Widely used for certificates and the health pass, the TousAntiCovid application also collects information of a private nature. To avoid any exploitation of sensitive data, disable this automatic collection.


Downloaded more than 25 million times as of the end of July 2021, the TousAntiCovid application is significantly more successful than StopCovid, the first government contact tracing tool intended to stem the Covid-19 epidemic in France, which preceded it in 2020. Its popularity is unquestionable, but it is due above all to its "ancillary" functions, namely the storage of travel certificates during lockdown periods and the presentation of the famous health pass with its QR code, now mandatory for access to many public places (see our practical sheet Using the sanitary pass with the TousAntiCovid application). In fact, even if they are still present, the contact tracing functions, through Bluetooth and the Reminder Book, do not seem to be the main reason for using the application.

What is the risk of data breach with TousAntiCovid?

However, one blemish could spoil the picture. Three security researchers have just published an alert about the confidentiality of the information collected by TousAntiCovid, which they share online in a careful analysis of the risks involved, with supporting evidence. As they clearly explain, the application has been enriched since June with various functions, in particular a collection of usage information intended in principle for statistical analyses. This collection relies on a very detailed event log, which records most of the actions performed by the user, with an accurate timestamp.

Deploring the lack of any official publication on the actual use of the data thus collected, the researchers stress that the data poses a serious security problem: it allows the cross-checking of private information that is supposed to be compartmentalized by the two protocols used by the application, Robert, for contact tracing via Bluetooth, and Cléa, for contact tracing using QR codes in public places. According to their work and their demonstration, it would be possible to match different data sources that should be independent, to identify users and even to retrieve information on the private life of certain users (positive test, vaccination status, social relations…). We would thus be far from the promised anonymity. All the more so since this collection system is activated by default, the user's consent is not requested, and the application's confidentiality policy does not indicate the real nature of the processing of the data collected. Their verdict is final: for these researchers, "the collection of statistics contradicts the principle of data minimization and endangers the properties of security and protection of privacy".

Oversight, negligence, technical error: whatever the cause, this possibility of recovering and cross-referencing confidential data adds grist to the mill of all those who fear being put on file and tracked. Above all, this potential use of information risks slowing down the adoption of TousAntiCovid and, in doing so, harming the fight against the Covid-19 pandemic.

Nothing says that this data is actually used. But to avoid any leak of personal information, it is better to adjust a few settings in the TousAntiCovid application while waiting for the Government to correct the situation in a future version. The application is updated at a very sustained rate, sometimes confusing regular users…

Several actions are possible, depending on your use of the application and your degree of mistrust.

  • Open the TousAntiCovid application on your mobile.
  • Scroll down to the bottom of the home screen and press Settings.
  • Scroll down again and, in the Statistics and audience measurement section, press the switch, which is enabled by default, to disable automatic information collection.
  • If you wish, go back to the previous section, My data on the server, and press the Delete button to delete the pseudo-identifiers exchanged with other mobiles and stored on the application server.

Finally, to be sure not to be tracked, turn off Bluetooth, geolocation and even mobile data on your phone when you don't absolutely need them.
