Health and personal data pass: a beautiful bag of knots that we untangle for you –

The health pass comes into effect this Wednesday, June 9. It thus becomes compulsory to access certain places and events bringing together more than 1,000 people and from July to travel within the European Union.

Available in digital format with the TousAntiCovid application (Notebook function) or simply in paper format, the device is based on the use of QR Codes (or rather Data Matrix) in 2D-DOC format to certify your proof of non-contamination to Covid-19. Three types of evidence can be provided: a negative PCR or antigen test, a vaccination certificate or a recovery certificate.

To scan QR codes, the government has set up a second application, called TousAntiCovid Verif, intended for authorized persons. If TousAntiCovid has the merit of being open source and therefore easily controllable (for developers) and of using encrypted identifiers in order to anonymize users, the same cannot be said, currently, of TousAntiCovid Verif, which is causing controversy. We explain to you.

Data sent unencrypted to a server

First review, although it is intended for staff at airports, festivals and other events / places bringing together more than 1000 people, TousAntiCovid Verif is accessible without any restriction from the Play Store and the App Store, the only safeguard being a declaration on honor where one undertakes to respect “The eligibility conditions imposed by the regulations in force”.

But for all that, what challenges the most is technical. As reported on Medium by the IT expert Mathis Hammel, which looked into the issue, the QR code verification process is not done internally on the TousAntiCovid Verif application but on a central server of“In Group”, the former National Printing Office now specializing in data management and protection solutions and designer of the government application.

This means that all the information contained in the QR codes, which, moreover, is not encrypted, specifies the expert, is transmitted to the central server. This is the case of the name, first name, date of birth, type of vaccine used, etc. Geolocation data with latitude and longitude could also be shared, but this function would not be activated.

Image source

The government had however promised on its site a simple operation of “ local check / read […] without data retention“With the signature of the health pass and only this signature verified on a central server, adding that the TousAntiCovid Verif application” will have the minimum reading level with just the valid / invalid pass information and surname, first name, date of birth, without disclosing further health information e ”.

A functioning, an operation, a operating, a working“Temporary”

We asked the government about this during a press briefing for the launch of the Health Pass, organized on Tuesday, June 8. A spokesperson confirmed to us that the verification of QR codes was done remotely on a central server and explained to us that “This mechanism was faster to set up” Firstly. However, the government assures that the data sent to the server is not stored but erased once the verification is complete.

A system validated by the CNIL , the National Commission for Informatics and Freedoms, which considers it compliant with the General Data Protection Regulation (GDPR). But in its deliberation made on June 7, the institution nevertheless calls on the government to modify it, believing that “Checking the validity of supporting documents could be carried out locally for health pass control operations relating to large gatherings of people”.

The government has assured us that it will respect this recommendation and that it is planning to deploy an update in the coming days to correct the situation. With the new version, the verification of QR codes will be done internally in TousAntiCovid Verif, he explains. In addition, the application should even be able to work in offline mode according to the government, which however we have difficulty understanding given that the signature of the health pass will always have, it seems, to be verified via a database. data online.

Closed code and Google Inside

Sure Twitter, the user @gilbsgilbs who analyzed the application is also wondering about the government’s choice not to have published the source code of the TousAntiCovid Verif application while that of TousAntiCovid is indeed open-source, a pledge of transparency. An opinion shared by the CNIL which also says it regrets “This non-publication and calls on the Government to make this source code public”.

The question was asked to the government during the launch brief for the health pass. This explains its choice by the fact that a security element used by the application would have been exposed if the code had been opened. However, the government says the code will be published online, but with the notorious security feature removed.

Continuing his research, @gilbsgilbs also discovered that TousAntiCovid Verif relies (at least in its Android version) on certain components belonging to Google, including Firebase and Google Play services, which are deemed to be “Fairly opaque and the terms of use not too respectful of personal data”by IT expert Mathis Hammel. A criticism that was also made to TousAntiCovid in 2020 since the application also used, at the beginning, certain components of the Californian giant.

In this regard, the Directorate General of Health explains that the Google components in question had been used for the experiments of the health pass, in test on certain flights to Corsica since the end of April, but ensures that they were“Unplugged in application updates this day(June 8)“.

Read also :

Back to top button