Concordia is co-leader of a national cybersecurity consortium promoting best practices
As COVID-19 contact-tracing apps could be deployed across Canada, a critical question emerges.
How do we balance public health with privacy and security concerns?
To address this new challenge, Concordia University co-founded the National Cybersecurity Consortium (NCC) this year, along with the University of Calgary, University of New Brunswick, Ryerson University and University of Waterloo.
Experts from Concordia’s Security Research Centre inside the Gina Cody School of Engineering and Computer Science make up the 120-plus professors involved in the consortium.
“We’re recommending 10 key principles that should be followed for the development and deployment of any contact-tracing app,” says Mourad Debbabi, interim dean of the Gina Cody School and director of the Security Research Centre.
“As it stands, Canadian jurisdictions are using contact-tracing apps without sufficient technical review by independent security and privacy experts. We can do better.”
The 10 principles include a call for independent expert review, simple design, minimal functionality and data minimization. Other key tenets are trusted data governance, cybersecurity, minimum data retention, the protection of derived data and meta-data, as well as the proper disclosure and consent and a provision to "sunset" — delete collected data after the COVID-19 crisis.
“Our goal is to ensure the core principles of Canada’s western liberal democracy are protected,” says Debbabi.
Statement on privacy-respecting and trust-worthy COVID-19 tracing apps
Researchers from 32 universities across Canada, including Concordia University’s Gina Cody School of Engineering and Computer Science, have developed a National Cybersecurity Consortium (NCC), and are calling on governments to require rigorous reviews of any COVID-19 contact tracing apps for mobile phones.
The NCC, led by researchers at Concordia University, the University of Calgary, the University of Waterloo, Ryerson University, and the University of New Brunswick, have developed a statement on best practices it is encouraging governments to follow to ensure that Canadians’ online privacy is protected.
The statement, which represents the consensus views of nearly 100 experts in privacy and security around the country, emphasizes that any deployed contact tracer must meet certain privacy criteria, and must be verified with independent external review by cybersecurity experts.
“We strongly support the value of contact tracing and its central importance in safely allowing Canada to return to normal as quickly as possible, but it must be done in such a way that our civil liberties and rights are not impacted in either the short- or long-term,” says Dr. Ken Barker, PhD, professor in the Department of Computer Science and director of the University of Calgary’s Institute for Security, Privacy, and Information Assurance (ISPIA). The need to develop and deploy digitally support contact tracing will only be widely adopted by Canadians if they are assured that these rights are protected, and the use of contact data is used exclusively for this purpose.”
The statement highlights principles that governments should follow when considering contact tracing apps. The principles include independent expert reviews, minimization of data collected, simple designs, robust security, a sunset provision for the apps, and proper disclosure and consent.
"Canadians should have a right to privacy in the online world. It’s an issue that should be talked about and debated publicly, even in the face of this pandemic, so that we ensure this right is protected," says Dr. Florian Kerschbaum, PhD, director of Waterloo’s Cybersecurity and Privacy Institute. “Data protection and cybersecurity can be challenging at the best of times; ensuring governments in Canada agree on and follow best practices will be crucial to protecting Canadians during this crisis and in a post-pandemic world.”
The NCC is a not-for-profit national initiative that focuses on key challenges in cybersecurity and privacy. It comprises five networks, including privacy.
Learn more about the Security Research Centre
Learn more about the Gina Cody School of Engineering and Computer Science