Fay Arjomandi is the founder, president, and CEO of Vancouver-based mimik technology, which describes itself as a "pioneering hybrid edgeCloud company".
The Concordia grad is also the author of 12 patents. And her company has developed the Pandimik app, which it calls the world's first "anonymized" infection-tracing and positioning system.
Pandimik can notify users who may have been exposed to COVID-19 in the last several weeks, preserving confidentiality by not passing any information to the cloud, corporations, or governments.
The Straight asked Arjomandi five questions after Prime Minister Justin Trudeau revealed that a free app will be launched in July to let Canadians know when they've been near anyone who has COVID-19.
Georgia Straight: What went through your mind when Prime Minister Justin Trudeau announced that the federal government will begin testing a new contact-tracing app?
Fay Arjomandi: I was encouraged, concerned, confused, and disappointed. Encouraged because I think we need a contact tracing app; concerned because I'm not sure how the app announced by the prime minister will protect citizens' privacy rights.
I was confused because I couldn't figure out the role of Shopify, which is one of the largest cloud-based shopping platforms. What part of the application are they developing and what part of the data is shared in that application and with whom? What is the role of an e-commerce shopping platform provider?
I was disappointed that the government didn't assess the plausibility of utilizing other technology solutions from innovative and disruptive players such as the hybrid edge cloud approach by mimik, which keeps our contact-tracing data completely private with no need for trusting mimik or any other third party—and throughout the journey of the user—as they need to interact with other service providers.
No details have yet been shared with the community on the information flow between devices, the cloud, and any third parties, including health authorities, and roles and responsibilities of these vendors.
Georgia Straight: What needs to be done to ensure this app will provide adequate privacy protection?
Fay Arjomandi: Citizens and only the citizens should be in complete control of their contact-tracing data and any data related to their health at all times.
Citizens should be able to delete the app and disable any privacy back doors in the operating system; this is why some countries have decided to avoid the approach from Google and Apple. Their mechanism is only open to government authorities, which obviously points to the fact that access to a broader group is risky.
Otherwise, the APIs [application programming interfaces] would be exposed to everyone. In other words, as users, we are put in a position to trust Google, Apple, and the government to keep our data private.
According to the latest poll by Insights West, 48 percent of B.C. residents opposed the idea of using contact tracing to halt the spread of COVID-19 because they are concerned about their privacy rights.
For any app to be effective it needs to be adopted by 60 to 70 percent of the population. And people will only use it if they know for sure their data is safe and no one is tracking them.
Any successful contact tracing app should be completely transparent and protect a user's data throughout the journey. Our priority should not only be the tracing aspect, but to ensure that there is data privacy throughout the user's journey.
No third parties, including government entities, should have any possibility to access the contact history on our devices anywhere in the entire process. In other words, no contact-tracing information should ever be sent to the cloud and nobody other than the user of the app should be able to access the data that is on their device.
Otherwise, we are exposed no matter whether the data is encrypted, or even anonymized in the cloud.
Mimik has already developed the app called Pandimik that can do contact tracing without sending any contact-tracing information to the cloud or any third parties.
So we know this is possible and is also not only complementary to Google and Apple’s approach, but resolves their shortcomings as well.
Georgia Straight: What's the biggest mistake the federal government could make?
Fay Arjomandi: Not knowing the details of the end-to-end solution and how it evolves over time. The mistake would be to assume privacy where it cannot be guaranteed.
It is not enough to promise users that their data is kept private, encrypted, anonymized, or even destroyed after 14 days. People have heard this in the past and have learned that once they trust their data to any third parties, they lose control, and anything can happen with that data.
The government has to reassure people that no third parties including the government will have access to their contact-tracing data throughout the process. Users should be put in control with full transparency of information, rather than being told, “don't worry, trust us, it will be all secure.”
Georgia Straight: What's been the experience of contact-tracing apps for COVID-19 in other countries?
Fay Arjomandi: As far as I know, to date, contact tracing in all countries has been a failure. Many governments have given up or are in the process of redesigning their apps.
The experience has varied from extreme violation of privacy by constant surveillance in countries like Bahrain, Norway, and Singapore, to highly ineffective with little adoption in other countries like Italy, Switzerland, and Germany.
Most people are genuinely concerned about their privacy and have not adopted the apps. Lack of transparency along with ambiguity and fragmentation of experience has been the primary reason for low adoption.
Georgia Straight: What advice would you have for Canadians who want to stop the spread of COVID-19 but who are nervous about the privacy implications of contact tracing?
Fay Arjomandi: Canadians should demand an effective trustless contact-tracing app that uses the latest technologies that guarantees their privacy and provides all the controls in their hands. We have to be watchful and ask questions, and not just accept promises that our data will be kept private.
There are technologies that can guarantee our privacy. Anonymous contact tracing is definitely possible.
We should insist that our devices, and not the cloud, do the entire contact tracing. Smartphones can detect and record proximity using many existing techniques. This is not the main challenge.
The catch is once we are diagnosed with the virus, how are those who have been exposed informed? If the app sends a warning with a list of all the devices to the cloud and then others are informed through the cloud, then this is a privacy risk.
So, we should insist that no contact tracing history should ever be sent to any third parties. Instead, the contact tracing app on the smart phone of the infected person should directly inform others without any third-party exposure.
The only role the government should play is to give us a code confirming that we have been exposed once we test positive so we can enter it in the app to avoid false warnings. There should be no other exclusive data access to any third parties or government entities.
We highly recommend that the government assess the use of the hybrid edge cloud platform by mimik or any other provider to ensure the data is not stored on any private or public cloud and that users have complete control over their data. Once people are confident their data is protected, they will use the contact tracing app, which is crucial to control the spread of COVID-19.