The StopCovid application project, led by the government, aims to trace contacts and share data between people diagnosed with Covid-19 and those who believe they have crossed paths with them. While screenshots have been revealed, the CNIL remains vigilant, and ANSSI is tracking bugs and vulnerabilities with YesWeHack.
The baptism of fire is approaching for StopCovid. Originally scheduled for June 2, 2020, the application for tracing, monitoring and sharing data between Covid-19 patients and healthy people, to inform the latter that they have crossed paths with the former, could land on Android and iOS phones from this weekend. The Secretary of State for Digital, Cédric O, indicated this possibility, subject to a vote by Parliament which will take place on Wednesday and Thursday. “This application lets you know immediately if you have been in close contact in the past few days with someone you do not know and who has just tested positive for Covid-19. In the context of the application, the contacts taken into account will be the following: less than 1 meter for at least 15 minutes,” can be read in the press kit presenting StopCovid.
Developed by Inria under the supervision of the Ministry of Solidarity and Health and the State Secretariat for Digital, StopCovid has been the subject of joint work with other European partners such as the Fraunhofer Heinrich Hertz Institut and Fraunhofer AISEC (Germany), NHSX (Great Britain), Team Digitale (Italy) and BSC (Spain). “Part of these exchanges took place within a European interaction platform which gave rise to the creation of a specific working group within ETSI, the European Telecommunications Standards Institute. These collaborations make it possible to work on the interoperability of the solutions developed in each of the countries, that is to say their ability to exchange information with each other, while respecting the European framework for privacy and data protection,” indicates the press kit.
The CNIL would like people who are more exposed than others to Covid-19 patients, but who are protected by the nature of their activity, to be able to activate the StopCovid application only within defined time periods. (credit: Government)
Ephemeral crypto-identifiers not associated with people
Based on the principle of voluntary participation, StopCovid requires several settings to work, such as activation of Bluetooth, sharing of proximity history and declaration of a positive diagnosis, as can be seen in the latest screenshots of the application shared by the government. To reassure the population about its use in terms of traceability and tracking of people, the government is reassuring: “StopCovid uses the Bluetooth signal to detect a smartphone nearby. The application therefore never uses the location of people via the GPS data of mobile phones. This is why the application will not be able to know where a person has gone […] It is not possible to know the identity of the user of the application. There is no authentication system when installing StopCovid. The application will only generate pseudonyms (ephemeral crypto-identifiers) which will not be associated with a person. Only these ephemeral pseudonyms are stored on a smartphone and, if necessary, shared with a central server. No one, not even the state, will have access to a list of people diagnosed positive or to a list of social interactions between users.”
A confidential code provided by hospital staff allows a user to declare their Covid-19 patient status and to automatically activate the notification chain for persons crossed who may in turn have been infected. (credit: Government)
To guarantee respect for the privacy and anonymity of people sharing their information with StopCovid – which officially is not intended to last more than 6 months after the end of the health crisis – the Government ensures that all crypto-identifiers that no longer have epidemiological relevance will be deleted after 15 days. Such an application – unprecedented in the scale of personal data it handles – could in any case not have seen the light of day without the approval of the CNIL. As such, the National Commission for Information Technology and Liberties explained in a final deliberation that “the usefulness of the application and the need for the processing planned to fulfill the public interest mission thus entrusted to the public authority, within the meaning of the data protection rules, are sufficiently demonstrated prior to the implementation of the processing.” However: “some data mentioned in the AIPD [analyse d’impact relative à la protection des données, the data protection impact assessment] are not mentioned in article 2 of the draft decree. The Commission takes note of the ministry’s commitment to modify the draft to mention the collection of user exposure periods to contaminated people as well as the country codes. Furthermore, having regard to the particularities of the processing, it recommends that the collection of the dates of the server’s last interrogation should also be mentioned.”
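The mechanism described in the two passages above (random ephemeral pseudonyms kept only on the phone, the “less than 1 meter for at least 15 minutes” contact rule, deletion after 15 days, and upload of contact pseudonyms rather than identities to a central server) can be modelled in a few dozen lines. The following is an added illustrative example, not StopCovid or Inria code and not the real protocol; the 16-byte pseudonym size, the five-minute scan interval and the per-scan distance estimate are assumptions made for the model.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parameters taken from the article: contacts closer than 1 m for at least
# 15 minutes count, and identifiers are deleted after 15 days.
CONTACT_MAX_DISTANCE_M = 1.0
CONTACT_MIN_MINUTES = 15
RETENTION_DAYS = 15
# Assumptions for this toy model (not from the article or the real protocol).
PSEUDONYM_BYTES = 16
SCAN_INTERVAL_MIN = 5   # one Bluetooth scan every five minutes


def new_pseudonym() -> bytes:
    """Random, unlinkable pseudonym; nothing about the user can be derived from it."""
    return secrets.token_bytes(PSEUDONYM_BYTES)


@dataclass(frozen=True)
class Observation:
    pseudonym: bytes      # pseudonym broadcast by the other phone
    seen_at: datetime
    distance_m: float     # a real app would estimate this from signal strength


class ProximityHistory:
    """Local store of observed pseudonyms, kept on the phone only."""

    def __init__(self) -> None:
        self._observations: list[Observation] = []

    def record(self, obs: Observation) -> None:
        self._observations.append(obs)

    def purge(self, now: datetime) -> int:
        """Drop everything older than the retention window; returns the count removed."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self._observations)
        self._observations = [o for o in self._observations if o.seen_at >= cutoff]
        return before - len(self._observations)

    def exposure_minutes(self, pseudonym: bytes) -> int:
        """Approximate cumulative close-range time spent near one pseudonym."""
        close = [o for o in self._observations
                 if o.pseudonym == pseudonym and o.distance_m < CONTACT_MAX_DISTANCE_M]
        return len(close) * SCAN_INTERVAL_MIN

    def at_risk_contacts(self) -> set[bytes]:
        """Pseudonyms that meet the 'under 1 m for at least 15 minutes' rule."""
        seen = {o.pseudonym for o in self._observations}
        return {p for p in seen if self.exposure_minutes(p) >= CONTACT_MIN_MINUTES}


def build_upload(history: ProximityHistory) -> list[bytes]:
    """What a diagnosed user sends: contact pseudonyms only, never an identity."""
    return sorted(history.at_risk_contacts())


class ExposureServer:
    """Central server holding only pseudonyms that were reported as exposed."""

    def __init__(self) -> None:
        self._exposed: set[bytes] = set()

    def ingest(self, uploaded: list[bytes]) -> None:
        self._exposed.update(uploaded)

    def check(self, my_pseudonyms: list[bytes]) -> bool:
        """A user asks whether any pseudonym their phone broadcast was flagged."""
        return any(p in self._exposed for p in my_pseudonyms)


def demo() -> dict:
    """Constructed scenario: Alice meets Bob at close range, Carol only briefly."""
    now = datetime(2020, 5, 27, 12, 0)
    bob, carol = new_pseudonym(), new_pseudonym()
    alice = ProximityHistory()
    for i in range(3):                       # 3 scans x 5 min = 15 min under 1 m
        alice.record(Observation(bob, now - timedelta(minutes=5 * i), 0.7))
    alice.record(Observation(carol, now, 0.5))          # a single scan only
    # A stale sighting from 20 days ago must be purged, not counted
    alice.record(Observation(carol, now - timedelta(days=20), 0.5))
    purged = alice.purge(now)
    server = ExposureServer()
    server.ingest(build_upload(alice))       # Alice is diagnosed and uploads
    return {
        "purged": purged,
        "bob_notified": server.check([bob]),
        "carol_notified": server.check([carol]),
    }
```

Running `demo()` shows the three properties the article describes: the server only ever sees random byte strings, Carol's one brief sighting does not reach the 15-minute threshold so she is not notified, and the 20-day-old record is removed before anything is uploaded.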
Built on a voluntary basis, StopCovid can only be effective if a large number of users agree to use it and share their data; otherwise it will not be really useful. (credit: Government)
The CNIL wants to limit false positives by temporarily deactivating StopCovid
“The transfer of the history of pseudonymous identifiers of contact cases of an infected person, from a mobile application to the central server, requires the use of a single-use code given by a health professional following a positive clinical diagnosis or a positive COVID-19 screening test. Therefore, a user will not be able to distort the database of the application’s central server by declaring themselves positive without having been screened. In addition, the Commission notes that verification of the single-use code will be limited to its validity, and will not involve verification of the identity of the person to whom it was issued. The Commission also notes that this transmission will take place without the contact history transmitted to the server being able to be linked to the infected person,” notes the CNIL.
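The single-use code check the CNIL describes (a code issued by a health professional, accepted only while valid, consumed on first use, and never tied to the identity of the person it was given to) is a small server-side state machine. The following is an added example written for this article, not StopCovid's own code; the code format, the 24-hour validity window and the use of a hash of the code as the lookup key are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

CODE_VALIDITY_HOURS = 24   # assumption: the article gives no expiry window


def _fingerprint(code: str) -> str:
    """Store only a hash of the code so a leaked table yields no usable codes."""
    return hashlib.sha256(code.encode()).hexdigest()


class CodeRegistry:
    """Server-side registry of single-use declaration codes.

    Each entry holds only the code fingerprint, its issue time and whether it
    has been consumed; no patient identity is stored alongside it.
    """

    def __init__(self) -> None:
        self._codes: dict[str, dict] = {}

    def issue(self, issued_at: datetime) -> str:
        """Called on behalf of a health professional after a positive diagnosis."""
        code = secrets.token_hex(6)   # 12 hex characters; the format is an assumption
        self._codes[_fingerprint(code)] = {"issued_at": issued_at, "used": False}
        return code

    def redeem(self, code: str, now: datetime) -> tuple[bool, str]:
        """Accept a code at most once and only while it is still valid."""
        entry = self._codes.get(_fingerprint(code))
        if entry is None:
            return False, "unknown code"
        if entry["used"]:
            return False, "code already used"
        if now - entry["issued_at"] > timedelta(hours=CODE_VALIDITY_HOURS):
            return False, "code expired"
        entry["used"] = True   # consume before any contact history is accepted
        return True, "accepted"


def demo() -> list[str]:
    """Constructed sequence: bogus code, valid use, replay, and an expired code."""
    registry = CodeRegistry()
    t0 = datetime(2020, 6, 2, 9, 0)
    code = registry.issue(t0)
    return [
        registry.redeem("not-a-real-code", t0)[1],
        registry.redeem(code, t0 + timedelta(hours=1))[1],
        registry.redeem(code, t0 + timedelta(hours=2))[1],
        registry.redeem(registry.issue(t0), t0 + timedelta(hours=30))[1],
    ]
```

The upload of a contact history would only be accepted after `redeem` returns `True`; because the registry never records who a code was issued to, the server can reject a self-declaration made without a real diagnosis without learning anything about the person behind a genuine one.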
Citing as an example a healthcare professional or a reception agent who is particularly likely to be notified by the application as being at risk of having been contaminated by SARS-CoV-2 even when they were protected (wearing a mask, separating wall, etc.) at the time the contact was recorded, the institution further points out that “the failure of the application to take into account the context of the contacts is likely to generate many false positives.” It adds: “Consequently, the Commission wonders about the advisability of providing in the long term, within the application, the possibility for the user to define time periods during which contacts should not be considered as potentially at risk […] The presence of an easily accessible temporary deactivation button on the main screen of the application could reduce the number of false alerts corresponding to times when the user is not really exposed.”
Home screen of the StopCovid application at installation. (credit: Government)
Of course, such an application cannot be deployed without a minimum of guarantees in terms of cybersecurity and protection of the integrity of the source code. Aware of the issue, the government has entrusted the national information systems security agency (ANSSI) with this task, which notably involves the implementation of a bug and vulnerability hunting program. “ANSSI advised Inria to carry out a bug bounty-type audit of the StopCovid application, currently developed in the form of a prototype prior to any political decision, in parallel with the audits and security checks carried out by the agency and its partners throughout the design,” said a press release. “For ANSSI, the security of the application must be ensured by the combination of several processes. The assistance in secure design, then the audit of the application carried out by our experts, must be supplemented by the review of the code published as open source by the digital community and by the organization of bug bounty-type searches for security flaws,” said Guillaume Poupard, director general of ANSSI.
To carry out this bug hunt, the StopCovid project team called on YesWeHack to solicit its community of ethical hackers. “As part of the StopCovid project, around twenty experts from across Europe will begin testing the security of the application this Wednesday, May 27. They will be followed, as of June 2, by all hackers from the YesWeHack community who wish to take part. The bounties paid for the discovery of vulnerabilities may reach 2,000 euros for the most critical.”
Description of the procedure and text explanation of the usefulness of the StopCovid application intended for users. (credit: Government)