A recent glitch in the controversial ArriveCAN app that sent fully vaccinated travellers erroneous messages saying they needed to quarantine affected more than 10,000 people, according to the Canada Border Services Agency (CBSA).
The extent of the glitch, which was revealed in a statement sent to Global News by the CBSA, represents 0.7 per cent of the typical number of cross-border travellers each week.
Global News has also learned it took the government 12 days to notify travellers of the error.
This is troubling to some data and privacy experts who say the app may be violating the Charter of Rights and Freedoms, which protects the right to move freely.
There’s also a debate among experts about whether ordering people to remain in their homes for two weeks without justification is a form of unlawful detention.
“It creates direct harm for people who are receiving this incorrect notification and following it,” said Matt Malone, a law professor at Thompson River University in Kamloops, B.C., who specializes in trade secrets and confidential information.
“The government hasn’t provided sufficient transparency about why that happened. And there needs to be better accountability practices in place to make sure it doesn’t happen again.”
ArriveCAN was originally launched in April 2020 as a voluntary tool meant to assist border guards in determining if people were eligible to enter Canada and whether they met strict COVID-19 requirements.
It was made mandatory for all air travellers seven months later. In March 2021, it was expanded to anyone crossing the border by land.
The app collects personal data, such as name, telephone number, address, and vaccination status, which is then used to help public health officials enforce the government’s quarantine rules.
But the recent glitch, which the CBSA says it identified on July 14 and fixed six days later, meant the app autonomously emailed thousands of fully vaccinated travellers who hadn’t tested positive for COVID-19 and told them they needed to quarantine.
The messages also raise concerns that the government doesn’t have a handle on the app’s automated decision-making functions, which in theory are meant only to determine if information uploaded to the app is accurate.
“I think it’s very troubling and I think it raises some important questions about government use of AI,” said Teresa Scassa, Canadian research chair in information law and policy at the University of Ottawa.
“This is one of their flagship tools and there doesn’t seem to be any transparency or clear governance.”
Impact of the app
The government says ArriveCAN is the fastest and most efficient way to screen people crossing the border to make sure they’re vaccinated against COVID-19 and to monitor the spread of new variants.
It also said it’s important that travellers understand that CBSA and public health officials are responsible for determining if someone needs to quarantine — not the app.
But travellers who received the erroneous quarantine order have told Global News there was no way to contact the government to correct the mistake. Efforts to do so, they say, have been met with automated messages or agents who couldn’t discuss the issue specifically.
Scassa said an early review of ArriveCAN completed by the government during the “implementation” phase of the app was supposed to identify and help mitigate potential risks to the rights and freedoms of Canadians.
But the review — known as an Algorithmic Impact Assessment (AIA) — isn’t clear about how the app is supposed to work or the scope of its automated decision-making authority, Scassa said.
A section of the review that’s supposed to indicate whether ArriveCAN has the authority to make decisions on its own, without the assistance of a human, says decisions “may be rendered without direct human involvement.”
Scassa said this doesn’t add up with another section of the review that says the app will “only” be used to assist human decision-makers.
Either the app does or doesn’t make decisions on its own, Scassa said. Both of these statements can’t be true.
“That’s not supposed to be how automated decision-making works,” she said.
There’s no way to know for sure how many people obeyed the erroneous quarantine orders sent because of the glitch.
A software update for ArriveCAN released on June 28 introduced the glitch, according to the CBSA. Prior to this update, some individual travellers experienced isolated problems with the app, the CBSA said, but no widespread issues were reported.
The CBSA also said it compiled a list of travellers affected by the glitch and shared these details with the Public Health Agency of Canada (PHAC), which is responsible for contacting people after they cross the border.
PHAC said it received the list from the CBSA on July 25, but added that it only contained the email address and unique identifying number created by the app for each traveller.
The agency said it emailed these travellers on July 26 — 12 days after the glitch was first identified — to inform them that they or someone in their group of travellers received the order in error and that they didn’t need to quarantine.
Data and privacy experts also have broader concerns about ArriveCAN.
The technology behind the app is considered a “trade secret,” according to the app’s AIA.
This means any attempt to obtain information about how the software works will likely result in a government rejection because these details are often considered confidential, third-party information under federal privacy and access to information legislation.
The companies that developed the app for the government have also cited non-disclosure agreements and “secret” classification of their work as reasons why they can’t release details.
Malone, the data and privacy law expert, said the absence of publicly available information about ArriveCAN’s software is deeply concerning, especially in light of the recent glitch.
He also said it’s concerning that the government would define this kind of technology as a trade secret, given the potential impact of ArriveCAN on the lives of Canadians.
“It exposes fundamental problems we have with seeking redress under existing privacy and data protection laws,” he said.
Carissima Mathen, a constitutional expert and law professor at the University of Ottawa, said she’s not sure whether the recent ArriveCAN glitch rises to the level of a constitutional breach.
That’s because it appears to have been relatively short-lived and because the government made efforts to fix the problem. She said the government also hasn’t tried to justify the mistake and isn’t trying to enforce the erroneous quarantine orders.
Still, she said, any decision made in error that impacts a person’s fundamental rights is concerning. This is true whether the decision is made by a human, such as a border guard, or an autonomous machine acting on behalf of the government.
“It’s an error. So, by definition, it’s not a justified infringement of your liberty,” Mathen said.