Fact check: Does the StopCovid application contain a bug?

On Tuesday June 2, 2020, the StopCovid app appeared on Apple's App Store and Google's Play Store. Designed by several companies, including Dassault Systèmes, Capgemini and ATHOS, and piloted by the French National Institute for Research in Computer Science and Control (Inria), to make it easier to trace Covid-19 patients and their potential contacts, StopCovid had been approved by the French National Assembly and Senate on May 28, 2020.

Florence Rodhain, University of Montpellier

From its conception to its validation, however, the application has never met with consensus, with detractors fearing in particular for the security of users' personal data.

On social networks, the association La Quadrature du Net, which promotes and defends fundamental freedoms in the digital environment, went so far as to voice concern about the presence of a "snitch": the reCAPTCHA system. Designed by Google and tied to its services, this verification system would, according to the association, send data about our Internet use directly to the American company.

Have the designers of StopCovid placed a "bug" in the application? "Bug" here is meant in the sense of a listening device or tracker, not a programming error. The answer is "yes", and it deserves an explanation.

A request for advice and concerns

On May 15, 2020, French Minister of Solidarity and Health Olivier Véran referred the matter to the Commission nationale de l'informatique et des libertés (CNIL) for a ruling on a draft decree concerning the "StopCovid" mobile app.

Ten days later, the CNIL, which had to work under time pressure, issued its opinion on the application. In note 77 of that opinion, the CNIL expressed concern that the Ministry planned to use a "Captcha" (an automated check that the application is really being operated by a human being), and that this service would be supplied by a third party. The commission warned that "the use of this service is likely to involve the collection of personal data not provided for in the decree, data transfers outside the European Union, and read/write operations that would require the user's consent".

Captcha systems were developed to keep automated bots (spam robots, for instance) from registering or posting at will. In the case of the StopCovid application, the aim is to make sure that a real person, not a script, is registering the app with the server. Different companies have built different Captchas. The most common form is a distorted string of letters and digits that a human has to retype. reCAPTCHA is different in one respect that matters here: it is a service hosted by Google, so checking a user means the device, or the server acting on its behalf, exchanging data with Google's infrastructure rather than with a component the project controls.

Lines of code

On May 27, on Twitter, La Quadrature du Net revealed that the StopCovid application embeds a Google "snitch" called reCAPTCHA. In its tweet, the association pointed to the lines of code published on the Inria website, where the use of Google's service is plainly visible.

La Quadrature du Net is also concerned that, if this "bug" remains in the application, the government will have failed to honour its commitments, even though Cédric O, Secretary of State for Digital Affairs, had stressed the principle of "digital sovereignty" before the French Senate only a few weeks earlier.

[Photo: Cédric O, Secretary of State for Digital Affairs. Ludovic Marin/AFP]

In principle, the whole process was supposed to stay within European borders, without relying on Google or Apple services; that is precisely why Inria was put in charge of the application.

The answer in the source code

So where do things stand? Does the StopCovid application still contain this "bug"? Or has the government heeded the CNIL's concerns and asked Inria to replace Google's Captcha with an alternative?

To answer this question, one need only go to the Inria website and read the source code, where the reference to Google's reCAPTCHA is still present.

So, yes, as things stand the StopCovid app does contain a "snitch", as La Quadrature du Net claims. Because the reCAPTCHA check is handled by Google's servers, Google can record in passing the IP (Internet Protocol) address of the phones on which the app is installed. An IP address is personal data under the European General Data Protection Regulation (GDPR), and collecting it this way appears to contradict both the privacy-by-design principle defended by the CNIL (Article 25 of the GDPR, which requires data protection to be built into a system from the design stage) and the consent requirements the CNIL pointed to in its opinion. The application is therefore not entirely anonymous, contrary to what had been announced from the outset.

Asked to explain his position on the matter, Cédric O explains in an interview that Google's reCAPTCHA, "the only element that wasn't made by us", was chosen because "on the mobile version, no other Captcha existed that was capable of withstanding the shock of several million interactions".

Interestingly, work is under way with Orange to do away with Google's reCAPTCHA, and a replacement could be available soon. If Orange succeeds, there will be no more "snitches" in the StopCovid application. It remains to be seen when Orange will finish this work, and whether the application will still be worth using by then...

One bug can hide another

Ultimately, this first "bug" might be regarded as unintentional: a side-effect of the claimed absence of any alternative, a claim that would itself still have to be proven. An article in Le Monde, however, describes a quite different and far more troubling intrusion, one that is hard to believe was unintentional.

In that article, Gaëtan Leurent, a cryptography researcher at Inria, explains that he found, on the StopCovid development platform, that every contact with every person encountered over the previous 14 days, whatever the duration of the contact, is sent to the central server that hosts the application's data. "StopCovid therefore sends a large quantity of data to the server, which is of no interest for tracing the spread of the virus, but which poses a real danger to privacy," the researcher explains in Le Monde.

The justifications offered by the Secretary of State for Digital Affairs seem questionable. Contacted by Mediapart, the Secretary of State did not dispute these findings, but did seek to justify them. His office explained that every quarter of an hour each device is assigned a new identifier. A contact lasting only five minutes may therefore be the continuation of a contact lasting twelve minutes that was recorded under the previous identifier: two records that only the server is able to link, in order to work out that they are in fact a single contact lasting 17 minutes, and therefore one that carries a risk.

These explanations don't convince researcher Gaëtan Leurent, who believes "there are fairly simple ways of limiting the problem: the phone could filter the data to keep contacts short only when they are just before or just after a change of identifier."
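To make the two sides of this argument concrete, here is an added illustration; it is not StopCovid or ROBERT code, and every constant, name and the identifier-to-device table in it is an assumption made for the example. It shows the server-side linking the Secretary of State describes (a 12-minute piece plus a 5-minute piece under the next identifier become one 17-minute contact) and the phone-side filter Gaëtan Leurent proposes: upload short contacts only when they begin just after or end just before an identifier rotation, so that the contacts that cannot be part of anything longer never leave the phone.

```python
"""Illustrative example (not StopCovid/ROBERT code): why short contacts matter only
when they touch an identifier rotation, and how a phone can filter on that basis.
Assumptions: identifiers rotate on a global 15-minute grid, 15 minutes of contact
counts as at risk, and the server (alone) can map an ephemeral id back to a device."""
from collections import defaultdict
from dataclasses import dataclass

EPOCH_SECONDS = 15 * 60     # identifier rotation period (assumption: 15 min, as in the article)
RISK_SECONDS = 15 * 60      # contact length regarded as at risk (assumption)
BOUNDARY_WINDOW = 60        # how close to a rotation counts as "just before/after" (assumption)
MERGE_GAP = 60              # largest gap the server bridges when joining two pieces (assumption)


@dataclass(frozen=True)
class Contact:
    ebid: str    # peer's ephemeral Bluetooth identifier, as the phone observed it
    start: int   # seconds on a clock aligned with the rotation grid
    end: int

    @property
    def duration(self) -> int:
        return self.end - self.start


def touches_rotation(c: Contact) -> bool:
    """True if the contact starts just after, or ends just before, an identifier rotation."""
    after_start = c.start % EPOCH_SECONDS <= BOUNDARY_WINDOW
    before_end = (-c.end) % EPOCH_SECONDS <= BOUNDARY_WINDOW   # seconds until next boundary
    return after_start or before_end


def filter_on_phone(contacts):
    """Client-side filter: long contacts always go; short ones only if they could be
    one piece of a longer contact that an identifier rotation split in two."""
    return [c for c in contacts if c.duration >= RISK_SECONDS or touches_rotation(c)]


def merge_on_server(contacts, resolve):
    """Server side: resolve each ebid to a device, then join pieces that abut across a
    rotation. Returns {device: longest merged contact, in seconds}."""
    by_device = defaultdict(list)
    for c in contacts:
        by_device[resolve(c.ebid)].append(c)
    longest = {}
    for device, pieces in by_device.items():
        pieces.sort(key=lambda c: c.start)
        cur_start, cur_end, best = pieces[0].start, pieces[0].end, 0
        for p in pieces[1:]:
            if p.start - cur_end <= MERGE_GAP:
                cur_end = max(cur_end, p.end)       # continuation of the same encounter
            else:
                best = max(best, cur_end - cur_start)
                cur_start, cur_end = p.start, p.end
        longest[device] = max(best, cur_end - cur_start)
    return longest


def at_risk(longest):
    """Devices with at least one merged contact reaching the risk threshold."""
    return sorted(d for d, secs in longest.items() if secs >= RISK_SECONDS)


# Constructed sample of what one phone logged; rotations fall at 0, 900, 1800, 2700.
SAMPLE = [
    Contact("bob-e1", 180, 900),      # 12 min, ending exactly at a rotation
    Contact("bob-e2", 900, 1200),     # 5 min continuation under bob's next identifier
    Contact("carol-e1", 2100, 2400),  # 5 min in mid-epoch: cannot be part of anything longer
    Contact("dave-e2", 1900, 2860),   # 16 min under a single identifier
    Contact("frank-e1", 700, 900),    # 200 s before a rotation...
    Contact("frank-e2", 900, 1000),   # ...and 100 s after it: still short once joined
]
# Constructed table standing in for the server's ability to link ebids to one device.
EBID_OWNER = {"bob-e1": "bob", "bob-e2": "bob", "carol-e1": "carol",
              "dave-e2": "dave", "frank-e1": "frank", "frank-e2": "frank"}

if __name__ == "__main__":
    uploaded = filter_on_phone(SAMPLE)
    print(f"uploaded {len(uploaded)} of {len(SAMPLE)} contacts")
    print("at risk:", at_risk(merge_on_server(uploaded, EBID_OWNER.get)))
```

With these inputs the phone withholds only Carol's mid-epoch contact, while Bob's two pieces still reach the server and are joined into a 17-minute contact; Frank's two pieces are also uploaded but add up to five minutes, so the server, not the phone, still makes the risk decision. The filtered and unfiltered uploads yield the same set of at-risk devices, which is the point of Leurent's suggestion.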

What is most worrying is that the Secretary of State's explanations came only after the application had been deployed. If all this is confirmed, this second "bug" is a greater cause for concern than the Captcha.

This fact-check was produced in partnership with the Journalists and Scientists program at ESJ Lille. The Conversation

Florence Rodhain, HDR Senior Lecturer in Information Systems, University of Montpellier

This article is republished from The Conversation under a Creative Commons license. Read the original article.