Fact Check: Does the StopCovid app contain a tracking device?
On Tuesday, June , 2020, the StopCovid app was released on the Apple Store and the Play Store (Google). Developed by several companies, including Dassault Systèmes, Capgemini, and ATHOS, and led by the National Institute for Research in Computer Science and Control (INRIA), StopCovid was designed to facilitate the contact tracing of people with COVID-19 and their potential contacts. It was approved by the National Assembly and the Senate on May 28, 2020.
Florence Rodhain, University of Montpellier

From its design to its approval, however, the app has never been universally accepted, with its critics expressing particular concerns about the security of users’ personal data.
On social media, the organization La Quadrature du Net, which promotes and defends fundamental freedoms in the digital environment, has even expressed concern about the presence of a “spy”: the reCAPTCHA system. Designed by and linked to Google, this identification system reportedly sends data about our internet browsing directly to the U.S. company.
Did the developers of StopCovid put a “tracker” in the app? The answer is “yes,” and that deserves an explanation.
A Request for Input and Concerns
On May 15, 2020, Olivier Véran, Minister of Solidarity and Health, referred a draft decree concerning the “StopCovid” mobile app to the National Commission on Information Technology and Civil Liberties (CNIL) for its opinion.
Ten days later, the CNIL, which had to work under tight deadlines, issued an opinion on this application. In note 77 of this opinion, the CNIL expressed concern that the ministry plans to use a “Captcha” (an automated system that verifies that the application is being used by a natural person) and that this service would be provided by a third party. The commission is therefore alarmed that “the use of this service is likely to result in the collection of personal data not provided for in the decree, data transfers outside the European Union, as well as read/write operations that would require the user’s consent.”
CAPTCHAs are systems that have been implemented to combat spam bots. In the case of the StopCovid app, the goal is to ensure that a real person is using it. There are various types of CAPTCHAs developed by different companies. The most common CAPTCHAs consist of codes (numbers and letters) that are difficult to decipher, which a human user must type in.
Lines of code
On May 27, on Twitter, La Quadrature du Net revealed that the StopCovid app includes a Google tracking tool called reCAPTCHA. In its tweet, the organization linked to lines of code on the Inria website where the use of Google’s services can indeed be clearly seen.
La Quadrature du Net is also concerned that, if this tracking mechanism remains in the app, the government would not have honored its commitments—even though Cédric O, Secretary of State for Digital Affairs, had emphasized the importance of the principle of “digital sovereignty” just a few weeks earlier before the Senate.

In fact, the entire process was intended to remain within European borders without relying on Google or Apple’s services. That is why the application was led by Inria.
The answer is in the source code
So, what’s the story? Does the StopCovid app still contain this tracking mechanism? Or has the government heeded the CNIL’s concerns and, as a result, asked Inria to use a Captcha technology other than Google’s?
To answer this question, simply visit the Inria website and read the source code, where you'll still find a reference to Google's reCAPTCHA.
So, yes, at present, the StopCovid app does indeed contain a “tracking device,” as La Quadrature du Net asserts, since it can record—in passing—the IP (Internet Protocol) address of phones on which the app is installed, which appears to contradict the principles of consent and privacy-by-design (consent principles that must be taken into account from the very design of the app) of the European General Data Protection Regulation (GDPR) upheld by the CNIL. This is indeed personal data; the app is therefore not entirely anonymous, as had been announced from the outset.
When asked to explain the matter, Cédric O said in an interview that Google’s reCAPTCHA—the “only element that wasn’t developed by us”—was chosen because “on the mobile version, there were no other CAPTCHAs available that could handle the load of several million interactions.”
It’s worth noting that work is reportedly underway with Orange to eliminate the need for Google’s services and its reCAPTCHA; this solution could be available soon. If Orange succeeds, there will no longer be any “tracking cookies” to worry about in the StopCovid app. It remains to be seen when Orange will complete this work and whether, by that time, it will still make sense to use the app…
One snitch can hide another
Ultimately, one could argue that this “spyware” is not intentional but rather a side effect resulting from the lack of an alternative solution—though this would still need to be proven. However, an article in *Le Monde* describes a completely different, far more insidious intrusion, and it is doubtful that this one is not intentional.
In this article, Gaëtan Leurent, a French cryptography researcher at Inria, explains that he discovered, on the StopCovid app’s development platform, that all contacts with other people—regardless of the duration of those contacts—over the past 14 days are sent to the central server hosting the app’s data. “StopCovid therefore sends a large amount of data to the server that is irrelevant for tracking the spread of the virus but poses a real threat to privacy,” the researcher explains in Le Monde.
The explanations provided by the Secretary of State for Digital Affairs appear questionable. When contacted by Mediapart, the Office of the Secretary of State for Digital Affairs did not dispute these revelations but sought to justify them. It explains that every quarter-hour, a new identifier is assigned to each device. Thus, a contact lasting only five minutes could follow a twelve-minute contact: two contacts that only the server is capable of linking to determine that they are, in reality, a single 17-minute contact—and therefore a risk.
These explanations do not convince researcher Gaëtan Leurent, who believes “there are fairly simple ways to mitigate the problem: the phone could filter the data to retain short contacts only when they occur immediately before or after a username change.”
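The phone-side filtering Leurent describes could look like the sketch below. This is an added example, not code from StopCovid or Inria; it assumes identifiers rotate on a shared quarter-hour clock, a 15-minute risk threshold, and a 60-second tolerance around each rotation, and the `Contact` record and function names are hypothetical.

```python
from dataclasses import dataclass

ROTATION_SECONDS = 15 * 60  # from the article: a new identifier every quarter-hour
MIN_RISK_SECONDS = 15 * 60  # assumed risk threshold; the article gives no figure
BOUNDARY_SLACK = 60         # assumed tolerance around a rotation, in seconds


@dataclass(frozen=True)
class Contact:
    peer_id: str  # ephemeral identifier heard from the other phone
    start: int    # seconds on the (assumed shared) rotation clock
    end: int


def touches_rotation(c):
    """True if the contact starts just after, or ends just before, a rotation."""
    after_rotation = c.start % ROTATION_SECONDS <= BOUNDARY_SLACK
    before_rotation = (-c.end) % ROTATION_SECONDS <= BOUNDARY_SLACK
    return after_rotation or before_rotation


def contacts_to_upload(contacts):
    """Keep long contacts, plus short ones that may be half of a split contact."""
    kept = []
    for c in contacts:
        duration = c.end - c.start
        # A short contact in the middle of an epoch cannot be one piece of a
        # longer contact cut by an identifier change, so it never leaves the phone.
        if duration >= MIN_RISK_SECONDS or touches_rotation(c):
            kept.append(c)
    return kept


# Constructed sample data (not real StopCovid records).
SAMPLE = [
    Contact("id-A1", 180, 900),    # 12 min, ends at a rotation
    Contact("id-A2", 900, 1200),   # 5 min, starts at the same rotation
    Contact("id-B1", 1000, 1240),  # 4 min mid-epoch: a brief passer-by
    Contact("id-C1", 1800, 2700),  # a full 15-minute epoch
]

if __name__ == "__main__":
    for c in contacts_to_upload(SAMPLE):
        print(c.peer_id, (c.end - c.start) // 60, "min")
```

With this filter the 12-minute and 5-minute halves from the ministry's example still reach the server and can be linked there, while the 4-minute mid-epoch contact is never sent.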
What’s most concerning is that the Secretary of State’s explanations came after the app had already been rolled out. If all of this were true, we’d have more reason to worry about this second tracking tool than about Captcha!
This fact-check was conducted in partnership with the Journalism and Science program at the ESJ in Lille.
Florence Rodhain, Associate Professor (HDR) in Information Systems, University of Montpellier
This article is republished from The Conversation under a Creative Commons license. Read the original article.