July 26, 2021

The CNIL warns of a possible exposure of medical data during the control of the health pass

A simple “red” or “green” signal to verify the low risk of contagiousness to SARS-CoV-2 of visitors at the entrance to gatherings of more than 1,000 people: since the presentation of the health pass, launched in France on Wednesday 9 June, the government pledged to minimize the information accessible during document control to limit the risk of malicious use of personal data.

Inaugurated on Tuesday during the friendly football match between France and Bulgaria, attended by 5,000 people at the Stade de France, the official application TousAntiCovid-Verified does not allow display, when checking the health pass (negative virological test of less than seventy-two hours, complete vaccination certificate or certificate of recovery), only with a “valid” or “invalid” indication. The user’s first name, last name and date of birth are also displayed to compare a nominative entry ticket or an identity document.

Decryption: TousAntiCovid: what use to find friends, go to a restaurant, watch a game, travel?

The possibility of knowing whether the person instead has a negative test, a positive test or a vaccination certificate seems to be ruled out in this way. Such an eventuality would constitute “A breach of medical confidentiality that does not respect the rights of users”, had warned, from April 20, the Covid-19 liaison and information committee. The body responsible for advising the government on the technological challenges of the health crisis already insisted on the good reflex of aggregating data, in line with the principles followed by the National Commission for Informatics and Freedoms (CNIL) in France and the regulations. General on Data Protection (GDPR) at European level.

Data “kept in the clear”

Since the presentation of the first 2D-DOC Datamatrix – similar to a QR code, a kind of barcode – several IT security experts have nevertheless noted that the use of a generic mobile barcode control application made it possible to access all the information contained in the health pass: the date, the type of vaccine and the number of doses received are, for example, readable outside the TousAntiCovid -Check application.

“The committee notes that the data relating to the evidence is kept in clear [de manière non chiffrée] within barcodes “, also underlines the CNIL in a deliberation dated June 7. The text indicates that such a practice can be “Accepted taking into account the technical constraints and the need to implement, at short notice, the system for checking supporting documents”, but encourages the government to inform users to encourage them not to display their health pass outside the framework in which it is imposed.

Investigation : The usefulness of unmeasurable contact tracing applications

The decree detailing the terms of the measure, published in Official newspaper June 7, make it clear that “The supporting documents are read by means of a mobile application called TousAntiCovid -Check” and that any other type of verification is illegal. A risk anticipated by parliamentarians during debates on the health crisis management law – “Keep [ces] documents and reuse them for other purposes ” that the control is punished by one year’s imprisonment and a fine of 45,000 euros – but the constitution of a list of people vaccinated or tested positive during an event is technically feasible.

For the government, the legal framework decided would be enough to prevent this misuse of the health pass. A register “Detailing the persons thus authorized and the date of their authorization, as well as the days and times of the checks carried out by these persons” must be made up of all the venue operators and the event organizers concerned. The list is also specified: stadiums, marquees, conference rooms, casinos welcoming more than 1,000 people are mentioned in particular. Zoological, amusement or theme parks are exempt, such as public transport, cinemas and theaters.

Explanations: Health pass: the places in which it will be necessary

“Sanctions are planned”, warns Cédric O

“I have no doubt that if there were any abuses, for example by restaurateurs who tried to impose it on their customers, we would quickly be aware, if only through social networks. And sanctions are planned ”, warned the Secretary of State for Digital, Cédric O, during an interview published in The Parisian, le 24 mai.

Accessible to all on mobile application download portals (PlayStore on Android, AppStore on iOS), TousAntiCovid-Verified is also the subject of other comments from the CNIL. In particular the fact that it was developed by the Imprimerie Nationale, outside the consortium formed by the National Institute for Research in Computer Science and Automation (Inria), responsible for the other features of TousAntiCovid, and that its code and its characteristics techniques have not been made public.

In addition, all the information contained in the 2D-DOC is sent during each check to a central server placed under the responsibility of the Imprimerie Nationale group to check its validity, which the government explains by the need to adapt to different rules and likely to evolve between European countries – the device must also be used for the Covid digital certificate planned by the European Commission, the launch of which is scheduled for early July.

Synthesis: Europe converts to dispersed order at sanitary passes

To achieve a “The most protective architecture possible” , especially during national uses of the health pass, the CNIL invites the government to “Study the implementation of a more decentralized version” in order to “Limit the sending of data to this server while guaranteeing the application of the updated rules”.