“Among existing apps, COVID Alert is the one that minimizes risks the best, but it’s not risk-free,” computer science professor says.
Not everyone is buying Quebec’s assurances that the newly endorsed COVID-19 Alert exposure notification application is bulletproof.
Spokespeople for two opposition parties in Quebec City criticized the government Tuesday for picking a technology whose effectiveness is yet to be fully demonstrated, saying widespread use could potentially lead to COVID-19 testing centres becoming overcrowded. Their skepticism was shared by at least one prominent computer science expert, who cast doubt on the app’s security and general usefulness.
Quebec announced Monday it is adopting the federal government’s COVID Alert exposure notification app. Premier François Legault even used a televised press conference in Montreal to download the app on his mobile phone and call on all Quebecers to follow his lead.
“Among existing apps, COVID Alert is the one that minimizes risks the best, but it’s not risk-free,” Sébastien Gambs, a computer science professor at Université du Québec à Montréal, told the Montreal Gazette in an interview Tuesday.
COVID Alert uses the wireless technology standard known as Bluetooth to exchange random codes with nearby phones. For the app to work, Bluetooth must be on all the time — and that, according to Gambs, can be problematic.
“There have been security vulnerabilities in the past involving Bluetooth that allowed hackers to gain control of phones remotely,” said Gambs, who focuses on such topics as location privacy. “These shortcomings have since been corrected, but given that Bluetooth is a relatively young protocol, it’s possible that other breaches could occur. Having Bluetooth always on is a little bit like leaving your door open day and night.”
COVID Alert doesn’t track a user’s location or collect personally identifiable information. Users of the app are notified if their phones came in close contact with someone who tested positive for the coronavirus in the last two weeks.
Éric Caire, the province’s minister for digital transformation, insisted Monday that concern over possible data leaks was unwarranted. Organizations including BlackBerry, the federal government and the Ontario government have all tested the app recently, and no hacking has been reported since the app was rolled out, he said.
While Bluetooth does indeed create certain risks, COVID Alert is robust enough for people not to worry unduly about downloading the app, according to Derek Ruths, an associate professor at McGill University’s School of Computer Science.
“Any piece of software introduces potential vulnerabilities,” Ruths said Tuesday in an interview. “Are there risks associated with the app? Absolutely, I cannot deny that. But is the risk high enough for anyone to be worried? If you already have a modern cellphone and you send text messages, you’re already accepting such a high-risk profile compared to using that app. So the risk is negligible.”
That’s an opinion shared by Mourad Debbabi, the dean of Concordia University’s school of engineering and computer science.
“I looked at the design myself and I can say that the application is safe to use,” said Debbabi, a cybersecurity expert who testified this summer before a Quebec parliamentary committee studying a potential COVID-19 alert system. “There are many pieces of evidence that show the risk in using this app is very minimal. I think this app can help to save lives.”
It can also pose a problem for COVID-19 testing centres. Critics like Gambs point out Bluetooth has been known to err in calculating the distance between two mobile devices, resulting in app users receiving unwarranted alerts about possible infections.
Québec solidaire parliamentary leader Gabriel Nadeau-Dubois was one of two opposition politicians Tuesday — along with Parti Québécois interim leader Pascal Bérubé — to question the app’s usefulness, pointing out that similar alert apps in other countries have generated a high number of false positives.
“False positives are an issue that must be addressed,” Gambs said. “The government will also need to be transparent about how it plans to measure the app’s effectiveness. The exact benefits are not clear yet.”
Sign up to receive daily headline news from the Montreal Gazette, a division of Postmedia Network Inc.
A welcome email is on its way. If you don’t see it please check your junk folder.
Postmedia is committed to maintaining a lively but civil forum for discussion and encourage all readers to share their views on our articles. Comments may take up to an hour for moderation before appearing on the site. We ask you to keep your comments relevant and respectful. We have enabled email notifications—you will now receive an email if you receive a reply to your comment, there is an update to a comment thread you follow or if a user you follow comments. Visit our Community Guidelines for more information and details on how to adjust your email settings.
© 2020 Montreal Gazette, a division of Postmedia Network Inc. All rights reserved. Unauthorized distribution, transmission or republication strictly prohibited.
Quebec, François Legault, Coronavirus, Canada
World news – GB – Doubts persist about security of federal COVID-19 notification app