The TousAntiCovid-Verif application, which lets professionals check the public's information as part of the health pass, has been strongly criticized for several days. Some technical choices are controversial, and the way the application is said to work would not be entirely consistent with how it actually works.

On June 9, a new phase of deconfinement begins in France, with the total reopening of bars, cafes and restaurants, but also sports halls and stadiums. Capacity limits for receiving the public will also be relaxed and the curfew will be pushed back to 11 p.m., instead of 9 p.m. Finally, movement between European countries will also be made easier.

This is also the date on which the system of QR codes to be scanned at the entrance to public places comes into play, so that the public can be notified if a sick person was in the same place on the same day and in the same time slot. These codes can already be generated and, in some cases, this device will be mandatory. Put briefly, it is the digital equivalent of the reminder notebook.


TousAntiCovid-Carnet, to store your certificates

In this context, the TousAntiCovid application is evolving. It of course includes a section to store, for a period of two weeks, the information of the QR codes of the places that have been visited, in order to alert individuals in the event of possible exposure to the coronavirus. In addition, it also includes a “TousAntiCovid-Carnet” section, which allows you to keep documents related to your state of health.

This is what the TousAntiCovid-Carnet option will look like

Source: Government

In this notebook, the public can place a vaccination certificate (this document is given each time a vaccine is injected and, for people who have been vaccinated very early on, before this document is put in place, it can be retrieved a posteriori on Ameli), but also proof of a negative or positive test, for people who are not yet vaccinated or who do not want to be.

This TousAntiCovid-Carnet section is part of the health pass strategy, which will be mandatory in certain situations, starting with events that bring together more than 1,000 people. However, to avoid possible attempts at cheating, a system is provided for verifying the authenticity of the supporting documents which are contained in this section, or which are presented on a sheet of paper.

TousAntiCovid-Verif, to scan certificates

This system consists of another application, called TousAntiCovid-Verif, which is not intended for the public, but for certain professionals (such as airlines, to check the validity of health documents before boarding and determine whether you can actually travel). This application already exists and can be found on Google Play (for Android) and the App Store (for iOS).

That said, inappropriate uses cannot be ruled out. In theory, the use of this application is reserved for authorized persons and authorized services. An ordinary user does not have the right to use it. In practice, however, it is impossible to ensure that only the right people use it, despite a reminder of the possible sanctions. A declaration on one's honor will not be a sufficient filter.

Screenshot of TousAntiCovid Vérif in the Google Play Store

Pointing out data transfers

This new application, TousAntiCovid-Verif, has been criticized for a few days for the way it operates and for technical choices that are likely to expose personal and medical data. That's what this Twitter thread from IT expert Mathis Hammel and these posts on Medium and Broken by Design show.

In these different experiments, it is possible to extract the identity of the individual, but also the type of vaccine that was injected, the date of birth and other indications (number of doses received, date of injection, etc.). This is partly because of the 2D-DOC standard the device relies on. In fact, any simple mobile application that supports the 2D-DOC standard can see this information.

This leads Mathis Hammel to say that even if the TousAntiCovid-Verif application is undoubtedly restricted in order to display only the essentials (this was what was suggested in April, when this device was mentioned) and to avoid saying too much about people, other applications could emerge and be used instead of the right one, by mistake or intentionally for malicious purposes.

A government FAQ points in the same direction: “the application will have the “minimum” reading level with just the valid / invalid pass information and name, first name, without disclosing further health information”. Cédric O, questioned on FranceInfo on June 7, also reaffirmed that he had “no worries about the protection of the privacy of the French”.

In the screenshots published on the Google Play Store, we can also see what those who scan the codes with TousAntiCovid-Verif are supposed to see:

Screenshot of TousAntiCovid Vérif in the Google Play Store, showing what those who scan the code are supposed to see

Personal health data is transferred to a server of a company that belongs to the State

In addition to the problems of imperfect pseudonymization of information, there are the conditions under which this information is handled by TousAntiCovid-Verif. Here too, peculiarities in the operation of the application have been noted. In this other thread on Twitter, it is observed that data is transferred to a server of the company that developed TousAntiCovid-Verif, IN Groupe.

IN Groupe is a separate company: it is the Imprimerie Nationale, 100% owned by the French State. It is this structure that is responsible for producing the new national electronic identity cards, for example. The fact remains that sensitive information would circulate between TousAntiCovid-Verif and the IN Groupe server, although this seems neither necessary nor advisable.

Still on Twitter, it is announced that "the entire content of the 2D-DOC (namely the surname, first name, date of birth, number and brand of vaccine, date of injection, signature, etc.) is sent to a server of IN Groupe". The 2D-DOC code is a kind of QR code which is based on the Datamatrix code. In the vaccination certificate, it is presented next to the QR code to be flashed in TousAntiCovid.

On the certificate, two QR codes are presented (here hidden for confidentiality reasons).

He goes on to point out that this 2D-DOC code “is digitally signed using an ECDSA asymmetric key”, which on the one hand “makes tampering theoretically impossible”, but above all “allows everyone […] to verify its authenticity in a completely offline and decentralized way”. In other words, without having to go through an IN Groupe server, or even over the Internet.

However, IN Groupe's personal data protection policy regarding TousAntiCovid-Verif asserts the opposite (no data shared, no data stored). The same commitment can be read in the description of the application on Google Play: “the application does not use the location of people at any time, and it is impossible to know the identity of users.”

We can also read on the document: “When activating the TousAntiCovid-Verif application, a 2D-DOC reader is triggered and allows the data contained in a proof of Covid test, a proof of vaccination test or a recovery certificate in 2D-Doc format. The data is only displayed. There is no data logging."

The policy insists on the absence of transfer, recording, or sharing: there is only a local display of the 2D-DOC code information at the time of the check. "Once the control is completed, the information displayed on the user's screen disappears", we read. However, the observations made on social networks appear to contradict this.

The personal data protection policy points out that it is not compulsory to present your code (except in very special cases, mentioned above). Those who show it could therefore be considered as individuals agreeing to provide the information contained in the 2D-DOC voluntarily, which would theoretically settle the issue of compatibility with the GDPR.

IN Groupe declares for all practical purposes that this processing “is based on the performance of a mission in the public interest”, provided for by the GDPR and the Data Protection Act, as part of the government plan to combat the pandemic. The company also recalls that it is possible to contact the CNIL if the processing does not appear to comply with data protection rules.

In practice, however, it remains to be verified whether this consent complies with the forms provided for by law, starting with free and informed consent. Who will really understand the issues around 2D-DOC and TousAntiCovid-Verif? And, for convenience, won't this scan simply impose itself and become de facto obligatory, even if it is not supposed to be?

Google components, not open source

These are not the only criticisms addressed to TousAntiCovid-Verif: it is also pointed out that the application is not open source, unlike TousAntiCovid, whose sources are publicly accessible so that everyone can take a look, according to their skills. At the time, the publication of the source code of StopCovid (its former name) had been decided in order to reassure.

Another grievance raised in recent days is the use of software components provided by a foreign company, namely Google (Firebase and certain Google Play services), which contrasts with the political discourse that justified the development of TousAntiCovid in the name of French digital and health sovereignty. In this case, TousAntiCovid-Verif should not embed any proprietary code.

This latest controversy is reminiscent of others: at one time, the use of Google's ReCaptcha technology, which is used to ward off bots designed to register automatically for online services, was denounced. This service ended up being discarded in favor of a solution developed by Orange. A controversy had also erupted over the collection of certain IP addresses for security purposes.


Will TousAntiCovid-Verif evolve in the light of the criticism?

As a new phase of deconfinement begins, and as the health pass strategy is put in place, it remains to be seen whether these first controversies will have the effect of causing TousAntiCovid-Verif to evolve – exactly as TousAntiCovid had evolved because of the controversy over ReCaptcha, for example, by ejecting the component provided by Google for a solution made in France.

Two requests could in principle be addressed quickly: the complete publication of the source code and the withdrawal of foreign proprietary components. More significant transformations could also be considered, if data transfers do take place: IN Groupe says no, but a government FAQ qualifies the statement.

Admittedly, it is explained, "when your health pass is checked by an authority or an authorized person, the verification/reading operation is done locally (thanks to the TAC-Verif application), without storing data, without a request to a central data server". But there is still communication between TousAntiCovid-Verif and a central server.

“Only the signature of your health proof is checked on a server […] to ensure its authenticity”, it is indicated. “TousAntiCovid Verif has local management rules, only the signature of the certificate will be verified by a dedicated IN Groupe server that complies with all information system security rules in order to guarantee the authenticity of the certificate to the reader.”
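The offline check described in the thread quoted earlier, which the FAQ instead assigns to a server, can be sketched as follows. This is an added example, not code from TousAntiCovid-Verif or IN Groupe: the key pair is generated on the spot to stand in for the issuer, the semicolon-separated payload and its values are constructed and are not the 2D-DOC layout, and `Check`, `Demo` and `Result` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Result is the "minimum" reading level from the FAQ: validity and name only.
type Result struct {
	Valid              bool
	Surname, FirstName string
}

// Check verifies sig over payload with the issuer's public key, on the device.
// The semicolon-separated layout is constructed for this example, not 2D-DOC.
func Check(pub *ecdsa.PublicKey, payload, sig []byte) Result {
	digest := sha256.Sum256(payload)
	f := strings.Split(string(payload), ";")
	if len(f) < 2 || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Result{} // show nothing from an unauthenticated code
	}
	return Result{Valid: true, Surname: f[0], FirstName: f[1]}
}

// Demo signs a constructed certificate with a throwaway key standing in for
// the issuer, then checks the genuine payload and a tampered copy.
func Demo() (genuine, tampered Result, err error) {
	issuer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	payload := []byte("DUPONT;JEANNE;1980-01-01;VACCINE-X;2/2;2021-05-20")
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, digest[:])
	if err != nil {
		return
	}
	forged := []byte(strings.Replace(string(payload), "2/2", "9/9", 1))
	return Check(&issuer.PublicKey, payload, sig), Check(&issuer.PublicKey, forged, sig), nil
}

func main() {
	fmt.Println(Demo())
}
```

The verifier needs only the issuer's public key and makes no network call; a code whose signature does not match yields an empty result, so nothing from it is displayed.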

These problems are not necessarily catastrophic, but they point at the very least to questionable technical choices and to insufficient clarity about what is really transferred, or not. The good news is that, like the corrections made to TousAntiCovid, adjustments can be made to the presentation and operation of TousAntiCovid-Verif.

These adaptations seem essential, because the pandemic, even if it is in decline, will remain for a while in France. What's more, the cost/benefit ratio of this health pass "in the return to life before" seems so favorable that doing without it is clearly not an option on the table. On the contrary, it could become unavoidable in its use, despite its optional nature, which raises the question of a risk of harm for people who do not want to use it. Therefore, TousAntiCovid-Verif must be beyond reproach.
