I Tested the StopCovid Application

Published on July 30, 2020

SocietyEditors PickLatest

The project leaders at the centre of the French government - Secretary of State Cédric O and Digital and Minister of Health Olivier Véran - have not stopped singing praises of the application from the get-go, yet the project failed to win unanimous support in the first assembly debates.

An opposition party accused StopCovid of providing non-confidential data and even of fraudulently collecting its users telephone contacts. Though this was denied, the accusation heated the discussion. Ever since the project was announced, the government saw no interest in putting the matter up for debate. Gilles Legendre, current leader of La République En Marche! (LREM), had in fact been opposed to a parliamentary vote on the 20th of April. At the same time, and after a number of discussions, the application received its first favourable review from the National Commission for Computerisation and Freedom (CNIL). Called upon at the conception phase, CNIL at first had some reservations surrounding data confidentiality. Nevertheless, in its report from the 25th May, the Commission reassured “the StopCovid application will not lead to the creation of a list of contaminated persons, but simply a list of contacts among pseudonyms, in this way respecting the concept of data protection from the start.”

Smartphone in hand, what is the application like? First of all, the interface seeks to reassure and presents itself as transparent. Before activation, various reminders state respect for the European regulation for data protection (GDPR). It explains in detail the functioning of the application, the method for sharing data as well as where data will be stored - namely the telephone and server of the Ministry of Health. At no point am I asked to provide my name, my phone number, date of birth or other medical information. Each day, users receive a random, temporary pseudonym which establishes their “proximity history”. In reality, the only point which requires a form of active engagement on my part is to certify I’m not a robot and fill in the “captcha”, permitting differentiation between human user and computer. I then activate my Bluetooth connection, necessary to transfer data, and off I go. En route, phone in pocket, and ready to wander the streets of Toulouse.

And what if I’m diagnosed? I will have to officially declare myself infected. To do this, all I have to do is scan a QR code issued after an official, positive test. Fortunately, the experiment hasn’t allowed for me to use this function yet.

A shunned tool

Downloads of the app currently total around 2 million, or around 3% of the population (the German equivalent does slightly better and fluctuates somewhere in the vicinity of 15 million downloads. Different experts judge the app “effective” if at least 60% of the population activate it. Concerning its impact, this time, the Secretary of State reported to the newspaper Libération not too long ago that 68 people had declared themselves “infected by Covid-19 by QR code in the app. These 68 people raised a total of 205 other users on the central server. This means that in the two days prior to their declaration, these 68 people had been in contact with 205 people who also have the app. Of the 205 cases, 14 had triggered notifications for being contacts judged at risk.”

Preliminary feedback falls rather short of government expectations, but one must not neglect the significance of these figures either. The government insists, in effect, on the fact that “from the very first downloads, the app prevents illness, hospitalisations and deaths,” especially at a time of marriages and family reunions in France, which can degenerate into epidemic clusters, sufficient to provoke resurgences of the virus in certain departments.

If the app benefits from a simple and reassuring interface, certain digital specialists fancy themselves more sceptical. La Quadrature du Net, association for the defence of rights and freedoms of citizens on the internet, revealed the use of a Google tool following publication of the app’s source code. It concerns the “captcha” mentioned earlier, necessary to activate the app. The presence of this “foreign body” at the very heart of StopCovid would mean the expedition of data to Google servers, damaging Cédric O’s claims about the collection and storage of data on French servers. Branded a “bug” by specialists, this harms the government’s marketing campaign surrounding its complete digital sovereignty. CNIL, at the start more favourable to the project, has since put the government on notice following checks at the end of June, and in the wake of their usage of this means of identification from the giant Google.

On his part, the French researcher in cryptography from the French Institute for Research in Computer Science and Automation (INRIA), Gaëtan Leurent, recently showed that the application was sending data from several metres away, in contrast to the one metre announced officially. Following tests, he also added: “As such, StopCovid sends a large quantity of data to the server which is of no interest for the purposes of tracing the spread of the virus, but which poses a real danger to people’s private lives.” It appears difficult to say which information really is and really isn’t being passed on, at least for now. In any case, the app allows me to delete this data with a click. It is also automatically deleted after 14 days.

