May 22, 2020

Canadian privacy and cybersecurity leaders call for independent technical reviews of COVID-19 contact tracing apps

Researchers sign on to national statement outlining security and privacy best practices
NCC, which includes UCalgary researchers, signs on to national statement on COVID-19 tracing apps.

Researchers from 32 universities across Canada, including the Faculty of Science, and with the support of the National Cybersecurity Consortium (NCC), are calling on Canadian governments to require rigorous reviews of any COVID-19 contact tracing apps before they are deployed.

The NCC, led by researchers at the University of Calgary, the University of Waterloo, Ryerson University, the University of New Brunswick, and Concordia University, has today issued a statement setting out the best practices that it encourages Canadian governments to follow, in order to ensure that Canadians’ online privacy is protected as COVID-19 contact tracing apps are developed and implemented.

The statement, which represents the consensus views of nearly 100 experts in privacy and security across Canada, emphasizes that any deployed contact tracing app must meet certain privacy standards, and must be approved by cybersecurity experts following independent reviews.

“We strongly support the value of contact tracing and its central importance in safely allowing Canada to return to normal as quickly as possible, but it must be done in such a way that our civil liberties and rights are not impacted in either the short- or long-term,” says Dr. Ken Barker, PhD, professor in the Department of Computer Science and director of the University of Calgary’s Institute for Security, Privacy, and Information Assurance (ISPIA). “The need to develop and deploy digitally supported contact tracing will only be widely adopted by Canadians if they are assured that these rights are protected, and the use of contact data is used exclusively for this purpose.”

The statement highlights principles that governments should follow when developing and implementing contact tracing apps. The principles include independent expert reviews, minimization of data collected, simple designs, robust security, a sunset provision for the apps, and proper disclosure and consent.

“Canadians should have a right to privacy in the online world. It’s an issue that should be talked about and debated publicly, even in the face of this pandemic, so that we ensure this right is protected,” says Dr. Florian Kerschbaum, PhD, director of Waterloo’s Cybersecurity and Privacy Institute. “Data protection and cybersecurity can be challenging at the best of times; ensuring governments in Canada agree on and follow best practices will be crucial to protecting Canadians during this crisis and in a post-pandemic world.”

The NCC is a national not-for-profit corporation, established by leading Canadian post-secondary institutions, with a mandate to advance cybersecurity research, innovation and talent development in Canada.