STOP COVID. The application developed under the supervision of the government is available on Tuesday 2 June. How is it useful to combat the Covid ? Are there any risks for their personal data ?

Summary Opinion of the Cnil Operation of StopCovid personal Data and liberties, Volunteerism and anonymity protocol “ROBERT” Arm of iron against Apple StopCovid on iPhone release Date pushed back A bracelet connected to What effectiveness ?

[updated 2 June at 12h42 ] The application StopCovid is available on the download platforms this Tuesday, June 2. To install it on their smartphone, it is very easy : go on Google Play if you have a phone with Android, on the App Store if you own an iPhone. Of course, as promised by the government, which is at the origin of the deployment of this application, it is completely free. The public authorities have done well to know that its installation, which accompanies the second phase of the déconfinement, is done on a voluntary basis.

Concretely, the app StopCovid allows a person who is positive for the coronavirus to automatically alert all users with whom it has had a “prolonged contact” recently, less than a meter, and for more than fifteen minutes, in order that they might be tested in their turn.

Screenshot of the application StopCovid © Economie.gouv.fr Screenshot of the application StopCovid © Economie.gouv.fr learn All about StopCovid How the application works StopCovid ?

StopCovid is a voluntary and provisional, which allows, once installed on smartphones, to establish connections between its users and the alert among them the contacts of those who will be tested positive for the coronavirus. An alert that allows these “case contact” to see a doctor and isolate themselves pending the results of a screening test.

The minister of Health Olivier Véran and the secretary of State to Digital, Cedric O, in an interview with the World has exploded in the principle in the guidelines : “develop an application that could limit the spread of the virus by identifying the chains of transmission. The idea is to prevent people who have been in contact with a patient tested positive, so they test themselves, and if need be, that they are taken in charge very early, or they confine themselves”.

“Wwhere two people intersect for a certain duration, and at a close distance, the mobile phone of the a record the references of the other in its history”. “If a positive case is found, those who have been in contact with this person are defendants in an automatic way”, said then Cedric O. The ministry of Economy and Finance issued, on may 21, a press in which the operation of the application has been diagrammed as :

Operation of the app StopCovid. © Economie.gouv.fr

Cedric O was nevertheless hammered for weeks that StopCovid was only a “brick – also uncertain – of a comprehensive strategy to déconfinement and a digital tool among others in the fight against the epidemic”.

A default of StopCovid on iPhones ?

The app works on all smartphones. But after failing to find an agreement with Apple, the app of the government includes a special feature for iPhone owners. StopCovid remains ineffective in a particular situation. In a group of people who do that the iPhone and all the devices are in standby, the app could remain “asleep” as we explain here.

A debate on the personal data and liberties

Emmanuel Macron has put in place as early as mid-march a committee of experts, the Committee analyses, research and expertise (Care), responsible, in particular, to think of a “digital strategy for the identification of persons who have been in contact with infected people”. During his hearing before the fact-finding mission on the coronavirus of the Assembly on the 1st of April, Edouard Philippe had referred to a plot “voluntary” in France. “It is necessary to explore all the doors open, full of technologies may prove to be useful”, wore it already at Matignon. On the same day, Cedric O was also confirmed that the government was studying this kind of device.

But this long preparation of the opinion has not prevented the debate from exploding, including within the majority, as reported by le Parisien as of Tuesday 7 April. The same in Paris has published the following day an interview with Stéphane Séjourné, mep LREM and a former adviser Emmanuel Macron, who felt that the digital traces was “to admit that authoritarian regimes are better equipped than democracies to respond to the crisis”. The former political advisor to the presidency of the Republic did not hesitate, then, to speak of “Big Brother” and urged the government to keep “this philosophy based on the respect of rules and confidence in individuals.”

