Creating an ArriveCAN Incident Report Pt.I — Public Tech, Accountability, Operations Capacity

Bianca Wylie
12 min readJul 31, 2022

The glitch and related processes must be investigated

The is the fifth post in a series about ArriveCAN. As always, if you read this and have additional information to share, can see things I’ve missed/got wrong, etc. please get in touch.

For those of you that like ArriveCAN, think it’s fine, don’t think it’s a big deal, etc. this post is written with you in mind. This app should be voluntary. If the app was voluntary, the recent glitch that sent erroneous quarantine notices to an unknown number of users is troublesome. That’s one reason to pay attention. In this post I’m going to talk a bit about they we need a public report about what happened. In the next post I’ll talk about what should go in that report.

Before getting into it, I received great critical feedback in the last week — one person said the ArriveCAN web app worked fine, if you don’t need a smartphone what’s the problem? great question, more below. Another person said it seemed silly for me to be paying attention to this when the health care system writ large is imploding. There is a start of that connection to that topic here — in terms of understanding efforts to automate and digitize existing systems and under-funding/badly organizing what we’ve got already. This response made me consider the constant need to better connect digital rights issues to bigger trends and themes.

I plead for people to tell me where I’m wrong or to point out mistakes or weaknesses in arguments. I’ll continue that now. It’s the best. If you’ve been quiet on this one because I’m missing something I really want to hear it. I keep humility close in this work , we all should. In this case there are a set of things that are new to me, including emergency powers, the Quarantine Act, and a whole lot of what is black boxed in government that we can’t see.

Also, to say it again: this work is all driven by an ideological position, not a right or wrong. I don’t want to fully automate government services. I want to invest in choice. I want there to be people employed by government to help us access our services. I want us as people to be guiding and directing the design of public services that are created with our money.

Incidentally, the updated price tag for ArriveCAN, is approx $46,000,000 CAD, with completion targeted for Sept 2023.

The above is from a recent privy council report. If you’d like the full report please contact me, it’s a public document.

Incident Report — What is it and Why do We Need One for ArriveCAN?

Any software we create is expected to have multiple issues in the course of its life-cycle. With public technology, we have to expect this, and the government has to expect this, both politically and within technical operations. Errors, issues, and bugs are standard fare. It’s how you plan for them and how you manage them that matters. And in the case of a technology that is provided as a public service, such as ArriveCAN, the integrity with which errors are managed matters a lot. In many ways, current political culture within canadian government — the instinct to minimize, to be quiet and hope things blow over — is at direct odds with the culture needed to be a trustworthy technology steward.

Also: if you’re new to the term “bug” this piece in Interesting Engineering, based on a skim of a read, looks good. If you get far enough into it you’ll find the story of a moth that got into a computer system. I do not claim to know about the veracity of this piece of history so if anyone has corrections or better pieces please pass them along. As the piece rightly notes, no technical system, no matter how intensely tested, will ever work perfectly and as expected. This is why *how* a government manages a problem with its technology matters. It has be part of their planning and operational and communications capacity.

As was recently reported by the CBC on July 22, 2022:

“The Canada Border Services Agency (CBSA) “has identified a technical glitch with the app that … can produce an erroneous notification instructing people to quarantine,” Audrey Champoux, press secretary to Public Safety Minister Marco Mendicino, said in an email.”

“The government’s admission was in response to a CBC News inquiry pointing out that there are dozens of complaints on social media from travellers who say they entered Canada with no issues and then later received a surprise alert about a mandatory quarantine.”

What We (Likely) Know About What Happened

One of my big shortfalls with trying to figure out what is going on with this glitch is that I’ve never used ArriveCAN in real world terms. So I’m still trying to get my head around how the process works based on anecdotes from users, media stories, what’s officially published by the govt, paperwork, and the rest of it.

The major thing that struck me when I read about the glitch was that however this system had been designed, it sounds like notifications were a feature. That the government, in the design of the app, had intended to use the app to communicate with travellers about how to adhere to the Quarantine Act. I don’t know this for sure, so again please bear with me here. I have submitted an Access to Information Request to try to access the technical requirements written by the government for the app. These requirements are what they would have shared with the firms they contracted to get the app built. We’ll see how that goes.

