You will find in this section the answers provided by the StopCovid team and its partners to technical questions related to the development of the StopCovid application. We will regularly update its content according to the current status of the project.
Technological choices & security
What is the ROBERT protocol?
It is a communication protocol, that is, a procedure describing how an application should exchange data. It is proposed by scientists who have been working on the security and confidentiality of communication protocols for over 20 years. Any type of application can use the ROBERT protocol. The ROBERT protocol was built in the framework of a Franco-German partnership between Inria, the French digital research institute, and Fraunhofer, a major German technological institute. Its main purpose is to guarantee compliance with European standards for data protection, privacy and security. The protocol continues to evolve, subject to the advice of other scientists, to meet new requirements and incorporate improvements. The StopCovid application is therefore developed on top of the ROBERT protocol.
What is the difference with a tracking application?
The StopCovid application is not a "tracking" application. The work that has been launched relies on the ability to identify devices using Bluetooth technology, not on people's movements. The application therefore never uses the location of people, in particular GPS data from mobile phones, unlike the choice made by other countries.
What is the purpose of "contact tracing", what is it used for?
By "contact tracing", we mean the ability to inform a person, here through an application on their smartphone, that they have been in contact during the previous days with people who have been diagnosed positive with Covid-19. This "contact person" therefore presents a risk of having been infected at the time of this contact, of subsequently becoming contagious themselves and of accelerating the spread of the virus. The "digital means" that enable this risk to be assessed are based on the ability of two smartphones to recognize that they are close to each other, through Bluetooth technology, which only operates at a short distance (a few meters). Medical services have a long practice of field investigations to trace the chains of propagation of an epidemic, but these are time-consuming and require strong human resources. As such, the type of application aimed at is to be seen only as a complementary aid to these practices, helping the health authorities automate the search for contact cases.
Why didn't you release the full source code on May 12?
The development schedule of the application takes into account several factors: scientific, technical, control by independent administrative authorities (such as the CNIL)... but also and above all human factors. It should not be forgotten that the operational project started mid-April and mixes several closely related dimensions. The development teams have been fully mobilized since the beginning of the project and developments are being carried out under pressure, within the framework of a very tight agenda.
As part of the transparency approach desired by all StopCovid project partners, it was decided to stagger the publication of the source code rather than wait until all the building blocks had been consolidated before making them available for consultation.
In order to finalize a first functional and deployable version of the application by June 2, several choices were made:
- Rapid developments have been initiated, in the form of tests and prototypes to check feasibility, to test technologies, etc.
- Companies initially brought in their internal source code (some of it under proprietary licences) to speed up the project at the start, which made it impossible to publish that code as open source. Ad hoc open source developments were made as the project progressed.
- The team of developers involved focused first on development, in the context of a very tight operational schedule, and then on taking into account feedback from the testing phases. Only in a second step could priority be given to the management of contributions and the facilitation of the open source community of contributors.
What is the timetable for the publication of the source code?
- May 12: Start of the open source release (MPL2.0 license) of the Robert SDK on the Android and iOS apps side, in two projects ("ROBERT SDK for Android" and "ROBERT SDK for iOS").
- May 12: Publication of the global approach: README, AUTHORS, LICENSES, and general architecture documentation
- May 13: Open source release (MPL2.0) of the Robert server-side SDK in two projects ("ROBERT Server" and "ROBERT Client API Specs").
- May 22: Release in open source (MPL2.0) of the BLE calibration part for iOS and Android
- May 22: Publication of the sources of the section for generating and using the QR Codes for a person diagnosed positive for Covid-19.
- May 26: Publication of the StopCovid source code with the application under iOS and under Android in a provisional version in terms of design.
- June 1: Documentation of the scientific basis of the project is available on GitLab.
Note also, for all codes published under the MPL2.0 license:
- Before June 15 (indicative date, earlier if possible): an external person can ask the current developers, via an issue, to join the developer team. The developers will decide, on an exceptional basis, whether to add an account for the contributor.
- After June 15th: contributions will be facilitated and the procedure will be explicitly documented in the CONTRIBUTING.md file of the StopCovid home project.
What are the future evolutions?
As in any software project, many evolutions take place along the way. A notable example: following the deliberation of the @CNIL of 24/04 and a recommendation from @ANSSI_FR indicating that the 3DES algorithm should be replaced, a new algorithm has been implemented for encryption, with SKINNY-CIPHER64/192. It will be released in open source early next week...
You run a Bug Bounty on the StopCovid application, what does it consist of?
From May 27th, a Bug Bounty program with the French company YesWeHack is launched to reinforce the security requirement, mobilizing a community of cybersecurity experts (called "hunters") to search for vulnerabilities in the application so that they can be fixed. This Bug Bounty will take place in two phases: from May 27th, the application will be submitted to a first, private phase of Bug Bounty: about twenty ethical hackers spread all over Europe will test the security of the application. At the launch of StopCovid, the application will enter a public Bug Bounty phase, during which the 15,000 hackers in the YesWeHack community will be able to test the security of the application, continuously throughout its lifecycle. The findings will be reported, and the results of this program will be made public on the YesWeHack website.
More information about the Bug Bounty Program
How was the application tested beforehand?
The development of the StopCovid project is based on a set of functional tests of 4 types:
- "Unmoderated" user tests collected on 16 and 17 May. The first lessons are being integrated.
- Field tests in simulated conditions which took place on several occasions from May 18, mainly on Bluetooth.
- Functional integration tests in chambers to verify that each functionality of the application is operational.
- Tests in real conditions (panel of citizens in a real-life situation, micro pavement tests...) in order to evaluate and adjust if necessary the handling, reactions and behaviors of the users.
Who conducts these tests?
This campaign was carried out thanks to the contribution of different members of the StopCovid project team. In particular: Inria and Orange for conducting the experimental campaign and Capgemini for supporting the organization and running of the tests.
What points were particularly studied during the field test phase in simulated conditions?
The objective of these tests was first of all to check and improve the calibration of Bluetooth signals to detect high-risk "contacts" between citizens, by prioritizing everyday life scenarios that could pose the most technical difficulties. These measurements are essential to ensure that, once deployed, the application only records proximity levels deemed "at risk" by health experts, and thus that it properly alerts users with a high potential for contamination (the logic being to minimize false positives and, above all, false negatives, while avoiding alerting too large a part of the population).
More specifically, the tests aim to measure whether sending and receiving Bluetooth signals between phones using StopCovid generates comparable results under the following conditions:
- High / low density of citizens
- Floor area and ceiling height: high / medium / low
- Static / moving citizens
- Outdoors / presence of metal structures
Who is responsible for managing the central server?
The Direction Générale de la Santé (DGS) is responsible for the central server. The data are located in France, at 3DS/Outscale, a major French company in the field of digital technology.
Will all my contacts in my phone be known and tracked against their will if I download the application?
The StopCovid application has no technical means to access a user's contact database. This has never been considered and is not possible within the ROBERT communication protocol on which the application is based. The application will therefore neither be able to access the contacts in the user's phone, nor request authorization to access them.
Even if I uninstall the application, will personal data be kept on a server?
At any time, the user has the possibility of deleting proximity data (and thus permanently erasing any information that is uploaded to the server). When deleting the application from the smartphone, all data in the application will be effectively deleted.
If I lose my phone, how can I prevent access to my most sensitive data?
No usable personal information is stored or managed by the application. Only encounters with other users of the application are recorded, in encrypted form.
If I am infected, can the system check if I am in quarantine?
No, there is no location data in the application. Its only purpose is to alert you if you are "at risk", or to allow people you have met to be alerted that they are at risk if you are tested or diagnosed positive.
Which healthcare professional will be responsible for giving the code to the user: the prescribing physician, the laboratory that performed the test, both?
In the case of the QR code, only the laboratories will be responsible for sharing it with their diagnosed positive patients. It can then be scanned (QR code) or entered in the application. If the prescribing physician delivers the diagnosis, he will also have access to codes that will not take the form of a QR code but a short code to be entered within minutes of its generation.
How will the QR code be transmitted to the patient?
The QR code will be shared from the patient's secure account via the results retrieval portal (CyberLab). After performing a test in a laboratory, the patient will receive an email inviting them to log on to the secure platform to access their results in the form of a PDF document. If the result is positive, the patient will find in the same document the QR code with the following information: "If you are a user of the StopCovid application (available on the most common mobile application stores), you can register on this application by scanning the following QR code or by entering the corresponding code located under the image. These items do not contain any data about you."
Is the Sidep information system expected to generate the QR code?
Sidep does not generate the QR code. It is a secure server approved for hosting health data which makes a set of codes available. In practice, every day codes are made available to Sidep which distributes these codes to laboratories. Each laboratory is autonomous in the distribution of codes to be associated with positive cases. The doctor requests the generation of a short code via a dedicated interface, after having authenticated himself.
Are precautions taken to prevent the QR code from being attached to a person and/or to his data stored in Sidep?
Each QR code is linked to the results of a person diagnosed positive. Sidep will not have any information on this subject. The back end of the StopCovid application allows codes to be generated but under no circumstances can a link be established between a person and the information concerning him or her and the QR code.
Will the QR code be generated randomly and separately from the Covid positivity status?
Yes, the generation of the codes is done upstream. A server generates codes which will then be used as needed by Sidep. The responsibility of associating a patient with a code rests with the health laboratories and doctors.
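The separation described in the answers above (codes generated upstream by a server that never learns who receives them, single-use redemption, short codes that expire minutes after generation, and the patient-to-code association held only by the laboratory or doctor) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the StopCovid or ROBERT projects; the code alphabet, code lengths, the hashing of stored codes, the ten-minute short-code lifetime and the in-memory store are all illustrative assumptions.

```python
"""Added example (not StopCovid/ROBERT project code): a minimal model of
pre-generated, unlinkable diagnosis codes.

Assumptions (not from the page): code alphabet and lengths, storing only a
SHA-256 digest of each code, the short-code lifetime and the in-memory store
are illustrative choices made for this example.
"""
import hashlib
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits   # assumption: easy to type
SHORT_CODE_TTL = 10 * 60                            # assumption: 10 minutes
_MISSING = object()                                 # sentinel for unknown codes


def _digest(code: str) -> str:
    # Only a hash is stored server-side, so a leaked table does not expose
    # unused codes; the normalisation lets users type lower-case or spaces.
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()


def _random_code(length: int) -> str:
    # CSPRNG-based, so codes carry no information about order or patient.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class CodeServer:
    """Generates codes upstream; never sees who a code is handed to."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # digest -> expiry timestamp (None = long-lived QR code)
        self._unused = {}

    def generate_batch(self, n: int, length: int = 12) -> list:
        """Daily batch of long-lived codes made available to the distributor."""
        batch = []
        for _ in range(n):
            code = _random_code(length)
            self._unused[_digest(code)] = None
            batch.append(code)
        return batch

    def generate_short_code(self, length: int = 6) -> str:
        """Code for a physician, valid only for SHORT_CODE_TTL seconds."""
        code = _random_code(length)
        self._unused[_digest(code)] = self._clock() + SHORT_CODE_TTL
        return code

    def redeem(self, code: str) -> bool:
        """Accept a code once; reject unknown, expired or already-used codes."""
        d = _digest(code)
        expiry = self._unused.get(d, _MISSING)
        if expiry is _MISSING:
            return False
        del self._unused[d]            # single use: burn on first presentation
        if expiry is not None and self._clock() > expiry:
            return False               # short code presented too late
        return True


class Laboratory:
    """Holds the only mapping between a code and a patient, on the lab side."""

    def __init__(self, allocated_codes):
        self._pool = list(allocated_codes)
        self._handed_out = {}          # patient_id -> code, never sent upstream

    def hand_out(self, patient_id: str) -> str:
        code = self._pool.pop()
        self._handed_out[patient_id] = code
        return code


def demo() -> dict:
    """Walk through the lifecycle with a controllable clock (constructed data)."""
    now = [1_000.0]
    server = CodeServer(clock=lambda: now[0])
    lab = Laboratory(server.generate_batch(3))
    qr_code = lab.hand_out("patient-A")        # server never sees "patient-A"
    first = server.redeem(qr_code)             # True: valid, unused
    replay = server.redeem(qr_code)            # False: already burned
    short = server.generate_short_code()
    now[0] += SHORT_CODE_TTL + 1               # let the short code expire
    late = server.redeem(short)                # False: expired
    unknown = server.redeem("NOT-A-CODE")      # False: never issued
    return {"first": first, "replay": replay, "late": late, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is what each party holds: the server has only digests and expiry times, the laboratory has the patient-to-code mapping, and nothing is ever sent upstream that would let the two be joined.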
How is Bluetooth handled specifically with iPhones?
Bluetooth Low Energy (BLE) operation is limited on the iPhone as soon as an application is put in the background: BLE "advertising" (= sending messages) is restricted, but BLE "scanning" (= listening to messages from nearby devices) can continue. The presence of one or more Android devices close to an iPhone will allow the application to be woken up, so Android models will be detected by the iPhone. On the other hand, Android devices cannot detect the iPhone directly because the iPhone does not broadcast full advertising messages to signal itself. To resolve this limitation, an explicit Bluetooth exchange is initiated from the iPhone to the Android device(s) to inform them of the presence of the iPhone nearby.
If I don't download the application, will my Bluetooth be perceived by the Bluetooth of a contact who has activated the application?
The StopCovid application does not record every Bluetooth signal it encounters. It only captures the "pseudonyms" of a phone that are sent periodically by the StopCovid application. Therefore, the application must be enabled for a Bluetooth signal to identify another Bluetooth signal. It is these pseudonyms that the phones record and which will then make it possible to alert, or not, the contacts of a person who has tested positive.
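To make concrete what "only captures the pseudonyms sent by the application" means at the scanning layer, here is an added example (written for this page, not StopCovid or ROBERT code) that parses raw BLE advertising payloads into their standard AD structures, keeps only the service-data field of one specific service, and records the opaque pseudonym with its signal strength while discarding the advertiser's address and everything broadcast by unrelated devices. The 16-bit service UUID 0xFD00, the 8-byte pseudonym layout and the scan results are placeholders constructed for the example; the AD structure encoding (length, type, data) is the one defined by the Bluetooth Core Specification.

```python
"""Added example (not StopCovid/ROBERT project code): filter BLE scan results
down to app pseudonyms.

Assumptions (not from the page): the service UUID 0xFD00, the 8-byte pseudonym
size and the SAMPLE_SCAN records are placeholders constructed for illustration.
"""
from dataclasses import dataclass

AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_SERVICE_DATA_16BIT = 0x16     # standard AD type: 16-bit UUID + service data
APP_SERVICE_UUID = 0xFD00        # placeholder, not the real service UUID
PSEUDONYM_LEN = 8                # placeholder pseudonym size


def parse_ad_structures(payload: bytes) -> list:
    """Split an advertising payload into (ad_type, data) tuples.

    Each structure is: length (1 byte, counting type + data), type (1 byte),
    data. A zero length byte marks padding and ends parsing; a length that
    runs past the payload is rejected rather than silently truncated.
    """
    out = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        ad_type = payload[i + 1]
        out.append((ad_type, bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def extract_pseudonym(payload: bytes):
    """Return the app pseudonym carried in the payload, or None.

    Names, flags and other vendors' service data are ignored entirely.
    """
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != AD_SERVICE_DATA_16BIT or len(data) < 2:
            continue
        uuid = int.from_bytes(data[:2], "little")   # UUIDs are little-endian
        if uuid == APP_SERVICE_UUID and len(data) == 2 + PSEUDONYM_LEN:
            return data[2:]
    return None


@dataclass
class Observation:
    pseudonym_hex: str   # opaque value; nothing here identifies the device
    rssi: int
    timestamp: int


def record_scan(scan_results, store: list) -> list:
    """Keep only app pseudonyms; the advertiser address is never stored."""
    for _address, rssi, timestamp, payload in scan_results:
        pseudonym = extract_pseudonym(payload)
        if pseudonym is not None:
            store.append(Observation(pseudonym.hex(), rssi, timestamp))
    return store


# Constructed scan results: (address, RSSI, timestamp, raw advertising payload).
SAMPLE_SCAN = [
    # App device: flags + service data for 0xFD00 with an 8-byte pseudonym
    ("AA:BB:CC:DD:EE:01", -62, 100,
     bytes.fromhex("020106" "0b1600fd" "0102030405060708")),
    # Fitness tracker advertising only a local name
    ("AA:BB:CC:DD:EE:02", -70, 101,
     bytes.fromhex("020106" "0a09") + b"TrackerX1"),
    # Another device using service data for a different UUID (0x180D)
    ("AA:BB:CC:DD:EE:03", -55, 102,
     bytes.fromhex("020106" "0b160d18" "1122334455667788")),
]


if __name__ == "__main__":
    for obs in record_scan(SAMPLE_SCAN, []):
        print(obs)
```

Of the three constructed advertisers only the first is recorded, and what is recorded is the pseudonym, RSSI and time, not the address it came from; a malformed payload raises rather than being partially accepted.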
On older phones, won't the battery drain if Bluetooth is left permanently active?
This parameter has been identified and studied. Previous tests have shown a limited impact on the battery. StopCovid uses "low energy" Bluetooth, which consumes less energy and therefore limits the impact on the battery. It is useful to remember that the application can be easily activated and deactivated.
Why do Android devices require access to geolocation to use the application?
Android does not allow applications to use Bluetooth without asking permission to access the location. This is a constraint imposed by the phone platform and not by StopCovid. However, StopCovid will not use the GPS function of your phone: the application only uses Bluetooth and will not be able to locate you. In order to ensure transparency, and to allow anyone who wishes to verify that StopCovid never uses the geolocation of people, the source code of the application has been published and is available on GitLab Inria StopCovid.