An app that has been validated by the Cnil

Before the vote of parliamentarians, the national Commission on informatics and liberties (Cnil) was also completely validated Tuesday, may 26, the principle of the application, in an opinion which pointed out that the numerical solution respects the data protection. The Cnil welcomes, in particular, that some of its recommendations have been followed on the anonymisation of contacts, the duration of the backup data, the fact that the ministry of Health who has the charge, or even on the liberté or not to install it on his smartphone, and this without any legal consequences (negative on the access to public transport for example).

“It’s a good thing we took the time to ensure that there are sufficient guarantees regarding the protection of privacy in order to implement an application that is not trivial or insignificant”, said Marie-Laure Denis, the president of the Cnil, on Europe 1 on Tuesday. She promises that StopCovid will preserve “the information of the people and their right to erasure of data recorded on the mobile phones and the central server”.

other developments more technical, such as a new encryption algorithm or the fragmentation of encryption keys allow, according to the Commission, “to ensure the impossibility for a single player to operate a diversion of use of the data”. “The actual usefulness of the device will have to be more precisely studied after its launch”, nuance, however, the notice provides some additional recommendations, but concluded that StopCovid “can be legally implemented”.

As of Sunday, April 26, in a first notice available on its website, members of the quorum of the Cnil had already considered that “the application [could] be deployed, in accordance with the general regulation of data protection (RGPD), if its utility for the management of the crisis [was] sufficiently proved and if certain safeguards [were] made.” The commission was called, however, for the government to “use great caution”, considering that the app StopCovid might generate a “phenomenon of addiction” to the devices for tracking. She recalled that this type of application raises “novel questions in terms of protection of private life”.

Interviewed by the Senate on Wednesday, April 15, the president of the Cnil, Marie-Laure Denis, had already urged the government to make the application “temporary”. “It is really necessary that its duration does not exceed the duration necessary for the treatment of the health crisis,” said the president of the Cnil, referring also to “protection of personal data”, “data deletion”, the essential possibility of being able to uninstall the app and that the consent is “informed”. “The refusal to download the application will not reduce your ability to move”, she added.

A new hearing of Marie-Laure Denis was held Tuesday, may 5 at the national Assembly. She indicated to mps that the Cnil as it heads had already begun to dissect the project StopCovid, and that the commission would be “particularly attentive to the duration of conservation of data”, as well as to their “relevance”. The president of the Cnil requested that the data be “deleted within a fairly short, well before the end of the epidemic”. It seems that she had been heard…

Volunteerism and anonymity meets the government

“It is important to keep the fantasy of an application to be liberticidal.It is a tool deliberately installed and which can be uninstalled at any time. The data would be anonymous and deleted after a given period of time,” replied the World’s Cedric O to the detractors of StopCovid as early as 8 April. Main guarantee displayed by the defenders of the tool contact tracing : the mobile application is based on a voluntary by the users of smartphones and the Bluetooth communication that allows you to retain anonymity.

A long argument in favour of StopCovid

Cedric O has released it a bit of a long post on the platform Medium. On the merits, it is estimated that StopCovid is very valuable, with other tools, to avoid a rebound of the epidemic in the déconfinement. It is necessary, according to him, “do everything to cut the ‘departures of fire’ as quickly as possible, including the use of digital tools as ‘StopCovid’, in a highly supervised and proportionate”. The digital solution would be highly useful according to him, “in the urban centres […], public transport, public places, or shops”, where the human resources will not allow us to reconstruct the channels of transmission as effectively as the processing of data.

Everyone can of course “opt-out of these tools for philosophical reasons” , but that would mean “in this case” to “accept a significant risk of sick and dead extra”, also prevents Cedric O who says that StopCovid “is not a monitoring application”, “is not an application to tracking” in the sense of geolocation, “is not an application of denunciation”, “is not compulsory”, “there is nothing a black box”, and would even many safeguards.

In The Figaro on may 26, Cedric O still wanted to push a little more the nail, ensuring that StopCovid “will automatically be turned off and the data will be all erased within six months after the end of the State of health emergency”. “You can’t be better-saying in terms of protection of privacy that this app !”, de jure the secretary of State. “Nobody, not even the State, will have access to a list of people who are diagnosed positive or with a list of social interactions between users.”

