France's data protection watchdog CNIL has released its second review of StopCovid, the contact-tracing app backed by the French government. The CNIL says there’s no major issue with the technical implementation and legal framework around StopCovid, with some caveats.
France isn’t relying on Apple and Google’s contact-tracing API. Instead, a group of research institutes and private companies have worked on a separate solution.
At the heart of StopCovid, there’s a centralized contact-tracing protocol called ROBERT. It relies on a central server to assign a permanent ID and generate ephemeral IDs attached to this permanent ID. Your phone collects the ephemeral IDs of other app users around you. When somebody is diagnosed COVID-19-positive, the server receives all the ephemeral IDs associated with people with whom they’ve interacted. If one or several of your ephemeral IDs get flagged, you receive a notification.
ROBERT has been a controversial topic as it isn’t an anonymous system — it relies on pseudonymization. It means that you have to trust your government that it isn’t collecting too much information and that it doesn’t plan to put names on permanent IDs.
But the CNIL says that ROBERT focuses on exposed users instead of users who are diagnosed COVID-19-positive — it is “a choice that protects the privacy of those persons,” the agency says. The CNIL also says that ROBERT tries to minimize data collection as much as possible.
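As an added illustration of the centralized ROBERT flow described above (this is a toy model written for this page, not code from Inria or the StopCovid project), the following Python simulation shows the server issuing ephemeral IDs, a diagnosed user uploading the IDs it collected, and the server flagging only the exposed users. It also makes the pseudonymization point concrete: the map from ephemeral IDs back to permanent IDs exists only on the server. The HMAC-per-epoch derivation and the three-epoch timeline are simplifying assumptions, not the real protocol's specification.

```python
import hmac, hashlib, secrets

class Server:
    """Constructed model of the central ROBERT server (simplified)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # server secret; never sent to phones
        self.exposed = {}                    # permanent ID -> exposure flag
        self.eph_to_perm = {}                # the pseudonym link only the server holds

    def register(self):
        pid = secrets.token_hex(8)           # permanent ID assigned by the server
        self.exposed[pid] = False
        return pid

    def ephemeral_ids(self, pid, epochs):
        # Assumption: one ephemeral ID per epoch, derived from the permanent ID
        # under the server key, so phones cannot link two epochs of the same user.
        ids = []
        for e in epochs:
            eid = hmac.new(self.key, f"{pid}:{e}".encode(), hashlib.sha256).hexdigest()[:16]
            self.eph_to_perm[eid] = pid
            ids.append(eid)
        return ids

    def report_positive(self, collected_eids):
        # A diagnosed user uploads the ephemeral IDs it heard; the server resolves
        # them to permanent IDs and flags those users as exposed.
        for eid in collected_eids:
            pid = self.eph_to_perm.get(eid)
            if pid is not None:
                self.exposed[pid] = True

    def status(self, own_eids):
        # A phone asks whether any of its own ephemeral IDs has been flagged.
        return any(self.exposed.get(self.eph_to_perm.get(e), False) for e in own_eids)

class Phone:
    def __init__(self, server, epochs):
        self.pid = server.register()
        self.my_eids = server.ephemeral_ids(self.pid, epochs)
        self.seen = set()                    # ephemeral IDs heard over Bluetooth

def simulate():
    """Constructed scenario: Alice and Bob meet in epoch 1, Carol meets nobody."""
    server = Server()
    alice, bob, carol = (Phone(server, range(3)) for _ in range(3))
    alice.seen.add(bob.my_eids[1]); bob.seen.add(alice.my_eids[1])
    server.report_positive(alice.seen)       # Alice is diagnosed and uploads contacts
    return {"bob": server.status(bob.my_eids), "carol": server.status(carol.my_eids),
            "alice": server.status(alice.my_eids)}
```

Running `simulate()` flags Bob and nobody else, matching the page's description that the server acts on exposed users rather than the diagnosed user's own identity.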
Inria released a small portion of the source code that is going to power StopCovid a couple of weeks ago. The research institute originally said that some parts wouldn’t be open-sourced. The CNIL contested this decision and Inria has now reversed its stance and the government promises that everything will be released, eventually.
The StopCovid development team is also launching a bug bounty program in partnership with YesWeHack following recommendations from France’s national cybersecurity agency (ANSSI).
On the legal front, the draft decree excludes data aggregation in general. For instance, the government won’t be able to generate a heat map based on StopCovid data — StopCovid doesn’t collect your location anyway.
The CNIL says that the government promises that there won’t be any negative consequence if you’re not using StopCovid, nor any privilege if you’re using it. The government also promises that you’ll be able to delete pseudonymized data from the server. All of this is still ‘to be confirmed’ with the final decree.
Finally, the CNIL recommends some changes when it comes to informing users about data collection and data retention — it’s hard to understand what happens with your data right now. There should be some specific wording for underage people and their parents as well.
In other news, the government has sent me some screenshots of the app. Here’s what it looks like on iOS:
France’s digital minister, Cédric O, will be in front of parliament members tomorrow to debate the pros and cons of StopCovid. It’s going to be interesting to see whether the French government has managed to convince parliament members that a contact-tracing app is useful to fight the spread of COVID-19.