on and so forth, I didn’t find anything at all that that caused me to have concerns,” Williamson said.
“If I’m going out to the grocery store — I’m not crazy about leaving my phone screen on unlocked — but I wouldn’t have a problem doing it because I think it’s for the right reasons.”
— With files from Global News’ Lisa MacGregor and Emily Mertz