This post is part of a series on contact tracing apps. You can read our introduction to the series and get links to the other entries here.
The French government is considering launching StopCovid, a contact tracing app, in the form of a ‘proximity tracing’ app.
The government would like the app to collect anonymised data to feed a central server managed by state health services and wants to leverage the ROBust and privacy-presERving proximity Tracing protocol (ROBERT), a joint French and German contribution under the Pan-European-Preserving Proximity Tracing (PEPP-PT), as the technical protocol. This technical protocol ensures that data about infected individuals can never be individualised.
Without collecting location data, the app will use Bluetooth technology to exchange encrypted credentials between two smartphones running the app and operating at close range, namely a few metres.
Only individuals consenting to the app will be able to install the app and then use it.
If a person is tested positive by a health authority and wishes to add this status to the app, all people who have crossed its path, at close range and for a period of time considered as suitable for transmission will receive an alert without knowing the identity of the person infected by COVID-19.
The project will be debated and voted in Parliament on 28 and 29 April 2020.
CNIL, the French data protection authority, published its opinion on the StopCovid application on 24 April 2020 at the request of the Secretary of State for Digital.
Although it gives an overall green light and considers it can be justified on the basis of the mission of general interest to fight against COVID-19, it gives a number of recommendations, including:
- There should not be competition between apps as competition would endanger the effectiveness of the fight against COVID-19, which would be best ensured by one sole app.
- People should suffer no negative consequences for not downloading the app (eg in terms of access to testing).
- The encryption protocol, which is currently envisaged, is not sufficient and should be enhanced.
- After revealing that the project it was asked to review included the possibility of artificially generating false positives in order to counter certain types of possible cyber attacks, the CNIL strongly opposed it and rejected any possibility that users may be deliberately falsely notified of a positive contact, due to the consequences (such as self-decided isolation) for the users concerned.
The CNIL only gave this opinion on the principle of the launch of the StopCovid app and has asked to be consulted again when the details of the algorithm are known.
Other posts in this series:
- Round 1: What’s happening?
- Round 2: Legal considerations for companies that want to use contact tracing
- Round 3: Are companies required to use contact tracing?