Focus on the French government's StopCovid app: the time for the balance sheet has arrived

It is recalled that the application designed by the French government to facilitate deconfinement, through mobile tracing of people has not really had the long-awaited success.

Indeed, as soon as it was put online on the various app stores, including the Apple Appstore and the Google PlayStore, it was counted and that less than 2 million people who downloaded it.

This article will also interest you: StopCoviD: a safer application than social networks

StopCovid was designed by several French speakers, including Dassault Système, ATOS, Capgemini, all led by the National Institute for Research in Computer Science and Automation (Inria). When designing this computer equipment, the french government's goal was to closely monitor the interactions that would arise after the deconfinement. This would have made it easier to detect new cases and take charge of them quickly.

But, it should not be denied, from the stage of its conception until its validation, the application of tracing has never been unanimous. The majority of people who objected to this idea have also put forward the issue of the security of personal data that could have been generated by users.

For the digital law advocacy association, La Quadrature du net has during its various interventions on social networks regularly worried about the possibility of spy system through software. This was particularly aimed at the authentication system developed by Google and used by the application: "reCAPTCHA. For the Quadrature of the Net, we had to be wary of this tool that could have allowed the American giant to collect some information about users. So, to the question of whether the designers of this application took advantage to insert a snitch application. And of course the answer is clearly yes. And this is explained by the initiators. Being a mobile tracking application, it is obvious that there is necessarily a tracking tool. But beyond that, the National Commission for Information Technology and Freedoms, the administrative authority, responsible for ensuring scrupulous compliance with the general regulation on the protection of personal data, has decided on the deployment of the tracking tool at the request of Olivier Véran, the Minister of Solidarity and Health.

After ten days of analysis, the administrative authority decided. Note 77 of this notice included a concern of the commission about the use of the authentication tool provided by Google to determine whether the application is beautiful and well used by a natural person. The idea that this service is provided by a third party while the project presentation it was mentioned that all services that are related will be provided by French. For this reason, the administrative authority was alarmed that "the use of this service is likely to result in the collection of personal data not provided for in the decree, data transfers outside the European Union, as well as reading/writing operations that would require user consent."

For all intents and purposes, Captcha are computer tools that aim to prevent spammers. So as part of the tracking application, the idea of making sure that one who connects and beautiful and well a human being.

That's what the net squaring raises in a tweet issued on May 27. In a certain circumstance, the use of this tool allows directly to record the IP address of the phone on which the application is installed. This is totally at odds with the promises announced by the government at the time of the presentation of the project, but also against the general regulation of European data protection since the user's consent will not be required at this level. In this context, the IP address is indeed a personal information because it can identify an individual. This, of course, is not the anonymity promised from the beginning.

On the issue, Secretary of State Cedric O explained in an interview that the authentication tool used by Google is "the only element that was not done by us". The latter would have been chosen because "on the mobile version, there were no other Captcha that existed and were able to absorb the shock of millions of interactions."

In addition, in an article published around the world, it was mentioned by a French cryptography researcher at the National Institute for Research in Computer Science and Automation, Gaetan Leurent, that StopCovid hides another type of intrusion. And unlike Google's authentication tool it does seem intentional. According to the researcher, the application automatically stores contact information for the last 14 days and transmits it directly to the central server. In other words: "StopCovid sends a large amount of data to the server that has no interest in tracing the spread of the virus, but which poses a real danger to privacy," says Lant.

Now access an unlimited number of passwords: