TousAntiCovid now collects statistics and audience measurements. However, this feature undermines the security and protection of the user’s privacy.
Three researchers have published a risk analysis of the statistics system integrated into the TousAntiCovid application to evaluate its use and effectiveness from June. The result is clear: in their opinion, "Data collection is against the principle of data minimization and jeopardizes security and privacy protection features". Explanations.
Cléa and Robert walk into a bar …
It starts out like a bad joke. TousAntiCovid combines two different protocols: Robert for Bluetooth tracing (contact tracing) and Cléa for tracing visits to places by QR code. But the system's detailed event log and its exact timestamps now make it possible to draw conclusions that contradict the government's promise of privacy. On his Twitter account, Gaëtan Leurent, one of the three researchers behind this analysis, gives several examples of what the data sent to the statistics server makes possible.
Problem #1: User overlap
Each QR-code scan with the Cléa protocol is recorded by the statistics system and sent to a server with its exact timestamp. So by cross-checking the scans of several people at the same place within a short time window, we can tell whether two people went to several places at the same time, and therefore that they know each other.
If Alice and Bob ate at the same restaurant at the same time every day of the week, for example, they definitely came together.
Problem #2: Health data leak
TousAntiCovid's statistics system synchronizes information from Cléa and Robert at the same time. However, when a user tests positive for Covid, they have no reason to go to a public place and scan a QR code. Cléa stops synchronizing data and only Robert continues.
Since Cléa's data synchronization has stopped, it can be inferred that the user has tested positive, which reveals confidential health data.
Problem #3: Accurate identification of a person
Admittedly, this data is readable, but the statistics system hides the user's identity behind a unique identifier (UUID) that is distinct from the name + first name pair. Unfortunately, the certificate converter saves a specific entry with a timestamp. By cross-referencing that entry with the timestamp of the converter's use recorded by the application, the identity of the person hidden behind a UUID can be accurately determined.
Similarly, the data from Robert and Cléa are recorded under different identifiers. But by cross-checking the timestamps of this data, we can correlate these two identifiers.
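To make the timestamp correlation in Problem #3 concrete, here is an added example (not code from the researchers or from the application) that measures how many pseudonymous identifiers in one log can be matched to exactly one identifier in another. The log layout, the identifiers and the timestamps are constructed, and rounding timestamps to the day is an assumed illustration of data minimization, not a measure described in the analysis.

```python
from collections import defaultdict

# Constructed sample data: (pseudonymous id, Unix timestamp of a sync event).
# The two logs use unrelated identifiers for the same three devices.
ROBERT_LOG = [("r-01", 1623920461), ("r-01", 1624006893), ("r-02", 1623921177),
              ("r-02", 1624010342), ("r-03", 1623925008), ("r-03", 1624003519)]
CLEA_LOG = [("c-9a", 1623921177), ("c-9a", 1624010342), ("c-4f", 1623925008),
            ("c-4f", 1624003519), ("c-e2", 1623920461), ("c-e2", 1624006893)]


def fingerprints(log, bucket=1):
    """Map each identifier to its set of timestamps, rounded down to `bucket` seconds."""
    out = defaultdict(set)
    for ident, ts in log:
        out[ident].add(ts - ts % bucket)
    return {ident: frozenset(stamps) for ident, stamps in out.items()}


def linkable_pairs(log_a, log_b, bucket=1):
    """Return {id_a: id_b} where the timestamp fingerprint is unique in both logs."""
    fp_a, fp_b = fingerprints(log_a, bucket), fingerprints(log_b, bucket)
    seen_a, seen_b = defaultdict(list), defaultdict(list)
    for ident, fp in fp_a.items():
        seen_a[fp].append(ident)
    for ident, fp in fp_b.items():
        seen_b[fp].append(ident)
    return {ids[0]: seen_b[fp][0]
            for fp, ids in seen_a.items()
            if len(ids) == 1 and len(seen_b.get(fp, [])) == 1}


def linkability(log_a, log_b, bucket=1):
    """Fraction of identifiers in log_a that can be tied to a single id in log_b."""
    total = len(fingerprints(log_a, bucket))
    return len(linkable_pairs(log_a, log_b, bucket)) / total if total else 0.0


if __name__ == "__main__":
    print("exact timestamps:", linkable_pairs(ROBERT_LOG, CLEA_LOG))
    print("linkability, exact:", linkability(ROBERT_LOG, CLEA_LOG))
    print("linkability, per-day:", linkability(ROBERT_LOG, CLEA_LOG, bucket=86400))
```

With second-precision timestamps every identifier is linked; once the same events are reduced to the day, the three devices share one fingerprint and none can be singled out.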
How to turn off statistics
Since June, this collection of statistics has been automatically activated for all TousAntiCovid users. However, it can be deactivated manually.
To do this, open the TousAntiCovid app, scroll to the bottom of the home page, and then tap “Settings”. Further down, you will see a “Statistics and Audience Size” box that you can deactivate. Take the opportunity to tap “Delete my data” as well.