The protocol “ROBERT” in question

for the sake of transparency, the source code of the app has been unveiled as part of the Tuesday, may 12, “so that all the coders interested” can “go and check how the application works” and in particular, whether a risk of diversion &aserious; for the monitoring of the population is found has also shown Cedric O. The source code is available on the Gitlab Inria a site that allows coders and developers to share their work. There is a question in particular of the protocol used, called “ROBERT” (for “ROBust and privacy-presERving proximity Tracing”), which is at the heart of the application.

ALSO READ A presentation of the protocol ROBERT dated 18 April on the website of the Inria another document of the Inria on the protocol, ROBERT a PDF of The details of the protocol by ROBERT on the Gitlab Inria

researchers franco-germans, who also had published as early as mid-April some technical details on the app StopCovid, have confirmed that the protocol to ROBERT, does not use geo-location data of the smartphone, but the Bluetooth technology. It will allow “the sharing, by the persons detected positive Covid-19, a list of anonymous identifiers corresponding to the people that they have to cross during the incubation period of the virus”. Concretely, a server will generate the codes anonymous, which will be disseminated at the interactions between users to allow then to alert the right people if one of them is tested positive for the coronavirus.

The catch is that this server provided by the protocol ROBERT will reference each user in a central database in the form of a unique identifier. A system judged to be very (too ?) “centralized” by several experts, who argue that it makes possible a control of the tool by its owner, namely the State. Among the main opponents of the centralized system is a protagonist of size : Apple, supporter for its share of a “decentralized”. The american giant is also repelled by the diffusion in the background (in other words when the user is not viewing the app) of the famous codes anonymous generated via Bluetooth. A detail that directly contradicts the model of security of its system iOS, used to protect the data of its users. However, this work in the background seems essential to make the connection between the users even when the app is not open or when the phone is locked at the bottom of a pocket.

The iron arms of France in the face of Apple

To solve part of this problem, Apple and Google have announced Friday, 10th of April a partnership “with the aim of helping governments and health agencies to reduce the spread of the virus”, but “integrating the privacy and security of the users at the heart of the design”. Their solution, called the “Exposure documents”, is based on an API that is “decentralized”. She quickly proved to be incompatible with StopCovid. Questioned in the Senate on this issue as early as mid-April, Aymeril Hoang, former director of the cabinet of Mounir Mahjoubi Digital and adviser to the government, has pleaded for the sovereignty and warned against the “turnkey solution” of the two giants. Arguments repeated, word for word, or almost by Cedric O who was confirmed on 20 April before the Senate’s law commission that the model proposed by France would not change one iota on this point.

The secretary of State to Digital has not then been continuously confirm this position, as in the Sunday Newspaper of April 26, or on BFMTV on Tuesday 5 may. Even if she always remained “in discussion with Apple,” France did not want to give in to the injunctions of the u.s. firm, believing that “mastery of the health system, the fight against the coronavirus, it is the business of the States” and the option “centralized” brought as much guarantee of security as the “decentralized” advocated by the two giants of the digital world. “In a common platform in Germany, France, Italy, Spain and Portugal […] we recall that the choice of a country’s health should not be constrained by the choice of a company, as innovative as it is”, further indicated Cedric O on may, 26 in The Figaro.

“there is indeed the solution proposed by Apple and Google that application as we have a number of problems in terms of privacy and in terms of interconnection with the health-care system”, said the minister in early may on Medium or even on BFMTV. “It is for these problems, not because Apple and Google are villains, that we refused to go through their solutions”, added the secretary of State.

beyond The political speeches, the control of data is at the heart of the problem. Access to the metadata, that is to say, the anonymized recordings made by StopCovid may also allow the government and its health authorities to measure the evolution of the epidemic in a geographic scale is very fine. “This allows you to generate statistical data for monitoring the epidemic, always preserving the anonymity of the users,” recently confirmed by a specialist of the folder in The Figaro. If the keys were given to Apple and Google, the government could say goodbye to these datas and therefore, in this analysis.