Obstacle upon obstacle

If doubts persist in relation to the technology, an umpteenth explanation resides perhaps in its usage, strictly speaking. To detect a possible infection, a number of important steps must follow on from each other. Firstly, two people must have a smartphone (around 77% of the population, 44% among the over seventies). Downloading the app alone does not suffice, one must activate StopCovid and authorise Bluetooth communication. Then, the government explains, the people in question must stay within proximity of one another for at least fifteen minutes to be registered as potentially infected. Bluetooth must also be functioning correctly, between 70% to 80% of cases, Cédric O assures us.

Beyond these technical considerations, an ill person must have already been detected with the help of a PCR (Polymerase Chain Reaction) test, and the test not to have recorded a false negative, to be authorised to declare themselves “ill” via the app. Put end to end, the number of demands made, combined with the stated probabilities, reduces the chances of detecting the illness. The experiment carried out for this article has not raised any alerts thus far. Yet, the app has been taken to a variety of environments and contexts. In the course of three weeks, I been on terraces of cafés, restaurants, I went for walks in urban areas, went to the shops and so on. It is hard to say at this stage if contact was too brief, from too great a distance, or if simply no one who had declared themselves infected on the app was in close proximity. The experiment was carried out in Toulouse, the fourth largest city in France in demographics, but nevertheless far away from French population clusters like Paris or the east of the country.

Another plausible lead: after several weeks of isolation, has France not felt a deep need to combat its anxiety? The reopening of bars and restaurants linked to a more than summer-like weather forecast has favoured a carefree attitude in the face of the virus. Far from experiencing a massive increase in new cases, the reality of the figures for the end of June seemed more nuanced anyhow. The departments of Meurthe-et-Moselle and Meuse in the east of the country indicated a fresh outbreak of cases exceeding even the thresholds for ‘vigilance’ (10 cases per 100,000 inhabitants), without nevertheless reaching the level of alert set at 50 cases per 100, 000 inhabitants.

At the start of July, the French exception seems to be falling to pieces still a little more with the formation of just over 200 clusters. Outside the Grand-Est, the regions currently the most affected are situated around the Aquitaine and Mediterranean coast, victim to people going on holiday in masses. The pandemic globally seems to be observing a similar trend, with Spain and Germany on the European side even placing certain regions back under quarantine. These signs, for the time being, are not motivating the French population to frantically download the app.

“Such a project would normally have required a development period of one to two years.”

When all is said and done, StopCovid currently boasts mixed fortunes. Strictly from the user’s point of view, it seems perfectly operational. On the telephone performance side of things, using Bluetooth permanently obviously affects the performance of the phone, and the battery runs out slightly quicker. On the other hand, no major bug was really detected during the experiment. Cédric O reminded the newspaper Libération anyhow that “such a project would normally have required a development period of one to two years.” Despite having some important players in on the project (Capgémini, Orange, Dassault), France has little experience with a phenomenon like SARS, in the same way as do countries such as China or Korea, and certainly has a population much more reluctant to use tracing systems.

For all that, the battle is not yet over, and the government seems to be learning from their mistakes. Moreover, they have recently opened the app to a “bug bounty” campaign - a sort of treasure hunt for bugs carried out by a number of important “ethical hackers” from a variety of backgrounds. This practice, well-known within the world of cyber security, results extremely beneficial in the majority of cases as it permits the flagging of any persistent problems and flaws, and so helps the app work more securely.

The government is setting its sights on the app’s long-term usefulness. The tool will be there for a hypothetical second wave, but the normalisation of such a tool is not looked upon kindly by all. “Is everything which is technically possible also desirable?” asks the deputy Jean-Luc Mélenchon at the National Assembly. The proliferation of forms of the state of exception as well as the increasingly significant merging of private and governmental structures favours the emergence of an economy of “social distancing” by actors who, yesterday, were claiming to fight against terrorism. Recent trials of mask detection by RATP (the public transport operator) or temperature checks by thermal camera are also examples to keep a close eye on within our democracies.

Cover photo: Célia Péris

Translated from J'ai testé l'application StopCovid