ArriveCan App Quarantine Error Breached Privacy for 10,000 iPhone Users

In a clear violation of the Privacy Act, over 10,000 Canadians received incorrect quarantine directives through the federal government’s ArriveCan app, according to Privacy Commissioner Philippe Dufresne, in his report released on Tuesday.

The erroneous orders, issued last year, threatened recipients with substantial fines and stemmed from a database error, reports The Globe and Mail.

The Commissioner’s investigation, initiated following events that unfolded on June 28, 2022, revealed that around 10,200 iPhone users were wrongly instructed to quarantine or face fines of up to $5,000 by the federal ArriveCan app.

The miscommunication was a result of a database error that incorrectly labelled some fully vaccinated travellers as unvaccinated. Yikes.

Dufresne criticized the Canada Border Services Agency (CBSA) for its failure to involve human oversight in such critical decisions. The report also accused the agency of taking too long to rectify the issue and presently refusing to correct the known errors that still persist in the database.

The ArriveCan app, initially launched in 2020, served as a platform for travellers to provide mandatory health information, including vaccination status, upon border crossing. Although the app ceased to be mandatory from September 30, 2022, it remains a voluntary tool. The Globe and Mail previously reported in October 2022 that the app’s construction and maintenance costs were projected to hit $54 million by March 2023.

While the government cites the pandemic’s fluctuating health policies necessitating continuous app updates as a response to criticism, the Commissioner’s report argues that major app-related issues should have been resolved by the summer of 2022.

In light of the significant number of complaints from fully vaccinated individuals incorrectly told to quarantine, the report suggests that the issue should have been resolved within days rather than weeks. It further emphasizes that such an incident, happening over two years since the pandemic’s onset and ArriveCan’s introduction, signifies a failure on CBSA’s part to ensure the information’s accuracy.

The CBSA has countered the recommendation to correct its database errors, arguing it’s unnecessary due to the conclusion of the COVID-19 border measures. The agency insists that the data, which are no longer in administrative use, will be automatically disposed of after two years.

The investigation was sparked by a complaint from Matt Malone, a law professor at Thompson Rivers University. Prof. Malone called for immediate updates to Canada’s privacy, artificial intelligence, and data protection legislation, arguing that this incident demonstrated the urgent need for these laws to extend to federal departments and agencies. He also criticized the Privacy Commissioner for the slow progress of the investigation, calling for less rhetoric and more action.

“The report does nothing more than give the government and the third parties who built the app a light slap on the wrist,” said Malone.

“The privacy commissioner moved far too slowly in conducting this investigation, especially given the immediate impact of the glitch on Canadians. The privacy commissioner has a culture of complacency of making fanfare announcements about investigations that take way too long to conduct. We need less words and more action … ArriveCan shows why Canada’s proposed privacy and AI laws must apply to government,” Malone said.

Looking back at the ArriveCan app and how it screwed up royally, it’s safe to say the app was one expensive disaster.

P.S. - Like our news? Support the site with a coffee/beer. Or shop with our Amazon link. We use affiliate links when possible--thank you for supporting independent media.