The StopCovid tracking application, which will be available on June 2, is presented by the government as an “instrument” to fight the coronavirus epidemic. But the debates around its acceptance, the technical problems it still encounters, and feedback from abroad have raised the question of its effectiveness.
“StopCovid is not the magic weapon against the epidemic.” In presenting the tracing application wanted by the government, Thursday, May 28, Edouard Philippe did not show a blissful enthusiasm for this technology. On April 28 before the National Assembly, he admitted that he was “well in pain of [vous] say if it works, and how it will work precisely. “ “It is an instrument, complementary to other instruments”, then explained the Prime Minister, after a heated debate in the National Assembly.
For several weeks, the debate around the risks of invasion of privacy and individual freedoms that this technology would represent has not seen the emergence of a consensus between pro and anti “contact-tracing”. But beyond these ethical questions, many experts doubt the practical usefulness of such a tool. Baptiste Robert, a cybersecurity researcher, has been among those testing the application since May 27. He notices that, “The government never talks about feedback in countries that have already implemented this kind of application. However, they admitted that it was not terrible”.
This is particularly the case in Singapore, which launched its “TraceTogether” application on March 20. A month later, in a forum, Jason Bay, the director of the government agency for digital services drew the following observation: “If you ask me if any plotting application, existing or in development, anywhere in the world will replace manual plotting, I would say without hesitation that the answer is no”. According to him, because of its complexity, “tracing should remain a human-made process”. In Singapore, only 15% of the 5.6 million people have downloaded the app. A relatively low rate which can also explain these disappointing results.
In Iceland, the local application “Rakning C-19” was launched in early April. It is based on the geolocation of users, the local authorities having deemed Bluetooth insufficiently reliable. Despite this more radical technical choice, and one of the highest download rates in the world (40% of the population), one of the police officers responsible for tracing said he was also wary in an interview granted at the MIT Technology Review. “Technology is more or less … I would not say that it is useless”, said Gestur Pálmason. I would say that [Rakning C-19] has been helpful in a few cases, but it has not changed the situation for us. “
In Australia, local authorities have also returned from a technology that the Prime Minister had presented as a “key element of the return to normal”. Despite an honorable level of downloads (5 million out of a population of 25 million), in one month “Covidsafe” only identified … one person. The Australian government notably mentions compatibility problems with iPhones to explain this failure.
Australia, like France, has chosen to develop its own application without using the technology made available by Apple and Google. In an unprecedented collaboration, the two American “tech” giants have developed an “API” (programming interface) that can be used by all governments that choose to do so. To date 22 countries, among which Germany (which collaborated with France for a time before changing direction), Italy, Switzerland, the Netherlands have adopted this “platform” on which each has then developed its own application. France has refused it, notably for reasons of “digital sovereignty”.
According to the State Secretariat for Digital Affairs, the technology of the two American giants would present “flaw risks” and “the definition of the contact-tracing algorithm and the ability of the health authority to have all the statistical data cannot be left in the hands of another entity”. All the experts we interviewed are however formal: the use of the Apple-Google API does not mean that the data is hosted abroad. “No medical data is sent to Google or Apple servers”, explains to the Radio France investigation unit Guillaume Rozier, the creator of the Covidtracker platform. “Each state keeps its own servers, he specifies. It is all the more true that it is a decentralized architecture where the data is stored on each phone while the French system, centralized, calls on a central server which stores all the data. “
According to the French government, the “decentralized” system imposed by the API from Apple and Google is also less secure. Again an argument disputed by many experts. “Each solution has its advantages and disadvantages in terms of security”, explains Gaëtan Leurent, researcher at INRIA (the institute that served as a bridgehead for the development of StopCovid). With fifteen other researchers, he is the signatory of a document showing how the anonymity guaranteed theoretically by the tracking applications can be circumvented. According to him, “With decentralized systems, we can successfully detect who is sick among neighbors of buildings for example, while centralized systems will eventually allow false alarms targeting a person to be launched”. In an open letter, several hundred European researchers, including French people, expressed their preference for decentralized systems, as did the European Parliament in a resolution voted on April 17.
The government’s “digital sovereignty” argument also puzzles some experts. Paul Christophle, former digital advisor to Fleur Pellerin and opponent of plotting applications, notes that “The government maintains a certain inconsistency. On the one hand, it refuses the solutions of Apple and Google, on the other hand it authorizes the transfer of SIDEP and Contact Covid files [qui regroupent les données des tests positifs et des enquêtes de l’assurance maladie] to the ‘Health data Hub’, the platform he created and which is hosted by Microsoft! “ Cédric O also admitted before the Senate that on this issue, the government had indeed chosen an American solution for reasons health efficiency.