We need to keep returning to the Quarantine Act because that was and is the rationale being used for ArriveCAN. The Quarantine Act —2005 — “An Act to prevent the introduction and spread of communicable diseases”. The government doesn’t talk about the Act directly often, but it talk about the app in the context of public health, and given what the app does, this is the legal connection we need to study. It is critical to understand that we never had to have this app — the government could have collected the data it needed under the Quarantine Act in a number of different ways. So when they make it seem like we need to have this app for public health purposes, they seem to be banking on the fact that we don’t really know what the Quarantine Act says or means.

The Office of the Federal Privacy Commissioner and their Quiet

The first time I tripped over the Quarantine Act was when I was trying to figure out where the privacy commissioner stood on the mandatory use of ArriveCAN. The Quarantine Act is referenced in the office’s “Letter to shadow ministers” of August 2020. See the section that falls under the header: ArriveCAN Application.

The privacy commissioner basically says nothing about mandatory use of the app. Which surprised me, because earlier in the same year, the office wrote that tech used during the pandemic for public health purposes should be voluntary to support proper consent and building of trust.

What they do talk about it in that letter to shadow ministers falls more into their standard remit of data collection and retention and use. They were asked by the ministers about the ArriveCAN privacy notice, to which they first say the use of data collected via ArriveCAN seems fine to them in the context of government powers as defined by the Quarantine Act and emergency orders.

They then go on to say more about the ways the Quarantine Act, the Privacy Act, and consent/use intersect and how they don’t know enough about what the government is doing with the data collected to say more.

This was in 2020. It’s the same kind of statement I received recently when asking what the privacy commissioner’s office thinks of mandatory use of ArriveCAN. They said they’re investigating a complaint about the app so they can’t say anything.

This mode of oversight needs redundancy. I don’t know what the current ArriveCAN complaint is about, it may not even be sound, but the privacy commissioner being out of public words on the situation entirely because of it is a problem. They should be all over this glitch. And so far, nothing.

Trying To Keep the Story Focused on Mandatory Use, Equity, and Rights

It is fundamental that we understand the context and narrative and legal constructs in which and through this ArriveCAN app was both created and is currently being used. And part of that is understanding what emergency powers mean, what they allow, and how much they demand us to increase our efforts for government accountability.

I have long struggled with how to constructively use the notion of privacy to be helpful in the broader work on and towards digital rights. My background is not in privacy. I’m not a privacy law expert or even intermediate. My concerns with our use of technology in society lives in the realm of democracy and privatization. Privacy lives in this structure, but it is not the lens nor frame I approach issues from primarily.

We really need to figure out how to broaden our options for oversight and intervention because privacy rationale alone will not stop technology from being used. Privacy scholars and legal experts know this and say it too. In some cases, privacy rationales actually speed up the implementation of new tech. Privacy and data protection has spawned an enabling industry and related set of infrastructures and standards. If privacy and data protection rationales are all we use, the “should we be doing this at all” arguments, all the work we need to do in terms of transparency and accountability and investing in other modes of how to do things fall to the side. These include redress and how the public service fundamentally operates.

Assume Good Actor Status for the State

There are very real concerns to be had about state use of data, state overreach, the history of Canada Border Services Agency, etc. I don’t know enough about the privacy commissioner’s track record to date on getting into these matters but I’m not going there. The only reason I’ve been circling around the privacy commissioner is because in early 2020 they said public health apps used in the pandemic should be voluntary and later that year seem (and still seem) to have no issues with ArriveCAN being mandatory.

In critiquing the state, my efforts are to point out where things are going wrong despite everyone having good intentions. In the ArriveCAN realm, we can track this back to the genuinely plausible good intent of the Public Health Agency of Canada wanting to set up a new system to support the implementation of the Quarantine Act as part of the pandemic response.

No matter how good those intentions were in 2020, others within government, privacy commissioner included, should have expressed the reasons why a voluntary approach, along with adjacent investments in alternative systems (forms, kiosks, etc.) would have been the right way to go. It is still not public if/how those with tech expertise did or did not push back on PHAC when this approach was created. What we need to fundamentally understand is that there is nothing in the Quarantine Act about mandatory tech. We do not look to Public Health Agency of Canada for direction on technology. This part of the history of the app needs a lot more untangling to understand how this app was ever allowed to be created given what the federal government did and does know about equity impacts.

