Fact check: Does the StopCovid app contain a tracking device?
On Tuesday, June 2, 2020, the StopCovid app appeared on the Apple Store and Google Play Store (Google). Designed by several companies such as Dassault Système, Capgemini, and ATHOS, and led by the French National Institute for Research in Computer Science and Control (Inria), StopCovid was approved bythe National Assembly and the Senate on May 28, 2020, with the aim of facilitating the tracking of Covid-19 patients and their potential contacts.
Florence Rodhain, University of Montpellier
However, from its conception to its approval, the application has never been universally accepted, with its critics expressing particular concerns about the security of users' personal data.
On social media, the association La Quadrature du Net, which promotes and defends fundamental freedoms in the digital environment, has even expressed concern about the presence of a "spy": the reCAPTCHA system. Designed and linked to Google, this identification system reportedly sends data relating to our Internet browsing directly to the US company.
Did the designers of StopCovid put a "tracker" in the app? The answer is "yes," and that deserves an explanation.
A request for advice and concerns
On May 15, 2020, Olivier Véran, Minister of Solidarity and Health, referred a draft decree on the "StopCovid" mobile app to the French Data Protection Authority (CNIL) for its opinion.
Ten days later, the CNIL, which had to work urgently, issued an opinion on this application. In note 77 of this opinion, the CNIL expressed concern that the ministry planned to use a "Captcha" (an automated system that verifies that the application is being used by a natural person) and that this service would be provided by a third party. The commission was alarmed by the fact that "the use of this service is likely to result in the collection of personal data not provided for in the decree, data transfers outside the European Union, and read/write operations that would require the user's consent."
Captchas are systems that have been put in place to combat spam bots. In this case, for the StopCovid app, the aim is to ensure that it is being used by a real person. There are various Captchas developed by different companies. The most common Captchas are difficult-to-decipher codes (numbers and letters) that the user must retype.
Lines of code
On May 27, on Twitter, La Quadrature du Net revealed that the StopCovid app includes a Google tracking tool called reCAPTCHA. In its tweet, the association links to lines of code on the Inria website where the use of Google services is clearly visible.
La Quadrature du Net is also concerned that, if this spyware remains in the application, the government will have failed to honor its commitments, despite the fact that Cédric O, Secretary of State for Digital Affairs, had emphasized the importance of the principle of "digital sovereignty" a few weeks earlier before the Senate.
Ludovic Marin/AFP
In reality, the entire process had to remain within European borders without using Google or Apple services. That is why the application was piloted by Inria.
The answer in the source code
So, what's the situation? Does the StopCovid app still contain this tracking device? Or has the government listened to the concerns of the CNIL and asked Inria to use an alternative Captcha technology to Google's?
To answer this question, simply visit the Inria website and read the source code, where you will still find the reference to Google's reCAPTCHA.
So, yes, at present, the StopCovid app does contain a "tracking device" as claimed by La Quadrature du Net, since it can record the IP (Internet Protocol) address of phones on which the app is installed, which appears to contradict the principles of privacy-by-design consent (principles of consent that must be taken into account from the design stage of the app) of the European General Data Protection Regulation (GDPR) defended by the CNIL. This is indeed personal data; the app is therefore not entirely anonymous, as had been announced from the outset.
When asked to explain himself on the matter, Cédric O explained in an interview that Google's reCAPTCHA, "the only element that was not created by us," was chosen because "on the mobile version, there were no other Captchas that existed and were capable of withstanding the impact of several million interactions."
It is interesting to note that work is reportedly underway with Orange to eliminate the need for Google's services and its reCAPTCHA; this solution could be available soon. If Orange succeeds, there will no longer be any "spyware" in the StopCovid app. It remains to be seen when Orange will finalize this work and whether, at that point, it will still be relevant to use the app...
One snitch can hide another
Ultimately, one could argue that this "spyware" is not intentional but rather a side effect caused by the lack of an alternative solution, although this remains to be proven. However, an article in Le Monde mentions a completely different, much more perverse intrusion, which one can doubt is not intentional.
In this article, Gaëtan Leurent, a French cryptography researcher at Inria, explains that he discovered, on the StopCovid app development platform, that all contacts with people encountered, regardless of the duration of the contacts, during the last 14 days, are sent to the central server hosting the app's data. "StopCovid therefore sends a large amount of data to the server that is of no interest for tracking the spread of the virus, but which poses a real threat to privacy," the researcher explains in Le Monde.
The explanations provided by the Secretary of State for Digital Affairs appear questionable. When contacted by Mediapart, the Secretary of State for Digital Affairs did not dispute these revelations, but sought to justify them. It explained that every 15 minutes, a new identifier is assigned to each device. Thus, a contact lasting only five minutes could be the continuation of a 12-minute contact: two contacts that only the server is able to link in order to understand that they are, in reality, a single 17-minute contact, and therefore risky.
These explanations do not convince researcher Gaëtan Leurent, who believes that "there would be fairly simple ways to limit the problem: the phone could filter the data to keep short contacts only when they are just before or just after a change of identifier."
The most worrying thing is that the Secretary of State's explanations come after the app has been rolled out. If all this turns out to be true, we should be more concerned about this second spyware than Captcha!
This fact check was carried out in partnership with the Journalists and Scientists department of the ESJ in Lille.
Florence Rodhain, Senior Lecturer in Information Systems, University of Montpellier
This article is republished from The Conversation under a Creative Commons license. Readthe original article.