StopCovid on iPhone : the rules of the iOS bypassed

If both Google and Apple have banned any new application taking advantage of the crisis of the sars coronavirus since the start of the pandemic, there was a hope that an exception would be granted to an application to government by the two american giants. But never Apple didn’t bow to a government, was-t-he in the United States. France, which remained braced on his solution, therefore had to work around the problem. “Like what was presented to the NHS of the uk, the French hope to be able to partially circumvent the restrictions of american software”, wrote the newspaper Les Echos as of 5 may, which evoked an app going background tasks, Bluetooth, but that is likely to “wake up” when a smartphone passes near another. A solution that is very consuming battery and imperfect, which has, however, been chosen.

In The Figaro on Tuesday, may 26, Cedric O has well and mentioned an app that can “wake up” other applications to close. More specifically, once launched, StopCovid will work, even if it is not used, but as long as the iPhone is in the works. It will be able to continue to make and send signals to other smartphones equipped. When the iPhone is in sleep mode, however, the app will need to be “woken up” by another smartphone that is emitting such signals, but only if it comes to phones Android. If it is other iPhone, who are not in a capacity to issue permanently, then it will remain “asleep”. If the API Exposure notification from Apple and Google, StopCovid will therefore be ineffective in some particular case. In only groups, teams and iPhone, whose devices are concurrently in sleep mode, it will not work…

The effectiveness of StopCovid very uncertain

there is one last fundamental question : StopCovid will it be really effective in the fight against a new epidemic wave of coronavirus ? In The World April 8, Cedric O called on the French to “keep a fantasy opposite, the one of the application that magic would solve everything. There is a technological uncertainty, and this is only a brick an option in an overall strategy of déconfinement”. The chairman of the scientific Council in charge of advising the government on the Covid-19 was also expressed reservations before the Senate as early as 15 April. Jean-François Delfraissy believed that it would be necessary to complete the app by human means of tracing and monitoring of the epidemic on the ground. “The Koreans have a squad of 20 000 people to track down contacts. There is a human behind the digital. But it does not in France. If it has not, an app for digital will not work”, said the professor, who has since made a recommendation in this sense.

The scientific Council has indicated in a notice made public on Saturday, April 25, that it was necessary that “mobile teams contact tracing, and isolation” are put in place, “in particular to target populations in remote or insecure or in the case of outbreaks of transmission (clusters)”. These teams would be “complementary platforms” as StopCovid and “would be coordinated with a direct link to it”, wrote the experts. “In support of the app, it takes a very wide use of tests for the persons having crossed a sick person”, added Jean-François Delfraissy. Cedric O when indicated in the JJD on April 26, that StopCovid would be an element of the system sanitary surveys, which is at the heart of the déconfinement, in order to avoid the epidemic spread”. These brigades have been confirmed by Edouard Philippe the presentation of the plan of déconfinement on 28 April and began work on may 11.

How many users of StopCovid

The question of the rate of penetration of the app StopCovid is also raised. If it is based on the consent or the volunteer, it could be installed on a smaller portion of phones, which would reduce the efficiency. The issue of older workers is also evident. Then they are more likely to develop severe forms of the coronavirus, they are also the ones who are the least well equipped in smartphones. The president of the Cnil Marie-Laure Denis was at his Senate hearing in mid-April, the equipment rate of more than 70 years at only 44%, compared to 98% among the 18-25 years old. But Cedric O minimizes. According to him, in large urban areas where StopCovid will be the most useful, the penetration rate is 90%. “Our first target is people who are very mobile, especially in dense area. This is why we will strongly encourage its use among the populations of the urban active population who take public transport. These hold smartphones to more than 97%”, he says to the Figaro on Tuesday, may 26.