For Tariq Krim, “by definition, when you develop on IOS or Android, you are not sovereign”. The creator of Netvibes, former vice-president of the National Digital Council, believes that Apple “is in its role by refusing that any software, whatever its creator, takes control of the phone without the user being fully aware of it”. For another sector expert: “The government pretended to believe that Apple was going to allow them to break their rules when they have always refused, even the American government! They probably wanted to send a signal by dismissing a collaboration with Apple and Google and preferring national companies to them, but basically, that won’t change much… “
This Franco-French choice will nevertheless have a consequence: StopCovid will probably never be compatible with most foreign applications. Questioned by the deputies in law committee on May 26, Cédric O admitted that at “Today there are strong doubts about the ability to make French and British solutions interoperable on the one hand, with German Italian and Swiss solutions on the other”.
The Secretary of State was notably questioned on this subject by the deputy Modem of the Vendée Philippe Latombe, for whom “the question is: will the systems protect against the creation of clusters linked to population movements [en Europe] this summer for the holidays? “. The answer is apparently no at the moment. Aware of this limit, the British government has launched a contract for the development of an application compatible with Apple and Google systems, in case the current one, comparable to StopCovid in its operation, should be replaced.
The choice of France will probably have another annoying drawback: Apple iPhones will only work very imperfectly with StopCovid. The American firm has refused to work with the government to lift restrictions on the use of Bluetooth on its devices. “If an iPhone is idle, or the app is running in the background, explains Baptiste Robert, the iPhones operating system does not allow access to Bluetooth for privacy reasons. This is also true with the latest generations of Android. “
The Secretary of State for Digital claims to have found the solution to circumvent this problem: a feature of mobiles equipped with Android would have the possibility of “waking up” the Bluetooth of iPhones when they pass nearby. This possibility was actually observed during the first tests carried out since Wednesday. Despite everything, this parade does not seem to work every time. “I had trouble getting apps to communicate with each other, including between Android devices, without knowing whether it came from the app itself or from the operating system”, says Adrien Jeanneau, one of these “ethical hackers” who are looking for flaws and bugs to fix them before the official release of StopCovid.
For many experts, one thing seems almost certain: two iPhones equipped with StopCovid that will be nearby will not communicate in the majority of cases. A “hole in the racket”, implicitly recognized by Cédric O, when he claims that “the app finds 75 to 80% of nearby devices”. Whether by chance or not, this non-detection rate roughly corresponds to Apple’s market share in France, around 21%. Solicited, the Secretary of State for Digital did not answer our questions on this subject, any more than Apple and Google.
These technical concerns are far from anecdotal as to the overall effectiveness of the application. “Problems with iPhones may eliminate many contacts and give some users a false sense of security”, estimates a researcher. This would generate what specialists call “false negatives”. Conversely, the vagueness of Bluetooth technology could create “false positives”, people who receive alert messages when they have not been in close contact with a potential patient.
“You have to understand that Bluetooth was not developed for this, and that it is a relatively imprecise technology”, explains Baptiste Robert. “Besides, we are not all equal, continues the cybersecurity researcher. Depending on the age of your phone, the type of Bluetooth chip or the version, performance can be very different. “ In Singapore, the director of the government digital agency believes that these limits in the effectiveness of these applications are not trivial. “There are lives at stake, he wrote. False positives and false negatives have consequences in real life. “
It remains to be seen how many French people will download and actually use StopCovid. In countries that have already launched their application on a voluntary basis, the rates range between 10 and 50% of the population. A study carried out by the University of Oxford estimated in March that a minimum of 60% of a population would be necessary for this type of application to be a real help to stem the epidemic. In a column published on the internet, Cédric O claims that “in a population like a city, the application begins to be effective from a few percent”. An assertion which does not convince certain specialists. “If you’re 10% of the population who have the app, recalls Gaëtan Leurent from INRIA, on arrival you can only detect at best 1% of the contacts since both people must have the application. “
Other researchers also recall that the mode of spread of the disease has been unpredictable and that some people were contaminated well over a meter away, while others were not as a result of contact. close. “We are launching a tool whose efficacy is very doubtful, telling us that if it only saves one person, it will be good”, laments Paul Christophle. “But at what cost ?, he wonders. I know this is difficult speech to make politically in times of crisis, but what is the price of creating a file that brings together a lot of personal and sensitive information and which, by definition, is not inviolable? “
The financial cost of the StopCovid device is unknown to date. Before the Senate, Cédric O explained that the companies associated with the project had worked for free so far and that the management of the application should cost “a few hundred thousand euros a month”. A web entrepreneur who has been watching the project for several months sighs: “We don’t know if this app will really be used, but I can already see a lot of people who are starting to swarm around, because they understood that there were budgets that were going to be released.”