While France is still thinking about the technological response to bring to contain the epidemic of coronavirus, a French Web agency specialized in the creation of applications for large groups has launched CoronApp, a Web application that promises to help contain the contagion by tracking the movements of people carrying the Covid-19 to allow others to better avoid them.
Developed in just 72 hours, this platform is only accessible from a mobile web browser. It aims to limit contact between people, like the containment measures that have been in place for ten days now. But it pushes the cursor a little further by taking up the principle of digital plotting implemented in several countries, such as South Korea in particular.
On a voluntary basis, people carrying Covid-19 and those who think they may be register on the tool and declare yourself as infected. The platform will then track all their movements and notify all users who have crossed their path with notifications.
The creators of CoronApp claim that the data collected by the application is anonymized and deleted after 14 days. However, they reserve the right to provide them to the State, if the Ministry of Health so requests, to help the authorities better understand the spread of the epidemic.
At first glance, this initiative seems beneficial for reasons of public health. Contacted by RTL.fr, the French cybersecurity researcher Baptiste Robert however advises against its use. Denouncing “a curious approach”, which seems to be guided by “the desire to obtain media coverage while surfing the crisis”, the researcher specializing in tracking application flaws recalls that “creating a mobile application takes time and work, it takes studies, third-party evaluations, it can’t be improvised, it’s like a vaccine” .
The risk: entrusting sensitive data to an unknown company
According to him, the users of the service take the risk of entrusting sensitive personal data to a private company, relating to location and health, while there is no evidence that the purpose and the means of their processing comply with the obligations in force in France and in Europe. “The application asks, for example, users claiming to be carriers of the coronavirus to download a medical certificate to verify that they are indeed affected by the disease. hosting medical data requires an authorization issued by the authorities competent, “said Baptiste Robert.
Contacted by RTL.fr, the founder of CoronApp, Christophe Mollet, admits that “medical proof is indeed sensitive data”. “Afterwards, we don’t have to keep it, we can take it and delete it. The only health data we want to keep is anonymous data indicating that a user is infected or not”, he said, brushing aside the argument of the location data that “the French have already agreed to give to Facebook and Google for years”, according to him.
An app that requires government support
Beyond some bugs observed on the platform, the CoronApp web application also suffers from another, more structural flaw. To get results, an app like this must have massive adoption. “The whole country must be on top, it necessarily requires government support like other countries have already done,” said Baptiste Robert.
In the press, the application claimed Wednesday, March 25, several thousand registrants. But only 893 registrations were actually listed on his site in the evening. This low adoption is explained in particular by the fact thatit is not offered on the application stores of Google and Apple. They are now rejecting all apps related to the coronavirus that are not issued by the authorities.
“We communicated on the application to receive government assistance”, replies the founder of CoronApp who hopes convince the authorities to finance his project. “We have submitted two files to the State Secretariat for Digital Affairs and the Innovation Agency of the Ministry of the Armed Forces”. According to him, the urgency of the situation justifies the implementation of “exceptional measures”. “We don’t have time to wait. But we are takers of all aid. If there is a need for a technical audit, we will do it. ”
Backtracking still under study in France
France is still considering the possibility of using data from smartphones to stop the coronavirus epidemic. The Elysee Palace set up on Tuesday March 24 a new committee of researchers responsible in particular for advising it on the issue of “backtracking”, devices to track an individual’s journey from geolocation data.
As it stands, the implementation of an application is not yet on the agenda, assures the government. But as Secretary of State for Digital Cedric O. indicated on Tuesday, the government has exchanges with many countries which use these practices at different levels in order to define the best strategy to prepare for release from containment.
In Europe, countries such as Germany, Belgium and Spain are aggregating the anonymized geolocation data of telecom operators to model the epidemic and determine the next foci of infection to better distribute hospital resources. This technique has for example enabled Orange to note that almost 20% of Parisians had left the capital at the start of containment.
Discussions are underway in Brussels for harmonize these practices at European level with the main continental operators, such as Vodafone, Deutsche Telekom, Telecom Italia and Orange, which is awaiting authorization from the Cnil to launch and is already collaborating with Inserm to help epidemiologists to refine their models in France.
The CNIL sets limits
For their part, countries like South Korea and Israel have implemented more intrusive “contact tracing” practices to find infected people and determine who they have been in contact with to impose quarantines and measures isolation from those who may have been exposed to the virus.
Smartphone data can also be used to monitor confined people and ensure they comply with travel restrictions, such as in Poland or Taiwan, where citizens must respond to notifications to prove to authorities that they are at home.
The CNIL has already set limits by asking the State to favor the processing of anonymized data and go through legislative intervention if it wishes to introduce more intrusive measures.