A study has shown that TousAntiCovid collects application usage statistics which, in a few very specific hypothetical cases, can weaken the tool's promise of complete anonymity. The risks are low, but that was enough to generate mistrust of the government's tool. The technical teams, however, are already responding.
Does TousAntiCovid sufficiently protect the personal data of French people? This is the question raised by a report published on August 19, 2021 by three researchers (Johan D., Nils L. and Gaëtan Leurent), which details several types of risk in the way the government's application handles the information it holds.
Concretely, the risks and hypothetical situations it envisages, which we return to below, are relatively low (especially compared with how other applications treat their users' personal data). It would therefore be alarmist to claim that the personal data of French people who use TousAntiCovid are currently in real jeopardy.
On the other hand, the meticulous work of the three French researchers highlights a worrying gap between what the official application promises (complete anonymization and foolproof security) and the reality of the facts. "It's still quite serious," Gaëtan Leurent tells us, "especially because there was a strong promise from the outset."
The teams in charge of TousAntiCovid, for their part, appear responsive and attentive to the criticisms raised: "The State's intention from day one has been to place this project within a virtuous approach and to take relevant feedback into account during its use," the office of Cédric O, Secretary of State for Digital Transition, told Numerama. "Thus, for the points raised that make it possible to reinforce the 'privacy by design' of the platform without lowering its level of security, we are currently working on adjustments."
Here is what is going on.
What are we talking about?
TousAntiCovid was originally a contact-tracing application called StopCovid: once activated on two smartphones, it lets the phones communicate with each other via Bluetooth and "record" a potential contact between two people. In the spring of 2020, France was one of the rare countries to use a centralized data management system (via a protocol called ROBERT), which isolated it on the European scene. This tool has been little used and has never had a noticeable effect on the management of the epidemic, but it is rather secure.
The application was then enriched.
However, certain information emanating from ROBERT and Cléa could hypothetically be cross-referenced, allowing certain checks that contravene the application's original promise: "The data transmitted is completely anonymous. It is not possible to know the identity of the user of the application. It does not include an authentication system at the time of installation," as one can read, for example, on the government's public-service website.
What statistics are collected and sent?
One element is at the heart of the three researchers' analysis: the collection of usage statistics for TousAntiCovid, in place since June 2021 and enabled by default in the app. The settings state that this information is collected "on your use of TousAntiCovid, for diagnostic purposes, performance improvement and user experience", and that it is "kept on the server for 3 months". It is supposed to be "anonymous", that is, not linked to a user's precise identity.
TousAntiCovid therefore sends a lot of information to a server, including:
- the model of the telephone used;
- the version of the application;
- the number of certificates added in TousAntiCovid-Carnet;
- the number of QR codes scanned in TousAntiCovid-Signal.
But the app also sends almost every action a user performs in it, timestamped to the nearest millisecond (for now). It is precisely this ability to date many actions so precisely that lies at the root of several potential abuses the researchers point out. Even if these data are not directly linked to a person's real identity, they could potentially be, through cross-referencing, in certain hypothetical situations.
What dangers are there?
X27B and P94F go to a restaurant
The examples presented by the researchers in their report are very precise.
Gaëtan Leurent has shown, on his Twitter account, that two users (Bob and Alice, in their scenario) who scanned the same restaurant's QR code at the same time on several occasions could be identified as probably having had lunch together.
Note, however, that in this example two users can be linked through the pseudonyms assigned to them, but not to their real identities. TousAntiCovid would therefore not make it possible to deduce that Bob and Alice had lunch together, only, to stay with this example, that user "X27B" may know user "P94F".
Contacted by us, the office of Cédric O believes that this example poses "no significant difficulty regarding the protection of user privacy", because the identity of the persons is "unknown to the central server": "The central server does not know whether it is the same establishment or not (among the 300,000 establishments open to the public), nor does it have the type of establishment (these statistics do not show establishment types), let alone whether these two people know each other or not," the office explains.
XDA8 and X27B are the same person
The same logic applies in another example, which shows that it is possible to link two different identifiers (that of ROBERT and that of the app's usage statistics) to the same person. Here again, the identity of this person is not known.
Example 4. In theory, the various functionalities are compartmentalized, with distinct pseudonyms: ID for the ROBERT protocol, UUID for reporting statistics. But they can be linked by cross-referencing the logs from the ROBERT server and the data from the statistics server. pic.twitter.com/o1mJ5wznqb
– Gaëtan Leurent (@cryptosaurus6) August 19, 2021
Can we precisely identify a person?
The following example presents a greater risk of identifying a TousAntiCovid user, although it is a rare situation; the planets would really have to align for it to yield a "good" result.
At the start of the vaccination campaign in France, vaccinated people were given a document bearing a Datamatrix code (via the 2D-DOC standard), a kind of barcode not unlike a QR code. This code is no longer used, because the European certificate, which all vaccinated French people can now download, does not use the 2D-DOC standard.
TousAntiCovid makes it possible to convert a 2D-DOC code into the European format: the conversion takes less than a second, but it can be timestamped very precisely by the server to which the request is sent. TousAntiCovid's usage statistics also record that the converter was used. By cross-referencing the two, it is possible to link the pseudonymized identifier with the information from the health pass (surname, first name, date of birth).
These two servers are not, technically, supposed to be able to talk to each other, just as the ROBERT server is not supposed to communicate with the one where TousAntiCovid's usage statistics are collected. However, there is no guarantee that definitively proves these servers cannot communicate with each other, and this is what makes it possible to raise these small flaws, potentially exploitable under certain conditions.
Example 3. The log records the use of the certificate converter. The statistics server therefore receives the times at which this service was used.
If it cross-references this data with the logs of the certificate converter, it can find the identity of the users. pic.twitter.com/Yr1r1eZdrF
– Gaëtan Leurent (@cryptosaurus6) August 19, 2021
Changing the timestamp could improve the situation
To alleviate some of these risks, the office of Cédric O has confirmed to us that it is "working on adjustments" following the publication of the three French researchers' study. It is possible, as Gaëtan Leurent suggested to us, that the timestamping of TousAntiCovid's usage statistics will be notably modified: instead of figures precise to the nearest millisecond, the data could be reported only once an hour.
If that were the case, many of the risks mentioned above would be swept away, as it would be impossible to cross-reference information with such a coarse timestamp.
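As an added illustration (not code from the report, the researchers or the TousAntiCovid project) of the converter cross-referencing described above and of the hourly-reporting mitigation: on constructed logs, millisecond timestamps link each pseudonym to exactly one identity, while hour-granularity buckets leave every pseudonym with several candidates. The names, pseudonyms and timestamps are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
MS = timedelta(milliseconds=1)   # current precision described in the article
HOUR = timedelta(hours=1)        # suggested coarser reporting granularity

# Constructed sample logs (not from the report or the app). The converter
# server sees the identity printed on the 2D-DOC; the statistics server only
# sees a pseudonymous UUID plus a "converter used" event. Both carry a
# millisecond timestamp, which is the linking key the researchers describe.
CONVERTER_LOG = [
    (datetime(2021, 8, 19, 12, 0, 1, 250000), "Bob"),
    (datetime(2021, 8, 19, 12, 14, 37, 900000), "Alice"),
    (datetime(2021, 8, 19, 12, 45, 3, 120000), "Carol"),
]
STATS_LOG = [
    (datetime(2021, 8, 19, 12, 0, 1, 250000), "X27B"),
    (datetime(2021, 8, 19, 12, 14, 37, 900000), "XDA8"),
    (datetime(2021, 8, 19, 12, 45, 3, 120000), "P94F"),
]


def coarsen(ts, granularity):
    """Round a timestamp down to a bucket of the given size; integer
    microsecond arithmetic keeps millisecond buckets exact."""
    bucket = granularity // timedelta(microseconds=1)
    micros = (ts - EPOCH) // timedelta(microseconds=1)
    return EPOCH + timedelta(microseconds=micros - micros % bucket)


def candidate_links(converter_log, stats_log, granularity):
    """For each pseudonym, the identities whose converter request falls in
    the same time bucket. A single candidate is a unique re-identification."""
    by_bucket = defaultdict(list)
    for ts, name in converter_log:
        by_bucket[coarsen(ts, granularity)].append(name)
    return {pseudo: sorted(by_bucket[coarsen(ts, granularity)])
            for ts, pseudo in stats_log}


def uniquely_linked(links):
    """Number of pseudonyms that map to exactly one identity."""
    return sum(1 for names in links.values() if len(names) == 1)


if __name__ == "__main__":
    for label, gran in (("millisecond", MS), ("hourly", HOUR)):
        links = candidate_links(CONVERTER_LOG, STATS_LOG, gran)
        print(f"{label}: {uniquely_linked(links)} of {len(links)} "
              f"pseudonyms uniquely linked -> {links}")
```

How much the coarser bucket helps depends on how many other users trigger the same event within the same hour; a pseudonym alone in its hourly bucket would still be uniquely linkable.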
In relation to promises, a question of communication and transparency
Despite these modifications, it is certain that the three researchers' study, as well as the press articles that relayed it, has raised new questions about the TousAntiCovid application. The app is now part of the national landscape and is frequently scrutinized: it has been downloaded more than 30 million times in total since its launch last year (although the government does not release its actual daily active user count, which is unfortunate).
The dangers associated with the protection of user data, if they exist, are however relatively minimal. It is possible that many users do not understand all the subtleties, because of the degree of technicality of the issues. However, like all subjects related to the coronavirus crisis, vaccination and the health pass, TousAntiCovid is a sensitive topic on which it is easy to get carried away.
One thing is certain: given the tensions surrounding these questions, communication around the application must be irreproachable, and the technical guarantees must live up to the security promises. So even though these are rare hypothetical situations, it remains important to take this study seriously – and to welcome the fact that civil society and its experts are seizing on these topics to push institutions to always do better.
How to disable the collection of data from TousAntiCovid
If in doubt, you can very easily deactivate the collection of statistical data in the TousAntiCovid application:
- Go to the app;
- Go down to “Settings”;
- Scroll down to the “Statistics and audience measurement” box;
- Uncheck the button.
You can also take the opportunity to request the deletion of data that has already been recorded on your use of the application.