COVID Alert App — Part 8, Ontario and Accountability, and Alternative Public Health Tech Approaches
Part of the State Capacity Story
I am still working out a proper system map for how the COVID Alert app workflow goes. I am getting a lot of runaround in terms of finding out who at the province of Ontario is in charge of the provincial parts of the equation. One good update on that front, however, is below. And when I say workflow, I mean the human parts of the operations that support the software. The focus for this part of the mapping ties back to one of the clear weak points in this experiment: the one-time codes that were distributed to people upon receiving a positive PCR test from an Ontario testing facility.
Before diving into this part of the story a bit more, wanted to share two observations that are part of the post-mortem frame that we’re slowly putting together.
Post-Mortem to Understand Alternative Tech Investments
One, no matter how many specific points of failure we find by reviewing the history of the operations of COVID Alert, we need to table and discuss the idea that these types of apps — the types that hinge on individual users and cell phones — do not represent technology writ large. They do not represent health tech or public tech writ large. These types of apps are a specific kind of technology that we need to hive off and approach and consider differently in the future. This is part of the digital literacy element of all digital rights conversations we need to have, and the government is well situated to support on this despite them not doing so for a long time now.
I have had several conversations about the COVID Alert app over the last two months that helped me realize how to be more specific in defining the types of tech we may want to use in future to support our public health and other social aims. The process we can use can be considered civic and public product management, if that’s helpful. We the publics define the requirements — this is product management language — for the tech we want. This also means that we can define the things we do not want, such as apps that are on our phones, apps that follow the model of COVID Alert, ArriveCan (border and travel app). etc.
This would mean that we can advocate, via public and civic product management, for technology that supports the following kinds of activity, to: locate vaccine availability and support equitable distribution, track and support PPE access and distribution, address online mis and dis information, monitor indoor air quality, help organize mutual aid and childcare and outdoor school activities, provide early warning of pandemics. This list could go on for a long time. What you’ll note here is that these are not technology interventions tied tightly to the kind of apps that COVID Alert and ArriveCan represent. There are nuances here to be sure, not all apps are bad, but the general model and frame needs to be shifted and it needs to be much more expansive.
I say this as a bit of an interlude on these posts which continue to dig into where things went wrong with COVID Alert because COVID Alert is not the type of tech we want in future, regardless of how we could tighten up its supporting operations. This does not mean that looking at the operations situation is a waste of time, because as we’ll see, some of the major issues with COVID Alert had nothing to do with the technology.
If the Government Won’t Pull Broken Apps Then It Can’t Launch Them
I’ve had several people share with me that the political optics of pulling an app down would be understood as failure and so there is no way the governments would ever do it. I understand this. I don’t agree that government is unable to learn that the process of pulling something and sharing lessons learned is a trust building exercise. I realize this is not the culture we exist in today and that this shift has not happened yet but it feels both possible and necessary should governments want to continue to develop technology. It’s part of any technology life-cycle.
However, there is something important to note here. Before this app launched, there were likely a lot of public service professionals and experts (not tech, bureaucracy) that probably could have shared this problem and talked about how to elevate it at the front. If governments won’t culturally take the COVID Alert app down despite it being a) broken and b) a source of misinformation, then there is no way they should have been allowed to launch it. How we deal with this at the front end of a process in future needs a lot more attention, and different voices.
Ontario Accountability Update
For today, here is the reply in full from the Information and Privacy Commissioner of Ontario in response to my questions about who was in charge of the one-time key process. Here was my email to them:
Hello there,
I’m trying to understand more about the COVID Alert app’s efficacy. In doing some reading, I found your assessment and endorsement of the app here:
https://www.ipc.on.ca/covid-alert-and-your-privacy/
Could you kindly share with me the information you used to make an assessment of the Lab Results Viewer? As I understand it, this was the province of Ontario’s web-based mode of distribution for the one-time keys that people with a positive diagnosis would upload into the app. I might have this wrong, but hopefully you understand the general line of my inquiry. I’m interested in understanding your assessment of the provincial process for the provision and use of the one-time keys.
Happy to discuss if helpful.
Their email back is below, in full. One part of the answer, provided indirectly, points us again to the need to get access to the Memorandum of Understanding (MoU) between the federal and provincial government. It also points us to the Assistant Deputy Minister, Digital at the Ontario Digital Service. I am going to follow up there this week. They, the Information and Privacy Commissioner of Ontario, did not, however, answer my question about the provincial Lab Results Viewer, in specific. I will also follow up with them on that part.
______________________________________________________________
Dear Ms. Wylie,
Thank you for your inquiry about the COVID Alert app.
As you know, COVID Alert is supported by a federally-developed infrastructure, but some aspects of the COVID Alert initiative are particular to the province or territory in which it is used. For example, in Ontario, these province-specific aspects include how a user receives the validation code (i.e., the “one-time key”) that they may enter into the app in the case of a positive COVID-19 diagnosis.
The Government of Canada’s “Download COVID Alert today” webpage states that the one-time key process for Ontario is:
If you test positive for COVID-19, you can get a one-time key directly from the eHealthOntario test results website. You may also call your local public health authority.
The news release from the Office of the Information and Privacy Commissioner (IPC) about COVID Alert upon its launch in Ontario on July 31, 2020, is available here. This news release links to a more detailed document: our letter, addressed to the Ontario Digital Service, containing our recommendations regarding COVID Alert.
Our review of COVID Alert was informed by a number of key documents, including the provincial privacy impact assessment (PIA) [version 1.06 dated July 24, 2020] and the final Memorandum of Understanding (MOU) between the federal and Ontario governments, signed and executed July 30, 2020. Based on this information provided, we made a number of recommendations in our letter. For example, we recommended that the Government of Ontario:
Commit to keeping the IPC informed of any changes to COVID Alert, or any provincial or federal systems that support COVID Alert, that deviate from its currently intended purpose, or may otherwise impact the privacy of individuals or the security of the app as originally described to us in the PIA [version 1.06] dated July 24, 2020.
Our letter also noted that the MOU included provisions that
explicitly set out the safeguards that must be put in place to protect the privacy of individuals and the security of personal health information contained in any provincial system that interacts with COVID Alert and/or the federal infrastructure that supports COVID Alert
and
require that the following information about the COVID Alert app be made available to the public: a general description of any provincial system that will interact with COVID Alert and/or the federal servers that support COVID Alert; a general description of the safeguards in place to protect the privacy of individuals with respect to any information exchanged between any provincial system and COVID Alert and/or the federal infrastructure that supports COVID Alert …
Our letter also mentioned that the MOU contains provisions that require the federal government to decommission COVID Alert and delete the data collected through COVID Alert once the pandemic is officially declared to be over by the Chief Public Health Officer of Canada. In our letter, we recommended:
Should the prevailing scientific evidence indicate that the COVID Alert app is not, or is no longer, effective in achieving its intended purpose, ensure that the COVID Alert app is decommissioned and that all data collected through the app is deleted accordingly.
Other sources that may be of interest include:
- The Office of the Privacy Commissioner of Canada’s Privacy review of the COVID Alert exposure notification application (July 31, 2020)
- The Government of Canada’s COVID Alert: COVID-19 Exposure Notification Application Privacy Assessment (February 2021)
I hope that this information is helpful to you.
Regards,
