Video: why the StopCovid app doesn’t work


StopCovid had a difficult gestation, punctuated by heated debates and criticism of the technological choices behind the project. One might have thought that the official release of the application on June 2 would calm things down, but the trouble for the contact tracing application is not over. As revealed by France Info, the number of users is struggling to take off: two weeks after launch, it barely reaches 1.7 million, which represents 2% of the French population. The application would only be effective if 80% of the population used it.

On launch day, the app totaled 600,000 downloads, and it has struggled to do better since. This adoption figure looks pale next to its German equivalent, which claims 6.5 million downloads on its first day of availability.

Criticism of the StopCovid application has never stopped: a security researcher has brought back to the fore the concerns about the amount of data the application transmits to the central server. In a post on the application’s GitLab, the cryptographer Gaetan Leurent (known in particular for his work on the Sweet32 flaw) questions how the application behaves when a user declares themselves infected. According to the researcher, the application’s actual behavior contradicts the decrees governing its use and its personal data policy: his tests show that the application sends the server all contacts encountered during the last 14 days, not only the contacts with a risk of transmission.

Criticism is easy, contact tracing is difficult

It could have remained just one more entry in the StopCovid bug tracker. But Mediapart picked up the researcher’s findings and questioned the Secretary of State for Digital Affairs on the subject. The ministry’s response points out that a new identifier is assigned “every quarter of an hour” to the user of the application.

“Thus, a contact that would last only five minutes could be the result of a contact of twelve minutes: two contacts that only the server is able to link to understand that it is, in reality, only one, of 17 minutes, and therefore at risk. The only solution designed to overcome this problem is to send all of the contacts back to the server in order to be able to perform the necessary data processing to isolate the contacts at risk.”
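The ministry's argument can be made concrete with a short sketch, added here as an illustration and not taken from StopCovid or the ROBERT specification. The HMAC derivation, the 15-minute risk threshold, the rule that merges consecutive epochs, the user names and all sample values are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

RISK_MINUTES = 15  # assumption: the page gives no threshold, only that 17 min is at risk
SERVER_KEY = b"constructed-demo-key"  # constructed value; never leaves the server


def ephemeral_id(user: str, epoch: int) -> str:
    """Identifier broadcast during one quarter-hour epoch (HMAC is a stand-in)."""
    msg = f"{user}|{epoch}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_server_index(users, epochs):
    """Server-only table: ephemeral identifier -> (user, epoch)."""
    return {ephemeral_id(u, e): (u, e) for u in users for e in epochs}


def phone_side_filter(observations):
    """A phone judging each identifier in isolation, without the server key."""
    return [eid for eid, minutes in observations if minutes >= RISK_MINUTES]


def server_side_risk(observations, index):
    """Link identifiers to users and merge contacts seen in consecutive epochs."""
    per_user = defaultdict(dict)
    for eid, minutes in observations:
        if eid in index:
            user, epoch = index[eid]
            per_user[user][epoch] = per_user[user].get(epoch, 0) + minutes
    at_risk = {}
    for user, by_epoch in per_user.items():
        best, run, prev = 0, 0, None
        for epoch in sorted(by_epoch):
            adjacent = prev is not None and epoch == prev + 1
            run = run + by_epoch[epoch] if adjacent else by_epoch[epoch]
            best, prev = max(best, run), epoch
        if best >= RISK_MINUTES:
            at_risk[user] = best
    return at_risk


def demo():
    index = build_server_index(["user-A", "user-B"], range(40, 44))
    # Constructed upload: user-A seen 12 min, then 5 min after the identifier
    # rotated; user-B seen 4 min only.
    upload = [(ephemeral_id("user-A", 41), 12), (ephemeral_id("user-A", 42), 5),
              (ephemeral_id("user-B", 41), 4)]
    return phone_side_filter(upload), server_side_risk(upload, index)
```

The phone-side filter keeps nothing, while the server reports user-A at 17 minutes. The same table that makes this linking possible also lets the server associate every uploaded contact with a user, which is the data-minimization concern the researcher raised.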

Critics of the application point out that these problems were already raised in the past and are inherent in the choice of protocol (ROBERT, a protocol developed for the occasion by Inria), a centralized “in-house” protocol. The choice has been fairly criticized by European counterparts, most of whom lined up behind the decentralized protocols favored by Google and Apple. During a hearing in the Senate, Margrethe Vestager, Vice-President of the European Commission in charge of digital technology, recalled that the choice of a centralized approach “put France in a specific situation” vis-à-vis its European counterparts. Europe wants to pool contact tracing data across the various applications offered by the Member States, but the technological choices of the StopCovid project set the application apart.