We also need to be very aware of the fact that we’ve got two state actors in play here — the Public Health Agency of Canada and the Canada Border Services Agency. How they worked together on this and how their mandates came together needs more focus. This issue has a lot to do with how the slide/shift from a public health rationale to a border modernization rationale is happening. How both parties have valid public good rationales and interests, but the ways they are using them in one place concurrently is causing, at minimum, significant confusion at a time where no one can afford the trust erosion it is bringing with it.

Web App v. Smartphone App

When I started to write about ArriveCAN I quickly found it clunky to try to write about mandatory smartphone and web app, and so began using mandatory app as shorthand. As you may or not be aware, if you don’t want to use the Apple or Google option, you can create a login to the system via a web browser. I’m not sure if that option is supported on mobile phone browsers. Last night, upon me posting this oped by a political science professor about the problem with the mandatory nature of the app, someone online said that they had used the web login just fine, you don’t have to have a smartphone. This is true, and warrants a bit more consideration. It also brings us back to the beginning of both the incident report and our understanding of what is going on with ArriveCAN.

When the government commented on the glitch, they said it only impacted Apple users. If we stop for moment, we can now consider that there are, to some extent, three concurrent sets of code running. I don’t know enough about mobile app development or web development to be able to guess how much crossover there is between the three sets of code, but there is code for ArriveCAN that supports Apple mobile operating systems, code for ArriveCAN that supports Google’s mobile operating systems, and code for ArriveCAN that supports the web application.

This alone warrants a pause because this is a good example of the burden this app involves in terms of maintenance and support. This also warrants a pause because in two of those three cases of ArriveCAN’s code, we’ve designed a dependency for a public service upon the use of two companies infrastructures — Google and Apple — over which our governments have zero control. That bears repeating several times and also warrants more attention outside of this conversation. I have said before that I don’t believe we’ve ever had a mandatory app in Canada. I might be wrong. But the implications of this shift are wide-ranging.

Back to the distinction between web app and mobile phone app. Let’s say you don’t have a smartphone. Does that mean you have access to the internet and comfort in using the web app? No. Equity impacts remain with the web app. There are also several anecdotes that have lead me to understand that the smartphone apps are informally preferenced/recommended by government. This may not be true and I welcome more info. I would be curious to know percentage adoption of each of the three: web app/Google/Apple. We should know this.

But here we have to keep digging in. The unifying requirement of all three of them is an email address. Do we want having an email address — and comfort in using it by yourself — to be a requirement of using a public service? I would argue no. Legally, I’m not sure where that lives or what the ruling is or would be. Who takes on the burden of labour for those that can’t use an email address or computer or smartphone by themselves?

So let’s keep down this road and we’ll finally get closest to what the heart of the matter is: what does it mean to be semi-automating the implementation of the Quarantine Act?

As the government said in some of its latest media statements, people shouldn’t believe notifications they receive from the app over what they are told at the border or through other communications. From the CBSA press contact in the CBC piece: “…travellers should rely on the instructions they get at the border if they conflict with subsequent notifications about a 14-day quarantine.” But what happens to us when this all becomes so unclear?

There are significant rights and redress issues at play here. If you haven’t yet read this twitter thread from Matt Malone “ on the Government of Canada’s increasingly tenuous legal justification for ArriveCAN and the pressing need for judicial review…” I suggest you do so. I’ll stop on that path for now today, there is lot more to explore.

What Should We Have Done and What Should We Do Now?

Good advice about tech systems, particularly about legacy tech: don’t create systems you can’t roll back. In this moment, I think the government’s basic operational capacity to shift to voluntary use and to bring alternatives into the operational workflow is low. I think borders are under strain and this reason for the state to keep digging in on using the app as a mandatory step of the process, from a purely operational perspective, is in play. That doesn’t make it right. That doesn’t make it even acceptable. But it’s definitely relevant.

Next post will continue along with the incident report situation, the lack of information on the glitch from government, what it means to be uncoupling people and processes — and most importantly physical place — from public servants that can and should be there for us. This relates to more to think on about the web app and mobile app element, and what it means to be shifting the burden of administrative inputs to public service delivery to private infrastructures and private spaces. More soon, there is a lot of unfinished argumentation here but i don’t know how else to both keep going but also not get overwhelmed : )

screenshot of the Quarantine Act https://laws-lois.justice.gc.ca/eng/acts/q-1.1/FullText.html

--

--