CoronApp asks its users to share their geolocation so it can tell them whether they have been in contact with a patient infected with Covid-19. ITSS, the company behind it, hopes to convince the Ministry of Health to fund its development. But as it stands, the application offers insufficient guarantees, and the government has not yet decided whether it will use geolocation data at all.
CoronApp promises to notify you if you have crossed paths with a person infected with Covid-19, along with the date on which you would have been exposed. The idea is that, if you receive such a notification, you can quarantine yourself and monitor your health even more closely. To do this, CoronApp asks you to create an account, share your smartphone's geolocation, and declare whether or not you have Covid-19.
But the application, developed in three days, is currently shaky and offers too few ethical and security guarantees in the way it operates. Security researcher Baptiste Robert, known on Twitter as @fs0c131y, voiced reservations about the app: "Do not use this type of app yet. App development is like developing a vaccine: it takes time, method, and it has to be reviewed by third parties," he wrote.
One of the reasons we are writing about CoronApp is that it has been the subject of a media communication campaign. At Numerama, we received two emails on the subject, dated March 20 and 25. "Even since the lockdown began, the Covid-19 virus continues to spread, causing more and more people to become infected. Christophe Mollet, founder of the ITSS web agency, thinks that in addition to the solutions mentioned above, the counterattack must be technological. Surrounded by a team of experienced IT specialists, he launched a crazy bet: to create a geolocated application in 72 hours to fight the spread of Covid-19, called 'CoronApp'," reads the press release. The application was featured in Le Parisien, Stratégies and L'Obs, and even on the France 2 television news, among others.
We scratched a little beneath this varnish to show you how few guarantees the application, which collects all kinds of personal data, actually offers.
A mobile application? Not really
CoronApp is presented as a smartphone application. But for now, it is merely a website wrapped in an app shell: when you open it, it simply displays a web page inside an embedded browser (a WebView).
Moreover, the app can only be downloaded on Android. To use it on iOS, you have to browse to coronapp.eu from your smartphone and keep the browser tab open so that geolocation stays active.
In various media outlets, Christophe Mollet, the app's creator, says that versions for the App Store and the Google Play Store are ready, but that he cannot submit them without government approval. Baptiste Robert, questioned by Numerama, is far more skeptical: "It is not a mobile app at all. It is not possible to put this kind of app in the stores." The stores do indeed require more than a wrapped mobile site before they approve an app.
The application's publisher, ITSS, is a small web agency of five employees specializing in the development of Drupal websites (Drupal is an open-source tool for building and managing sites). Application development, which requires different expertise, appears to fall outside this company's core business.
But Christophe Mollet tells Numerama that his company has sufficient technical skills: "We have already delivered mobile projects, for example for Orange. We use Drupal for the back office (the application's control center, editor's note), then other technologies, like Angular, for the front end (the part visible to the user, editor's note)." During his quick look at the application, Baptiste Robert correctly identified the technology used, and did not hesitate to take a jab: "This application is the Angular tutorial, with a thin layer of customization on top."
When we point out certain technical flaws, Christophe Mollet reminds us that the app was developed in 72 hours. But he also insists that "a small team of around ten people is working on this application day and night." On this project, ITSS's developers are being helped by volunteers from outside the company.
The application, free and ad-free, invites its users to make a donation to the developers via PayPal.
As it stands, CoronApp is extremely rudimentary
We decided to create our own account from the site's home page, which is riddled with bugs and whose fields do not all display correctly. The registration form requires a surname, first name, date of birth and email address; we entered a birth date of January 5, 2029, and it went through without complaint. You can also enter your address and phone number. We chose a three-letter password, which the system likewise accepted without flinching. The application therefore enforces no password requirements, even though the password is the first barrier protecting an account. Minors and people not yet born (like us) are not filtered out either, so the collection of this precise data from them is possible.
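The two failures just described, a future birth date and a three-letter password sailing through registration, are both things a server-side form handler should reject before an account is ever created. The following is an added example, not CoronApp's or ITSS's code, written in JavaScript to stand in for a back-office validator in front of an Angular form; the field names, the 18-year minimum age, the 12-character password minimum and the constructed sample payloads are all assumptions.

```javascript
// Added example (not CoronApp's code): server-side registration validation.
// Field names, the minimum age and the password length are assumed policy.
const MIN_PASSWORD_LENGTH = 12; // assumed policy
const MIN_AGE_YEARS = 18;       // assumed policy (adults only)
const MAX_AGE_YEARS = 120;      // sanity bound against obviously bogus dates

// Parse "YYYY-MM-DD" as a UTC calendar date. Reject strings that do not
// round-trip (e.g. "2029-02-30", which Date would silently roll into March).
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return null;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const date = new Date(Date.UTC(y, mo - 1, d));
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== mo - 1 || date.getUTCDate() !== d) {
    return null;
  }
  return date;
}

// Whole years elapsed between dob and today (both UTC dates).
function ageInYears(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayPassed =
    today.getUTCMonth() > dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() >= dob.getUTCDate());
  if (!birthdayPassed) age -= 1;
  return age;
}

// Validate a registration payload. `today` is injectable so the check is
// deterministic in tests; it defaults to the current date in production.
function validateRegistration(form, today = new Date()) {
  const errors = [];

  for (const field of ['lastName', 'firstName', 'email']) {
    if (typeof form[field] !== 'string' || form[field].trim() === '') {
      errors.push(`${field}: required`);
    }
  }
  if (typeof form.email === 'string' && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(form.email)) {
    errors.push('email: malformed');
  }

  // Date of birth: well-formed, not in the future, plausible, and of age.
  const dob = typeof form.dateOfBirth === 'string' ? parseIsoDate(form.dateOfBirth) : null;
  if (!dob) {
    errors.push('dateOfBirth: expected YYYY-MM-DD');
  } else if (dob > today) {
    errors.push('dateOfBirth: in the future');
  } else {
    const age = ageInYears(dob, today);
    if (age < MIN_AGE_YEARS) errors.push(`dateOfBirth: must be at least ${MIN_AGE_YEARS}`);
    if (age > MAX_AGE_YEARS) errors.push('dateOfBirth: implausible');
  }

  // Password: a length floor, and not derived from the account's own email.
  const pw = form.password;
  if (typeof pw !== 'string' || pw.length < MIN_PASSWORD_LENGTH) {
    errors.push(`password: at least ${MIN_PASSWORD_LENGTH} characters`);
  } else if (typeof form.email === 'string') {
    const local = form.email.split('@')[0].toLowerCase();
    if (local.length >= 3 && pw.toLowerCase().includes(local)) {
      errors.push('password: must not contain the email address');
    }
  }

  return { ok: errors.length === 0, errors };
}

// Constructed sample mirroring the article's test account: born in 2029,
// three-letter password, evaluated as of March 25, 2020.
const FIXED_TODAY = new Date(Date.UTC(2020, 2, 25));
const ARTICLE_LIKE_FORM = {
  lastName: 'Doe', firstName: 'Jane', email: 'jane@example.com',
  dateOfBirth: '2029-01-05', password: 'abc',
};
console.log(JSON.stringify(validateRegistration(ARTICLE_LIKE_FORM, FIXED_TODAY), null, 2));
```

Length and a self-reference check are the minimum; a production deployment would also screen the password against a breached-password list, as NIST SP 800-63B recommends, and the date check belongs on the server, since a client-side Angular validator can be bypassed with a single hand-crafted request.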
Once logged in, the site logically asks us to enable geolocation while the application is active. On Android (but not on iOS), it also asks for permission to send notifications.
We then have two options: "I protect myself" and "I have the coronavirus". In the first case, the site takes us to a page of written advice, with shaky spelling. It also embeds an official government prevention video, hosted on an unofficial YouTube channel that apparently belongs to a retiree.
In the second case, when we indicate that we have the coronavirus, the app asks us to "take a photo of a medical document" showing our first and last name, in order to verify our claim. "Once the proof has been verified, all the people you have met will receive a notification on their phone," it specifies.
To collect health data, ITSS must comply with demanding standards
Medical documents fall into the category of health data, which is specially protected under the European General Data Protection Regulation (GDPR). To handle this kind of data, ITSS must comply with several standards and requirements. "All parties involved in the processing of health data are bound by a responsibility," recalls lawyer Sabine Marcellin of Aurore Legal, contacted by Numerama. "Even if there is no legal necessity to carry out a prior security check, the CNIL will nonetheless demand the highest level of security during its inspections. The company must have specific protocols, requirements for storage codes, or hosting on specific servers," she specifies.
Does ITSS meet these requirements? "We are supported by a law firm that drafted the general terms of use (CGU) quickly, but cleanly. In the case of health data, since there is user consent, this is less critical," says Christophe Mollet. We have read the terms of use, and they make no mention of medical or health data.
The text does specify, however, that geolocation data is kept for 14 days (to match the disease's incubation period) before being automatically deleted. During those two weeks, the data is "likely to be passed on to other users of the CoronApp application," the contract specifies.
Personal data (surname, first name, email, telephone, etc.) is kept for at least six months, "in accordance with legal and regulatory requirements." Finally, the terms state that this data could be communicated to the Ministry of Health, but that it will not be sold or used for advertising. It is precisely the government that ITSS hopes to convince with its communication campaign.
Courting the state
But for the moment, CoronApp does not seem at all successful. That does not stop Christophe Mollet from confirming his ambitions to us: "I think we have the technical capacity and the motivation to develop this application. But will the government help us? Will the French agree to share their geolocation data?" Having failed to convince the government from the outset, ITSS hopes to win through user adoption.
In Le Parisien, Christophe Mollet claimed that, while the app's number of users was confidential, he counted "several thousand." For his part, Baptiste Robert found the programming interface (API) that serves as CoronApp's user counter: the site had only 893 registered users at 3 p.m. on March 25. When we confront him with this gap between his statements and reality, Christophe Mollet sidesteps: "Our number of users has exploded in recent hours, after our appearances on France 2 and France 3."
The ethical debate around the use of geolocation is not over
Several countries are considering or have already deployed such applications to contain the pandemic. In Israel, for example, the Ministry of Health has released an official app called The Shield (HaMagen). But before making it available to Israelis, it carried out a security audit and put forward several solid pieces of evidence of the app's privacy-friendly handling of data.