New Halifax emergency alert app raises privacy questions
'I have concerns, generally, when government suggests that I install an app on my phone'
A privacy lawyer has some concerns about a new emergency alert app available in the Halifax Regional Municipality.
Earlier this week, the municipality launched hfxALERT. It will provide text or email messages for matters ranging from mass evacuations to overnight parking bans sent by local emergency officials.
For more precise notifications, the city has also rolled out a third-party app from U.S.-based Everbridge. The app is widely used by public service agencies across the globe to issue location-specific emergency alerts to people's devices.
"This way, users of the mobile app will receive alerts to their device (e.g. smart phone) whenever they are in an area of the municipality that is being specifically targeted by the notification," the municipality said in a news release.
But Halifax privacy lawyer David Fraser said he has questions about the personal information the app can access.
"I have concerns, generally, when government suggests that I install an app on my phone, particularly an app that has pretty significant permissions that looks for your location, which is obviously inherent to the feature of the app," said Fraser.
According to Everbridge's privacy policy, the app also asks permission to access your photos and address book "to send invites."
"I don't see any reason why they would be doing that," said Fraser.
In an email, Everbridge spokesman Jim Gatta said the app does not require access to a user's address book to register for the alerts.
"Subscribers may choose to provide access to the contacts in their address book, but this is completely optional, and denying access does not prohibit someone from using the mobile app," he said.
The city has a video that explains how to use the app, urging users to sign in using "hrm" as both their first and last name.
Maggie-Jane Spray, a spokesperson for the municipality, said this was a way to mitigate some of the privacy concerns for users.
However, Spray said the city only conducted a Privacy Impact Assessment — something Fraser said is "a methodical process" to identify and mitigate any potential privacy and security issues — for the text and email alert system.
Since users aren't required to use the app to receive emergency alerts, the city did not perform an assessment on the app.
Spray said in an email it's up to those who want more location-specific alerts via the app to read and accept Everbridge's terms and conditions.
Though your name is unnecessary to use the app, it does ask for a user's address and phone number. Fraser said that seems contradictory from a privacy standpoint.
Providing private information to police without a warrant
Another concern, said Fraser, is that the app appears to say in its privacy policy that it could provide personal information to police without the need of a warrant.
Everbridge's privacy notice says the company would comply with court orders and subpoenas, "or similar legal process, including responding to any government or regulatory request, as well as lawful requests by public authorities to meet law enforcement requirements."
Fraser said that could be interpreted as law enforcement not needing a warrant to access your personal information.
Everbridge spokesman Jim Gatta told CBC News the company "only would disclose a subscriber's personal information if required by law or in compliance with a lawful request.
"A lawful request typically would require a warrant or similar order and Everbridge would not provide personal information of any subscriber to authorities without a lawful basis to do so, as stated in our privacy policy."
Convenience versus privacy
Fraser said it's common for most people to choose convenience over privacy when it comes to apps, but it's important to understand what information is being freely surrendered.
"So, for example, HRM rolled out a parking app a while ago that I ended up having to load because I needed to pay for parking and didn't have any coins on me — and frankly from a user experience it's a dumpster fire," he said.
The app doesn't allow transfer of funds from "trusted vendors" like Google Pay, Apple Pay or PayPal. The app only accepts credit cards and charged Fraser $20.
Fraser said he's not necessarily comfortable having to give out his credit card and vehicle information — nor necessarily comfortable with the $20 that was taken off automatically to pay for his $4 of parking that day and the Hotspot charges, which are charged monthly. But it was a matter of convenience.
"Is the convenience of this app worthwhile when you think about the information that I'm having to disclose in connection with using it?" he said.
He suggests that those with privacy concerns when it comes to hfxALERT instead sign up for text and email alerts through the website.