Canada Begins Testing of North America’s First COVID Exposure Notification App (Here’s What It Looks Like)

Although there’s been a surge of COVID exposure notification apps in Europe using the Apple-Google API over the past several weeks, with countries from Germany to Ireland getting on board even despite the intransigence of a few others, the technology has been much slower to arrive in North America. That may finally be on the cusp of changing, however, as Canada has begun testing of its first exposure notification app, and a handful of U.S. states have also committed to adopting the technology.

We actually first heard reports from Canada back in early June that it would be going with the Apple-Google Exposure Notification System due to its strong privacy protections and ease of adoption.

While the app, which was jointly developed by a team of volunteers from Shopify and BlackBerry along with the Government of Ontario and Canadian Digital Services, was expected to be available in Ontario on July 2, that date was later pushed back to July 24 as a result of delays in getting it approved at the Canadian Federal Government level, which wanted to make sure that everything was working properly.

Now it looks like the app has been pushed out a day early, although only for preliminary testing through Apple’s TestFlight beta program, according to iPhone in Canada and an announcement by the Canadian Government on Twitter.

Canadian Digital Service (CDS) and Health Canada are now accepting applications to beta test the app, which will provide an early access version and require testers to provide feedback as part of the process. The agency emphasizes that “We’re testing the app, and not you,” and reiterates that they’re using a “privacy-preserving, decentralized” approach to designing the app, but they will be asking users to complete tasks with the beta version so that they can collect more information on how it works.

It also appears that the test will include some sample notifications, with CDS explaining that “Notifications sent during this study will NOT BE REAL” and that they’re simply testing COVID Alert.

Beyond that, the only requirements to sign up for the beta are that users must be over 18 and live in Canada.

How it Works

Since COVID exposure notification apps are being developed by regional public health authorities, each one will likely have a slightly different implementation, but Canada’s COVID Alert gives us a pretty good idea of what you can expect from just about any app that uses the Apple-Google Exposure Notification System.

Upon installing COVID Alert, the user is presented with a series of welcome screens that explain what the app does, making it very clear that it collects no personal information, including your location, your name or address, your iPhone’s contacts, your health information, or the health information of anyone you’re near.

This is all detailed in Apple’s privacy policies for the API, and in fact Apple expressly prohibits this kind of data collection in an extra set of App Store policies that govern any developer that’s given permission to use the Exposure Notification API. Of course, most end users aren’t aware of Apple’s policies, and with the number of apps out there that are tracking users for various purposes, there probably can’t be enough reassurances that this is actually an extremely privacy-focused approach to fighting the spread of COVID-19.

The onboarding screens in the app go on to briefly explain how the app actually does work, providing additional links for those who want to take a deeper dive. Essentially, it’s all based on a collection of randomized codes stored on your iPhone that identify the other iPhones you’ve come into contact with. Those codes remain entirely on your iPhone, but should somebody be diagnosed with COVID-19, they have the option of submitting their own personal random code (anonymously, of course) to the secure exposure notification servers.

Your iPhone checks in on a daily basis, and if one of the random codes stored on your iPhone matches the random code voluntarily submitted by somebody who tested positive, you get alerted to the fact that you may come into contact with someone who tested positive for COVID-19 — note that the app does not tell you who that person is, however. In fact the system is designed such that there’s no way for it to even know, as only a random code is stored.

Although the app is entirely opt-in at every level, including allowing individual users to decide whether they want to report a positive COVID-19 result to the system, in order to prevent abuse you’re required to enter a special “one-time key” that’s given to you by a health provider in order to trigger the exposure notifications, confirming that you actually have received a positive test result before sounding the alarm.

During the onboarding process, the app will also prompt you for permission to “Enable Exposure Logging and Notifications.” The app’s welcome screens explain this, however the actual permission request comes from the underlying Exposure Notification API, in exactly the same way as permission requests work for other iOS privacy features in every other app.

Note that users running the iOS 14 beta will not be able to use the Exposure Notification API at this point. As 9to5Mac reports, Apple has identified this as a known issue with the iOS 14 betas, and it appears to still be the case in the most recent beta released this week. Users running iOS 14 who install COVID Alert will not see the prompt to enable the API, and COVID Alert will show up as disabled.

CIRA director Andrew Escobar shared some screenshots via Twitter showing what COVID Alert looks like when running on iOS 13.6, however, where it appears to be fully functional.

What About the U.S.?

At this point, Canada’s COVID exposure notification app is the first of its kind to go live in North America, even in testing form. The Canadian province of Alberta was actually the first regional government in North America to release a contact tracing app of any kind, however it did not use the Apple-Google API, and while that app remains available for use within the province’s borders, the Canadian Government has insisted on a single national app rather than a series of regional ones. This actually prevents individual provinces from building their own apps that use the API even if they wanted to, as Apple has already stated that it prefers to approve only a single app for each country.

In the U.S., however the Federal Government has generally left contact tracing and exposure notification apps up the individual states, and Apple has noted that it will reluctantly make exceptions for regional apps where appropriate. However, as 9to5Mac reported today, only four U.S. states have committed to using the Apple-Google API, and none of them appear to be anywhere near actually releasing one.

In all fairness, most U.S. states don’t appear to have plans to create contact tracing apps at all, but the few that have already gone down that road have built their own GPS-based solutions, opening up a can of worms when it comes to privacy issues. Only Oklahoma, Alabama, South Carolina, and Virginia are currently planning to use the Apple-Google system; North Dakota was also previously on that list, but appears to no longer be included.

Instead, North Dakota has joined South Dakota and a group of several other states, including Wyoming, Rhode Island, and Utah, which have all built their own contact tracing apps that rely primarily on GPS location tracking rather than Bluetooth. In fact, Care19, the contact tracing app being jointly developed by North Dakota and South Dakota, which is expected to be adopted by Wyoming as well, actually chose to use Foursquare and Google to process its location data, despite claims that it’s not being shared with any third parties.

Meanwhile, Utah’s app has had its contact tracing features disabled after only 200 residents agreed to share location data with the app, making it only “a really expensive WebMD” now as one state official said.

On the other hand, at least 16 states, including California, Colorado, Connecticut, Delaware, Georgia, Idaho, Indiana, Iowa, Louisiana, Maryland, Montana, New Hampshire, New Mexico, Tennessee, Texas, and Vermont, have explicitly said that they have no plans to create a contact tracing app at all.

Earlier this week, however, we saw promising news that the Linux Foundation had gotten on board to spearhead the open-sourcing of the contact tracing apps used in Canada and Ireland to help jump-start similar initiatives by other public health authorities and encourage them to adopt the Apple-Google Exposure Notification System. The Linux Foundation Public Health Initiative (LFPH) is expecting more U.S. agencies and developers to hop on board in the coming weeks, and it does appear that the four U.S. states that are embracing the Apple-Google API with open arms will be among the first, but the move should hopefully spur some more action by other agencies that are either on the fence, or have found their own attempts at contact tracing apps to be abject failures thus far.