Priv Comm'r: WeHealth was well-crafted to support privacy & public health - I downloaded it myself
The Privacy Commissioner supports the WeHealth Bermuda mobile app. If you have questions or concerns, you can reach the Government team via their contact form or our office as described on our Contact Us page.
In my anecdotal conversations with Bermudians about whether they intend to download the recently launched WeHealth Bermuda app, the issue of trust is the first topic. People are worried that their data might be shared or used in ways they haven't thought of - or that they might even be signing themselves up for surveillance.
Bermudians can feel confident in WeHealth Bermuda as an example of trust being earned. My office engaged with Government early in this process, and the technologists and civil servants with whom I worked were quick to realise the privacy risks that could come into being with these sorts of apps. We reviewed these issues and risks together, and throughout the app design process they addressed all of my recommendations.
From early days, this app aimed to earn your trust through privacy protections. Government took what I would call a "Privacy-By-Design" approach, which means intentionally planning out for and selecting the most privacy-friendly of the many, varied possible options. WeHealth Bermuda avoids the riskier (from a privacy perspective) approaches that other countries have tried.
The app is designed to prevent misuse of data by not collecting it in the first place unless it is absolutely needed - and then keeping all of that data on the phone itself. It remains in your hands, under your control.
Not only that, but even if WeHealth Bermuda wanted to collect more data or to use data in different ways, your phone would not let it. This is because Google and Apple, working together in a historic collaboration, put limits on what contact tracing apps may do - precisely to reassure people worried about "creeping" permissions.
It is a fair thought to worry about data privacy in modern times, when technology issues feel more complicated by the day. You can often feel like you don't even understand enough to make an informed decision.
I hope you have confidence that the WeHealth Bermuda app is designed so that you stay in control. I chose to download the app myself, because it was developed to protect privacy along with public health. It represents the kind of solutions that we should strive for and support.
How does it work? A quick overview
You can find a very good description of how the app functions on Government's WeHealth Bermuda web page (https://www.gov.bm/wehealth-bermuda) and in the app's brief-but-informative Privacy Notice.
Essentially, the app uses the phone's Bluetooth antenna, which is often used to connect to speakers or earbuds, to broadcast a random code, similar to a TV or radio signal. This code changes frequently, to prevent identification. Your phone also uses the Bluetooth antenna to receive others' broadcasts and then records the codes it hears nearby.
Only these random codes are used. No other personal information is collected, unless you choose to tell the phone that you received a positive Covid test. In that case, the app will send a list of your random codes from the times you were infectious for phones to compare to their list. Cases of a positive test are the only time that your personal information is handled centrally (as it would be to a similar extent by manual contact tracers).
Your phone will periodically download a list of codes that relate to positive tests from that central database, then compare the codes on the list to codes it has heard recently. If there is a match, you might get a message to get tested or self-isolate.
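The code rotation and on-device matching just described, as an added illustrative model that is not the app's or the Google-Apple system's own code; the HMAC derivation, the ten-minute rotation interval and the scenario are assumptions, and the purge step applies the 30-day retention mentioned later on this page:

```python
import hashlib, hmac, os
from datetime import date, timedelta

RETENTION_DAYS = 30       # the 30-day retention period described on the page
SLOTS_PER_DAY = 144       # assumed: the broadcast code rotates every ~10 minutes

def rolling_code(day_key: bytes, slot: int) -> bytes:
    # Simplified derivation (assumption): HMAC stands in for the real system's
    # AES-based key schedule. A code reveals nothing without the day key.
    return hmac.new(day_key, slot.to_bytes(2, "big"), hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.day_keys = {}   # date -> random per-day key; stays on the phone unless you report
        self.heard = {}      # code heard nearby -> day it was heard; never leaves the phone

    def broadcast(self, day, slot):
        key = self.day_keys.setdefault(day, os.urandom(16))
        return rolling_code(key, slot)

    def hear(self, code, day):
        self.heard[code] = day

    def purge(self, today):
        # Both the phone's own keys and the codes it heard expire after 30 days.
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.day_keys = {d: k for d, k in self.day_keys.items() if d > cutoff}
        self.heard = {c: d for c, d in self.heard.items() if d > cutoff}

    def diagnosis_keys(self, infectious_from, today):
        # Positive test: only the day keys from the infectious window are shared.
        return [(d, k) for d, k in self.day_keys.items() if infectious_from <= d <= today]

    def matching_days(self, published):
        # The downloaded list is checked on the phone: re-derive each day's codes
        # and see whether any was heard locally. What was heard is never uploaded.
        return {d for d, k in published
                if any(rolling_code(k, s) in self.heard for s in range(SLOTS_PER_DAY))}

def simulate():
    """Constructed scenario: Alice meets Bob, never meets Carol, then tests positive."""
    alice, bob, carol = Phone(), Phone(), Phone()
    meeting = date(2021, 3, 1)
    bob.hear(alice.broadcast(meeting, slot=57), meeting)       # Bob's phone records Alice's code
    stale = meeting - timedelta(days=60)
    bob.hear(Phone().broadcast(stale, slot=3), stale)          # an old record, due for purging
    published = alice.diagnosis_keys(meeting - timedelta(days=2), meeting + timedelta(days=3))
    bob_hits, carol_hits = bob.matching_days(published), carol.matching_days(published)
    bob.purge(today=meeting + timedelta(days=3))
    return len(bob_hits), len(carol_hits), len(bob.heard)      # (1, 0, 1)
```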
Some approaches in other countries involved using GPS to track everyone's physical location, or using CCTV cameras and facial recognition technology for contact tracing. Compared with such privacy-intrusive methods, random codes broadcast by Bluetooth are an excellent example of meeting both public health and privacy goals - not one or the other.
What are the privacy considerations in designing an app like this?
Covid has been a global problem, and our office has been in close contact with our colleagues elsewhere to learn lessons from their experiences.
Experts at the World Health Organisation (WHO) and the Global Privacy Assembly (GPA; a group of fellow Privacy Commissioners) have outlined the main issues. The WHO developed a comprehensive list of "Ethical considerations," with principles that generally align with the minimum requirements of PIPA. After surveying all of its members, the GPA published a "Compendium of Best Practices" describing the collected experience of other Privacy Commissioners tackling Covid response.
Regulatory concerns relate to a variety of factors. Some experts were most concerned that mandatory apps would create a risk of exploitation or unfair use of the data. Some experts were concerned that a digital divide might mean that portions of society become overlooked, which, while a concern, is a lower risk in Bermuda since network connectivity is so prevalent. Some experts focused on the fact that contact tracing apps have not yet been proven in controlling a pandemic, which is a fair criticism since we are still only in the middle of our first pandemic with them - but this fact only argues more strongly that we should select the most privacy-protective options to keep the risk of harm low.
Technologists also raised technical issues with contact tracing apps, and it is important for individuals to understand that no technology is perfect. While it can do the job, Bluetooth was not designed specifically for this purpose, so there are potential accuracy issues. We could see false-positive or -negative results, for example if people were close together but wearing masks. (To compensate, WeHealth Bermuda factors in these sorts of issues with a notification algorithm that uses aggregate exposure details, potentially from multiple exposures.)
How does WeHealth Bermuda avoid privacy risks?
I must again give credit for the many steps that our civil servants got right. Instead of churning out an intrusive, unproven app, they engaged in thorough research and analysis so as not to act with haste. From our early conversations, they have spoken of the importance of protecting privacy and confidentiality in the contact tracing process. Instead of re-inventing the wheel, WeHealth Bermuda leverages the Google-Apple Exposure Notification system - which also, as mentioned above, has its own privacy guardrails designed into the system.
To evaluate the app, our office wanted to ensure that a checklist of best practices was followed - and it was. The app development also included all of my recommendations to ensure the protection of users' privacy.
Prior to launch, our office reviewed draft design documents from Government that described an approach that consists of the following:
the use of the app is voluntary;
personal information will be stored on an individual’s device and not a central repository;
identifying information consists only of a random identification number (“IDs”) that will change over time and may not be retroactively re-identified;
IDs will be deleted from the individual’s device after a set, 30-day period of time;
use of the personal information of Covid-positive individuals will be by the official public office, the Ministry of Health (just as it is manually);
IDs that relate to Covid-positive individuals, which must necessarily be shared to communicate others’ exposure, will be shared only to those who require them, such as the app developer and matching contacts, and only for a set, 30-day period of time; and
individuals may choose at any time to delete the app and the associated data on their device.
Does this mean there is no risk to using the app?
From a privacy perspective, WeHealth Bermuda was designed to collect only random codes, and is the most privacy-protecting option that can meet the public health goal of an app to assist contact tracing.
From a security perspective, cybersecurity professionals will always find ways to "hack" a system, because no system is perfect. As in all things, from driving a car to exercising at home, it would be impossible for anyone to be 100% safe from everything. There is always the possibility that someone nefarious could engage in a variety of mischief. The chances are remote, but here are some examples we should be aware of - but not afraid of.
By persistently following someone or by setting up an island-wide system of Bluetooth sensors, it could be possible to track individuals by their Bluetooth signal. (Importantly, this is something that could already happen without the WeHealth Bermuda app, if you have your Bluetooth or WiFi antennas on.)
If someone could change the clock on your phone, it could confuse the random ID system into thinking you were exposed when you were not, or affect the central database and cause others to receive notifications. It may theoretically be possible to plant a fake device and report a false positive that would affect the surrounding community, school, or constituency. This is why it is so important to protect your security by using antivirus software and avoiding suspicious links in emails or text messages.
Please note that these possibilities are not themselves failures of trust or Government abuse of data. These sorts of issues are caused by an evil-doer abusing the WeHealth technological infrastructure. The chance that your personal information might be abused is incredibly remote - because the app does not collect anything but a random code in the first place.
Cybersecurity professionals make a good living by being paranoid enough to worry about these things, but individuals should take heart that WeHealth Bermuda has been designed in good faith to help you stay in control of your privacy.
What happens next? Monitoring the app's performance
As with any technology, the work is never completely done. We must evaluate effectiveness, ensure that there are no accidental harms, and place a governance framework in effect to allow appropriate oversight. I will continue to work with Government, making recommendations to engage a technical evaluation of the app, to plan for a statistical review of its success, and to ensure appropriate governance of such technological efforts by empowering and appropriately funding my office in the new year.
Each of these steps will assure Bermudians that they can place even more confidence in endeavours such as this one, knowing that their rights are protected and their trust has been earned.
Alexander McD White
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issuing guidance and recommendations, liaising with other enforcement agencies, and advising on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people’s rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by H.E. the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention of Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."