Sean Boots

Technology, public services, and people. But mostly people.

“Working in the open” firsts for COVID Alert

Make things open, it makes things better.

A few months ago I wrote about how busy the summer ended up being. Working on COVID Alert has definitely been a career highlight, in a lot of unexpected ways in an unexpected year. As of this week more than 4.9 million people have downloaded the app, and 2,900 people have used it to alert people close to them about their COVID exposure. For everyone that has worked on COVID Alert, it’s humbling and daunting to be part of something at this scale.

An iPhone on a wood-panel desk, showing the COVID Alert app with a message that says “No exposure detected”.

In a lot of ways, COVID Alert represents some unprecedented milestones in Canadian federal government IT:

  • It’s the first large-scale, public-facing mobile app launched by the Government of Canada that is open-source, to my knowledge. (A lot of that is credit to the volunteer team that built COVID Shield, the proof-of-concept app that COVID Alert is based on!)
  • It was built in 45 days, between the day that CDS’s product team was formed and the public launch of the app.
  • It had a pre-launch public beta where thousands of people helped test the app and provided feedback.
  • And, it involved some very close collaboration between the federal government and provincial healthcare and technology teams to deliver one-time keys to COVID-positive patients.

Beyond all of that, there were some extra geeky “firsts” that I was really thrilled to see, as someone working at the intersection of tech and policy. Each of these are different (really neat) examples of working in the open.

A privacy assessment published in the open

Protecting Canadians’ privacy was one of the foremost goals of the entire project. If Canadians didn’t trust COVID Alert and didn’t adopt it in sufficient numbers, it wouldn’t have any public health impact. Ensuring users’ privacy was one of the main benefits of the underlying Google/Apple exposure notification framework, and building the app as an open source project gave privacy, security, and technology experts the ability to dig into the code and point out any privacy concerns.

One of the highlights of my day-to-day work on COVID Alert was working with Health Canada’s privacy division on the COVID Alert Privacy Assessment and the wide range of other privacy documentation that went into the design and oversight of the overall system. Health Canada’s privacy team is second to none. Their thoughtful feedback, questions, and deep understanding of Canada’s federal privacy environment made working on a complicated topic a really wonderful experience.

The privacy assessment was published both on GitHub and on the day the app launched. As far as I know, it’s the only full privacy assessment for an app or online service that the federal government has ever proactively published. (If you know of any others, let me know!)

A public Accessibility Statement

Accessibility statements are an emerging best practice for organizations and websites, where they detail how they’re meeting accessibility needs, what issues are still outstanding, and provide ways for people to provide feedback or raise issues. A number of European countries now require accessibility statements on public sector websites.

COVID Alert’s Accessibility Statement, published on, is the federal government’s first-ever accessibility statement for a mobile app. (It’s the second-ever published accessibility statement, after a 2018 accessibility statement for an ESDC consultation tool run by a third-party vendor). COVID Alert’s Accessibility Statement is accompanied by an accessibility report, published on GitHub, that details ongoing issues and work in progress.

My colleague Julianna – a fearless advocate both inside and outside CDS for accessibility and inclusive design – championed both of these in really thoughtful ways as COVID Alert came together.

A Vulnerability Disclosure Policy for cybersecurity researchers

Last but not least! Vulnerability disclosure policies (VDPs) are quickly becoming a norm for both tech companies and government institutions. They let cybersecurity researchers know what things they can and can’t do while poking at websites or services to make sure they’re secure, and how to notify the organization’s security teams if they find something broken.

Vulnerability disclosure policies are an important signal to cybersecurity researchers that a team or organization takes cybersecurity seriously. That if they notice something broken or unsecured, that they can report it to the organization in an obvious way – without worrying that they’ll be accused of hacking or illegal activity when they’re trying to help. Both the UK government and the US government’s cybersecurity agencies have been making vulnerability disclosure policies into a standard process over the past few years.

COVID Alert’s Vulnerability Disclosure Policy is the first VDP ever published by the Government of Canada. There’s still work ongoing to make this a regular part of launching and operating government websites and services – I’m really excited to see where it goes.

Onwards and upwards

I’m really grateful to have been able to work on COVID Alert, and in total awe of my software development, design research, design, and product management colleagues that made it a reality. Working with the talented team at Health Canada has also been a huge highlight. (And, not least, with Sam and Lucas and Michael and John and the whole CDS policy team! Y’all are the very best.)

People’s reactions to the app have been really really positive, and I hope we can maintain that level of public trust as the app continues to improve. If you want to learn more about how it came together, check out the official CDS blog for an ongoing series of posts on how COVID Alert was built.