The “big ears” of the StopCovid application

No sending of contact data of less than 1 meter and less than 15 minutes between two phones equipped with StopCovid. This was the privacy condition imposed on the StopCovid application which is shattered today. This tracking application aims to facilitate contact with all people potentially infected with Covid-19. Its installation is voluntary, on June 9 StopCovid was activated on 1.4 million telephones, i.e. an estimated coverage of 2% of the population.

However, on June 12, Gaëtan Leurent – researcher at the National Institute for Research in Digital Sciences and Technologies (Inria) – left a message on a bug detection platform noticing an anomaly. According to this IT specialist, when a user declares himself sick, the StopCovid application collects all cross-contacts for the last 14 days without any filter of contact duration or distance between phones. “It therefore sends a large amount of data to the server which is of no interest in tracing the spread of the virus, but which represents a real danger for privacy.“He warns.

He reached this conclusion by activating the application for about ten seconds on two telephones equipped with this application and placed in two different rooms about 5 m apart. “When I declare myself as sick, my app sends this contact to the server, even though it has no epidemiological interest, he says. I obviously declare myself with a fake sick code, and the server refuses my data, but it allows me to clearly see what is being sent.” An experience that demonstrates that the application does not respect the conditions of duration and distance mentioned by the decree in force since June 17.

The CNIL questioned

Is StopCovid monitoring us? contacted by Mediapartthe State Secretariat for Digital justifies this “indiscretion”: “Every quarter of an hour, a new identifier is assigned to each device;thus, a contact that only lasts five minutes could be the continuation of a contact of twelve minutes and only the server is able to connect to understand that it is, in reality, a single contact of 17 minutes, therefore at risk. But these explanations do not, however, convince Gaëtan Leurent, who thinks “that there would be fairly simple ways to limit the problem.” “The phone could filter the data to keep contacts short only when they are just before or just after an ID change,” he explains.

Mediapart also questioned the National Commission for Computing and Liberties (CNIL), the supervisory authority in particular for this application. The CNIL reported “ongoing” checks. The office of the Secretary of State in charge of digital ensures that the CNIL is fully aware of the operation of the application and recalls that it authorized its deployment knowingly.

Moreover, in his error report, the researcher also notes the presence in the code of a distance algorithm “apparently not used by the rest of the application“but who, according to him, “presents a real risk for the server to learn the social graph of users.” A fear of digital surveillance often highlighted by La Quadrature du Net which advises against the use of this application.

“All contacts within bluetooth range are uploaded”

On the web, some coders like Yoann Gini, president of a digital consulting company, are taking advantage of this news to dismantle the structure of the application. In one long social media message thread, it analyzes the application code and points out the many opportunities where a filter can be programmed into the code. “We therefore have confirmation that StopCovid sends too much information in the event of a declaration of a sick person, far too many contacts are reported, all those within reach of bluetooth in reality and not those less than one meter away“, he says after his demonstration before driving the point home: “MThe code review was frankly fast, and shows how this application is neither done nor to be done.“

However, this code also poses a problem for… Margrethe Vestager, the European Commissioner in charge of digital and competition. The Danish politician, known for her standoff against the American digital giants. She criticized during the European Affairs and Economic Affairs Committee of the Senate, on June 16, the French choice. “The Member States have agreed on the technical specifications and on the decentralization of the data of these telephones. This puts France in a specific situation because it requires a decentralized system, it raises the question of interoperability [entre les différents systèmes de traçage européens]“, she explained.

Absence of call for tenders

Added to these problems of cooperation in the Schengen area, there is a real but limited efficiency with regard to the study by Oxford researchers published in Science who estimate that 60% of the population needs to be covered for a tracing app could have a ‘significant impact’. Finally, Anticor – an anti-corruption association – filed a report with the National Financial Prosecutor’s Office following revelations from the Obs. According to the weekly, the maintenance and hosting of the application – free – is provided by the company Outscale, a subsidiary of Dassault Systèmes, for an operating cost estimated at an amount of €200,000 to €300,000 per month. Gold Anticor ensures that no call for tenders has been made for this contract involving public money. “Anticor recalls that the government is required to proceed with a call for tenders from 139,000 euros excluding tax for supply and service contracts, according to the rules of public procurement. Breaches of the rules relating to public procurement have an impact on democratic life but also on public accounts and the operating cost here is much higher than practices in the sector. The association therefore wonders about the conditions under which the decision to entrust this company with the maintenance of the application was taken.