TousAntiCovid now collects statistics and audience measurements. This feature, however, compromises the security and protection of user privacy.
The TousAntiCovid application welcomes your test certificates //
Three researchers have just published a risk analysis on the statistics system integrated into the TousAntiCovid application since June and supposed to make it possible to assess its use and effectiveness. The result is clear: according to them, "the collection of statistics contradicts the principle of data minimization and endangers the properties of security and protection of privacy." Explanations.
Cléa and Robert enter a bar ...
It starts off as a bad joke. TousAntiCovid integrates two different protocols: Robert for Bluetooth tracing (contact tracing) and Cléa for location tracing by QR Code. But now, the detailed event log of the system and its precise time-stamping allows a lot of information to be crossed and conclusions to be drawn that go against the promises of privacy made by the government. On his Twitter account, Gaëtan Leurent, one of the three researchers at the origin of this analysis, details several examples allowing to use the data sent to the statistics server.
Problem # 1: user overlap
Each QR-Code scan with the Cléa protocol is recorded by the statistics system and an accurate time stamp and sent to a server. Thus by cross-checking the scans of several people in the same place in a reduced time unit, we can guess if two people went to different places at the same time, thus making it possible to deduce that they know each other.
If Alice and Bob eat at the same time in identical restaurants every day of the week, for example, they certainly came together.
TousAntiCovid can deduce if Alixe and Bob know each other //
Problem n ° 2: the leak of health data
TousAntiCovid's statistics system simultaneously synchronizes information from Cléa and Robert. However, when a user tests positive for Covid, they have no reason to go to a public place and scan their QR-Code. The synchronization of Cléa's data therefore stops and only Robert continues.
By noting that Cléa's data synchronization has stopped, it can therefore be deduced that the user has tested positive, thus revealing confidential health data.
Problem n ° 3: the precise identification of a person
Of course, this data can be deduced, but the statistics server hides the user's personal identification by using a unique identifier (UUID) different from the name + first name pair. Unfortunately, the certificate converter saves a specific entry with a time stamp. By crossing its data with the timestamp of the application's converter use, it would be possible to precisely deduce the identity of a person hidden behind a UUID.
Likewise, Robert's data and that of Cléa are recorded using different identifiers. But by cross-checking the timestamp of these data, we can deduce a correlation between these two parameters.
TousAntiCovid can guess the identity of a user //How to turn off statistics
Since June, this collection of statistics has therefore been activated automatically for all TousAntiCovid users. However, it is possible to deactivate it manually.
To do this, open the TousAntiCovid application, scroll to the bottom of the home page, then click on “Settings”. Again at the bottom, you will see a “Statistics and audience measurement” box that can be deactivated. Take the opportunity to click on "Delete my data".