France's data protection watchdog, the CNIL, has published its second review of StopCovid, the contact-tracing app backed by the French government. The CNIL says there is no major problem with the technical implementation or the legal framework around StopCovid, with a few caveats.
France has chosen not to rely on Apple and Google's contact-tracing API. Instead, a group of research institutes and private companies has worked on a separate solution.
At the heart of StopCovid is a centralized contact-tracing protocol called ROBERT. It relies on a central server to assign each app install a permanent ID and to generate ephemeral IDs tied to that permanent ID. Your phone broadcasts its current ephemeral ID and collects the ephemeral IDs of other app users around you. When someone is diagnosed with COVID-19, the server receives the ephemeral IDs they collected from the people they interacted with, and resolves them back to permanent IDs. If one or more of your ephemeral IDs is among them, you receive a notification.
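The flow described above, as an added toy simulation written for this article (it is not StopCovid or ROBERT code and does not come from the CNIL review): the server holds the key and the permanent IDs, phones exchange only ephemeral IDs, and a positive diagnosis uploads the contacts' IDs for the server to resolve. Deriving ephemeral IDs with a truncated HMAC, keeping a server-side reverse index, counting epochs as integers and rejecting an ID replayed outside its epoch are all assumptions chosen to keep the example self-contained; the real protocol's cryptography and message formats differ.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed toy model of a ROBERT-style centralized exposure-notification
# flow. Assumptions (not taken from the protocol specification): ephemeral IDs
# are HMAC-SHA256 over (permanent_id, epoch) truncated to 8 bytes, the server
# keeps a reverse index to resolve them, and an epoch is a plain integer.


class Server:
    """Central server: owns the key, the permanent IDs and the exposure flags."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._exposed: Dict[bytes, bool] = {}                 # permanent_id -> at-risk flag
        self._index: Dict[bytes, Tuple[bytes, int]] = {}      # ebid -> (permanent_id, epoch)

    def register(self) -> bytes:
        """Assign a fresh permanent (pseudonymous) ID to a new app install."""
        pid = secrets.token_bytes(16)
        self._exposed[pid] = False
        return pid

    def issue_ebids(self, pid: bytes, epochs: range) -> Dict[int, bytes]:
        """Generate the ephemeral IDs a phone will broadcast, one per epoch."""
        out: Dict[int, bytes] = {}
        for epoch in epochs:
            msg = pid + epoch.to_bytes(4, "big")
            ebid = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
            self._index[ebid] = (pid, epoch)
            out[epoch] = ebid
        return out

    def resolve(self, ebid: bytes) -> Optional[bytes]:
        """Map an ephemeral ID back to a permanent ID: only the server can do this."""
        hit = self._index.get(ebid)
        return hit[0] if hit else None

    def report_positive(self, reporter: bytes, observed: List[Tuple[int, bytes]]) -> int:
        """A diagnosed user uploads the (epoch, ebid) pairs their phone collected.

        Only the contacts' IDs are resolved; the reporter is never flagged by
        their own upload, and an ID heard outside the epoch it was issued for is
        ignored. Returns the number of users newly marked as exposed.
        """
        newly: set = set()
        for epoch, ebid in observed:
            hit = self._index.get(ebid)
            if hit is None:
                continue
            pid, issued_epoch = hit
            if issued_epoch != epoch or pid == reporter:
                continue
            if pid in self._exposed and not self._exposed[pid]:
                self._exposed[pid] = True
                newly.add(pid)
        return len(newly)

    def status(self, pid: bytes) -> bool:
        """What the phone polls for: has this permanent ID been marked exposed?"""
        return self._exposed.get(pid, False)

    def delete_user(self, pid: bytes) -> None:
        """Erase a user's pseudonymized data, including every ephemeral ID issued to them."""
        self._exposed.pop(pid, None)
        for ebid in [e for e, (p, _) in self._index.items() if p == pid]:
            del self._index[ebid]


class Phone:
    """An app install: broadcasts the current epoch's ID and records what it hears."""

    def __init__(self, server: Server, epochs: range) -> None:
        self.server = server
        self.pid = server.register()
        self.ebids = server.issue_ebids(self.pid, epochs)
        self.observed: List[Tuple[int, bytes]] = []

    def broadcast(self, epoch: int) -> bytes:
        return self.ebids[epoch]

    def hear(self, epoch: int, ebid: bytes) -> None:
        self.observed.append((epoch, ebid))

    def report_positive(self) -> int:
        return self.server.report_positive(self.pid, self.observed)

    def is_exposed(self) -> bool:
        return self.server.status(self.pid)


def meet(epoch: int, a: Phone, b: Phone) -> None:
    """Two phones in Bluetooth range exchange the current epoch's ephemeral IDs."""
    a.hear(epoch, b.broadcast(epoch))
    b.hear(epoch, a.broadcast(epoch))


def run_scenario() -> dict:
    """Alice meets Bob at epoch 3, Carol meets nobody, then Alice tests positive."""
    server = Server()
    epochs = range(0, 8)
    alice, bob, carol = (Phone(server, epochs) for _ in range(3))

    meet(3, alice, bob)
    # A bystander records Bob's epoch-3 ID and replays it near Alice in epoch 6:
    # the server must not count it as a second contact.
    alice.hear(6, bob.broadcast(3))

    result = {
        "newly_flagged": alice.report_positive(),
        "bob_exposed": bob.is_exposed(),
        "carol_exposed": carol.is_exposed(),
        "alice_exposed": alice.is_exposed(),
        # Bystanders see a different ID from Bob every epoch...
        "bob_ids_distinct": len(set(bob.ebids.values())) == len(bob.ebids),
        # ...but the server links every one of them to his permanent ID.
        "server_can_link": all(server.resolve(e) == bob.pid for e in bob.ebids.values()),
    }
    # Bob asks for erasure: his flag and all his ephemeral IDs vanish server-side.
    server.delete_user(bob.pid)
    result["bob_after_deletion"] = bob.is_exposed()
    result["bob_ids_remaining"] = sum(1 for e in bob.ebids.values() if server.resolve(e))
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two booleans `bob_ids_distinct` and `server_can_link` are the whole privacy debate in miniature: nobody listening over Bluetooth can link Bob's IDs across epochs, but the operator of the server can, which is why the scheme is pseudonymous rather than anonymous.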
ROBERT has been controversial because it is not an anonymous system; it relies on pseudonymization. Because the server can link every ephemeral ID back to a permanent ID, you have to trust your government not to collect more information than it needs and not to try to put names on those permanent IDs.
But the CNIL points out that ROBERT focuses on exposed users rather than on users diagnosed with COVID-19, which it calls "a choice that protects the privacy of these people." The CNIL also notes that ROBERT strives to minimize data collection as much as possible.
A few weeks ago, Inria published a small part of the source code that will power StopCovid. The research institute initially said that some parts would not be open source. The CNIL challenged that decision; Inria has since reversed its position, and the government promises that everything will eventually be released.
The StopCovid development team is also launching a bug bounty program in partnership with YesWeHack, following recommendations from France's National Cybersecurity Agency (ANSSI).
On the legal side, the draft decree rules out data aggregation in general. For instance, the government will not be able to generate a heat map from StopCovid data; StopCovid does not collect your location anyway.
The CNIL says the government promises that there will be no negative consequences if you don't use StopCovid and no privileges if you do. The government also promises that you will be able to delete your pseudonymized data from the server. All of this remains to be "confirmed" in the final decree.
Finally, the CNIL recommends a few changes to better inform users about data collection and storage, as it is currently hard to understand what happens to your data. There should also be specific wording for minors and their parents.
In other news, the government sent me screenshots of the application. Here’s what it looks like on iOS:
French digital minister Cédric O will appear before members of parliament tomorrow to discuss the pros and cons of StopCovid. It will be interesting to see whether the French government has managed to convince lawmakers that a contact-tracing app is useful in fighting the spread of COVID-19.