Great news – Canada has just released its free COVID-19 exposure notification app [1], COVID Alert. Several questions now arise: Is it private and secure? Will it be widely adopted? And how effective will it be at slowing the spread of the virus? We have evaluated the COVID alert app against three dimensions: Concept, Implementation, and User Experience. We grade the concept as leading-edge (A+), the implementation, just adequate (C), and the user experience less than satisfactory (D).

Ontario Digital Service (ODS) and Canadian Digital Service (CDS) built the app based on a reference implementation by Shopify, with CDS taking operational responsibility and ownership. The security architecture was reviewed by Blackberry and Cylance. Health Canada performed an Application Privacy Assessment [2], which was reviewed by the Office of Privacy Commissioner of Canada [3] and the Information Privacy Commissioner of Ontario.

HOW COVID ALERT WORKS

1. Via Bluetooth, the app remembers to which phones it has come in close physical proximity.
2. When a person contracts COVID-19, she or he can submit code into the app declaring their status.
3. The app will check daily to see if anyone you’ve been near has reported testing positive.
4. If you’ve been near an infected person in the past 2 weeks, you’ll get a notification.

At present, there isn’t enough data to provide a proper assessment of COVID Alert

However, I can offer my thoughts on the three aspects of design mentioned above:

• Concept, or the design focus. Does the design mitigate the target problem or realize the desired benefits?
• Implementation, the outcome of the product. Does the design achieve its intent?
• Usability, or user experience. Is the design user-friendly enough to achieve widespread adoption?

CONCEPT

Canada got it right – a successful COVID-19-related app that focuses primarily on its benefit to users, i.e. notification, rather than tracking. A tracking app needs to track everyone’s routes and interactions all the time; this captures way too much private data, making it a tempting treasure-trove to hackers. Privacy concerns will impede adoption of tracking apps.

COVID Alert side-steps these concerns by focusing only on notification. All other countries that have developed an app have built a tracking device to be installed on a cell phone, and included a notification feature. Canada, on the other hand, has built a notification app. The fact that its use is voluntary will further boost public confidence.

Grade for concept: A+

IMPLEMENTATION

Apps may be built for the public, for healthcare providers, or for business use. Canada has chosen to build an app for the public. For apps created for the business or healthcare sectors, adoption is a given. The main challenge for a public app is: Will the public adopt it? It will need to reach a critical mass of adoptees to be successful. Without that critical mass, the app will provide little to no benefit.

COVID Alert’s server and app are both open source. This is an encouraging decision, as it makes it business-friendly, and improves public trust through expert scrutiny of the code.

The choice to focus on adoption by individuals is a strong point for privacy, but a challenge to effective implementation. In contrast, an app designed for business, aimed at detecting outbreaks connected to particular business locations, might raise more complex privacy issues, but could be implemented much more widely with support from the private sector.

The Canadian government had the option of implementing a COVID-19 data network between citizens, businesses, and public health. This app, unfortunately, only covers the individual, with a manual link to public health. How could this have been improved? A data exchange platform would have been a wiser choice, as it would help boost business adoption.

Grade for implementation: C

USER EXPERIENCE

While I’m not an expert, I’d say that the app user experience is marked by three things:

• The entire success of the app relies on someone with COVID-19 getting and storing a secret code on their phone. This activity alone may be prohibitive. People with severe symptoms may be semi-conscious, or even being hospitalized; their primary concern isn’t with entering a secret code into the app. If they hadn’t already downloaded the app, they wouldn’t download it at that point.
• The OS version of the app requires a rather recent version, limiting its potential adoption.
• Hackers have already targeted Canadians with fake COVID-19 contact-tracing app disguised as official government software. Downloading the bogus app activates a hidden program that hijacks the user’s data and holds it for ransom.[3]
• The Alberta COVID-19 tracking app that was rejected by the Alberta privacy commissioner shows up on the Apple App Store right below the federal application. This won’t improve public trust of the app.

Grade for usability: D

Takeaway and Next Steps

The COVID Alert app is a positive and important concept; from a conceptual standpoint, Canada is ahead of all other solutions to date. Ideally, its implementation would go beyond the boundaries of an app. The current approach creates a basis for expansion. I intend to fully leverage the federal app by building an end-to-end solution, that focuses on business adoption.

References:

[1] https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert.html

[2] https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy/assessment.html

[3] https://nationalpost.com/news/canada/hackers-target-canadians-with-fake-covid-19-contact-tracing-app-disguised-as-official-government-software

To read more about outbreak notification design, follow this link. To learn about enterprise corporate compliance feel free to download Privacy in Design: a Practical Guide for Corporate Compliance from the Kindle Store.