TORONTO -- A U.K. research firm says a Canadian government app used to facilitate international arrivals into Canada may have had access to users’ location data despite its privacy policy, but the federal government denies that the app uses GPS or other location-tracking technology.

The “COVID-19 Digital Rights Tracker” report by company Top10VPN, has continuously monitored “new measures introduced in response to COVID-19 that pose a risk to digital rights around the world,” since March 2020.

In the latest update, the Canadian federal government app “ArriveCAN” was flagged.

Available on both the Apple App Store and Google Play store, ArriveCan is an app that helps facilitate travel to Canada from abroad.

According to the Public Healh Agency of Canada (PHAC), the app has been downloaded approximately 433,000 times from the Google Play store and 677,000 times from Apple.

Travellers can use ArriveCAN to submit information about their COVID-19 symptom self-assesments prior to departure, as well as provide contact information to authorities and to receive other news on quarantine requirements. Users don't need to input negative COVID-19 tests now required for air travellers coming to Canada, but must use the app prior to boarding a flight.

Until Tuesday, ArriveCAN’s privacy policy and the government site explicitly stated the app “doesn’t use GPS or other technology on your mobile phone to track your location.”

However, Top10VPN’s analysis flagged that one of the app’s 11 listed permissions clearly can monitor GPS location.

“Permissions are basically the abilities an app has to perform on your device, [they] determine what data and what system level functions an app can access,” explained report author Samuel Woodhams in an interview with CTVNews.ca Monday.

“We noticed a permission [on ArriveCAN] that says ‘access fine location,’ which is a type of permission that allows an app to monitor your GPS location…despite the fact that it says quite boldly in the privacy policy that this app will not monitor your location,” Woodhams said. He later told CTVNews.ca that when he checked the app's permissions again in the Google Play Store, the "access fine location" was removed.  

On Tuesday, after CTVNews.ca contacted the PHAC regarding the report’s findings, the app’s developers released an update removing the location permission.

In an emailed statement to CTVNews.ca, PHAC denied that the app or its website “uses GPS or any other technology of that nature to monitor movements of users.”

“The app uses machine-readable zone (MRZ) technology for scanning of travel documents. As this technology is included in the app, the Google and iOS stores will tag that the app ‘may request access.’ At no point is permission to use GPS granted to the app. Access to the GPS location would need explicit permission from the user,” the statement read in part.

Woodhams stressed that just because it’s a permission, that doesn’t mean it’s being used, but noted that “in the future it could be used to do exactly what the privacy policy is saying it won't.”

Woodhams made it clear that he’s not suggesting the Canadian government is monitoring users location using this app, "but I think what it does show is this app may not have been as well developed as you might expect,” he said.

PHAC said the protection of Canadians’ personal information is a “priority” for the Government of Canada and any information collected by ArriveCAN is protected according to the Privacy Act.

However, the agency noted that the information collected through ArriveCAN is “required” under Canada’s Mandatory Isolation Order.

“Information is collected, used, disclosed, retained and disposed of in accordance with applicable law and policies,” PHAC said in the statement.

REVIEWS ON BOTH THE APPLE APP STORE AND GOOGLE PLAY STORE

Woodhams said location data can be used to make sure people are adhering to the 14-day mandatory quarantine period, or mapping “where people are arriving into the country, where people are going, transmissions, things like that.”

And because private companies are involved in the creation, development and distribution of apps like ArriveCAN, the question of data privacy becomes even more important.

“This sort of data could really be used for almost anything, whether it's targeted advertising, whether it's monitoring where parts of the population are moving, how they're moving or really anything else,” Woodhams explained.

“And I think part of the concern about having so many private companies involved in this is that there will always be a financial incentive to do other things with this data, whether they're doing it now or potentially in the future.”

Reviews on both the Apple App Store and Google Play Store show “hundreds of one-star reviews with people having problems” with ArriveCAN, which Woodhams says “is indicative of the fact these apps have been rushed out.”

Out of the 65 digital health certificate apps being monitored by Top10VPN and Woodhams, 53 of them – or 82 per cent – do not have “adequate privacy policies.”

The report uses China’s “Alipay Health Code” system that was implemented in March of 2020 as an example, where the software “assigned citizens a color code that represented their COVID-19 status and was used to determine whether or not a user could access public spaces.”

A scan of Brunei’s “BruHealth” app found it potentially contained malware – it has been downloaded more than 100,000 times.

Law enforcement in Singapore were given users’ data from the “TraceTogether” app, despite “clear indications on the original privacy policy that this would not happen,” the report says.

Twenty-seven of the apps studied could monitor users precise location, and the reports analysis states “more than half of all apps studied explicitly state they will share users’ personal information if asked by a relevant authority.”

“A lot of the digital health certificates were pretty haphazard and don't preserve the privacy of their users, we found around 80 per cent of them had inadequate privacy policies that didn't clearly explain what information is being acquired, how long it was being stored for, whether it was going to be shared with anyone else,” Woodhams explained.

“Obviously, when we're talking about health information, particularly sensitive information, we expect a lot better.”