French data protection authority on « StopCovid » application

The French data protection authority (CNIL) recently published an opinion on the government project to create a contact tracing application called “StopCovid”.

Such an application would be based on the Bluetooth technology (no location tracing) and the ROBERT contact tracing protocol. It would enable users to get a notification if they have been in contact with an infected person. The use of “StopCovid” would be voluntary.

The recommendations include specific security measures (see below). 

Main conclusions

In the CNIL’s views, the project is in line with GDPR if some conditions are fulfilled. Two important conditions are: 1) temporary use of the applications and 2) data retained for a limited period. In addition, CNIL stresses that there should be no negative consequences for citizens who chose not to use “StopCovid”.

CNIL notes that the application is privacy by design as it uses pseudonyms (random identifiers): one permanent pseudonym and temporary pseudonyms. Moreover, the list of infected persons is not centralised on one server.

CNIL recalls that this project is only one component of the overall sanitary strategy. The efficiency of “StopCovid” in contributing to such strategy must be assessed.

Recommendations on security

First, the actual project foresees a server where identifiers of exposed persons (who have been in contact with an infected person) would be centralised. CNIL underlines that it is highly important to adopt adequate security measures. For instance, encryption keys that allow access to identifiers could be protected by hardware security modules and independent trust parties.

Secondly, measures must be taken at the application level and server level to avoid re-identification. This includes preventing the creation of a link between temporary pseudonyms and specific information on the device.

Thirdly, only state of the art cryptographic algorithm must be implemented to ensure integrity and confidentiality of exchanges. The use of 3DES algorithm is currently envisaged in the government project. CNIL points out that this algorithm should no longer be used according to ANSSI’s guidelines (référentiel general de sécurité).

Fourthly, the current system does not envisage an enrolment mechanism for the first use. The purpose here is to limit collection of personal data. However, CNIL notes that this leads to increased risks of attack.

Finally, CNIL highlights that protocols and source code should be freely available for the scientific community to be able to check for vulnerabilities.

Next steps:

The French Parliament (Assemblée Nationale and Sénat) will hold a debate on “StopCovid” on 28 and 29 April.

For any question on this issue, do not hesitate to contact Camille Dornier: camille.dornier@eurosmart.com