Categories: Privacy

A 3D Test for Evaluating COVID Alert: Canada’s Official Coronavirus App

Great news – Canada has just released its free COVID-19 exposure notification app [1], COVID Alert. Several questions now arise: Is it private and secure? Will it be widely adopted? And how effective will it be at slowing the spread of the virus? We have evaluated the COVID alert app against three dimensions: Concept, Implementation, and User Experience. We grade the concept as leading-edge (A+), the implementation, just adequate (C), and the user experience less than satisfactory (D).

Ontario Digital Service (ODS) and Canadian Digital Service (CDS) built the app based on a reference implementation by Shopify, with CDS taking operational responsibility and ownership. The security architecture was reviewed by Blackberry and Cylance. Health Canada performed an Application Privacy Assessment[2], which was reviewed by the Office of Privacy Commissioner of Canada[3] and the Information Privacy Commissioner of Ontario.


  1. Via Bluetooth, the app remembers to which phones it has come in close physical proximity.
  2. When a person contracts COVID-19, she or he can submit code into the app declaring their status.
  3. The app will check daily to see if anyone you’ve been near has reported testing positive.
  4. If you’ve been near an infected person in the past 2 weeks, you’ll get a notification.

At present, there isn’t enough data to provide a proper assessment of COVID Alert

However, I can offer my thoughts on the three aspects of design mentioned above:


Canada got it right – a successful COVID-19-related app that focuses primarily on its benefit to users, i.e. notification, rather than tracking. A tracking app needs to track everyone’s routes and interactions all the time; this captures way too much private data, making it a tempting treasure-trove to hackers. Privacy concerns will impede adoption of tracking apps.

COVID Alert side-steps these concerns by focusing only on notification. All other countries that have developed an app have built a tracking device to be installed on a cell phone, and included a notification feature. Canada, on the other hand, has built a notification app. The fact that its use is voluntary will further boost public confidence.

Grade for concept: A+


Apps may be built for the public, for healthcare providers, or for business use. Canada has chosen to build an app for the public. For apps created for the business or healthcare sectors, adoption is a given. The main challenge for a public app is: Will the public adopt it? It will need to reach a critical mass of adoptees to be successful. Without that critical mass, the app will provide little to no benefit.

COVID Alert’s server and app are both open source. This is an encouraging decision, as it makes it business-friendly, and improves public trust through expert scrutiny of the code.

The choice to focus on adoption by individuals is a strong point for privacy, but a challenge to effective implementation. In contrast, an app designed for business, aimed at detecting outbreaks connected to particular business locations, might raise more complex privacy issues, but could be implemented much more widely with support from the private sector.

The Canadian government had the option of implementing a COVID-19 data network between citizens, businesses, and public health. This app, unfortunately, only covers the individual, with a manual link to public health. How could this have been improved? A data exchange platform would have been a wiser choice, as it would help boost business adoption.

Grade for implementation: C


While I’m not an expert, I’d say that the app user experience is marked by three things:

Grade for usability: D

Takeaway and Next Steps

The COVID Alert app is a positive and important concept; from a conceptual standpoint, Canada is ahead of all other solutions to date. Ideally, its implementation would go beyond the boundaries of an app. The current approach creates a basis for expansion. I intend to fully leverage the federal app by building an end-to-end solution, IoPlus, that focuses on business adoption.





To read more about Wael’s outbreak notification design, follow this link. To learn about enterprise corporate compliance feel free to download Privacy in Design: a Practical Guide for Corporate Compliance from the Kindle Store.

Article info

Leave a Reply