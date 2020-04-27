A group of 471 French cryptography and security researchers has signed a letter to raise awareness about the potential risks of a contact-tracing app. A debate in the French parliament will take place tomorrow to talk about all things related to post-lockdown — including contact-tracing app StopCovid.

Among the group of researchers, 77 of them are affiliated with Inria, the French research institute that has been working on the contact-tracing protocol that will power the government-backed contact-tracing app, ROBERT. With this letter, it appears that Inria is conflicted about ROBERT.

“All those applications induce very important risks when it comes to protecting privacy and individual rights,” the letter says. “This mass surveillance could be done by collecting the interaction graph of individuals — the social graph. It could happen at the operating system level on the phones. Not only operating system makers could reconstruct the social graph, but the state could as well, more or less easily depending on the approaches.”

The letter also mentions a thorough analysis of centralized and decentralized implementations of contact-tracing protocols. It includes multiple attack scenarios and undermines both the DP-3T protocol as well as ROBERT.

Ahead of the debate in the French parliament tomorrow, researchers say that “it is essential to thoroughly analyze the health benefits of a digital solution with specialists — there should be important evidence in order to justify the risks incurred.”

Researchers also ask for more transparency at all levels — every technical choice should be documented and justified. Data collection should be minimized and people should understand the risks and remain free not to use the contact-tracing app.

Over the past few weeks, multiple groups of researchers in Europe have been working on different protocols. In particular, DP-3T has been working a decentralized protocol that leverages smartphones to compute social interactions. Ephemeral IDs are stored on your device and you can accept to share ephemeral IDs with a relay server to send them to the community of app users.

PEPP-PT has been backing a centralized protocol that uses pseudonymization to match contacts on a central server. A national authority manages the central server, which could lead to state surveillance if the protocol isn’t implemented properly. ROBERT is a variant of PEPP-PT designed by French and German researchers.

While the French government has always been cautious about the upsides of a contact-tracing app, there’s been little debate about the implementation. Inria, with official backing from the French government, and Fraunhofer released specifications for the ROBERT protocol last week.

Many (including me) have called out various design choices, as you have to trust your government that they’re not doing anything nefarious without telling you — a centralized approach requires a lot of faith from the end users as the government holds a lot of data about your social interactions and your health. Sure, it’s pseudonymized, but it’s not anonymized, despite what the ROBERT specification document says.

Moreover, ROBERT doesn’t leverage Apple and Google’s contact-tracing API that is in the works. France’s digital minister, Cédric O, has been trying to put some pressure on Apple over Bluetooth restrictions with a Bloomberg interview. Given that Apple and Google provide an API for decentralized implementations, they have little incentive to bow to French pressure.

On Sunday, Germany announced that it would abandon its original plans for a centralized architecture in favor of a decentralized approach, leaving France and the U.K. as the two remaining backers of a centralized approach.

France’s data protection watchdog CNIL released a cautious analysis of ROBERT, saying that the protocol could be compliant with GDPR. But it says it will need further details on the implementation of the protocol to give a definitive take on StopCovid.

The European Data Protection Supervisor (EDPS) also said on Twitter that the debate in front of the French parliament is particularly important. “Decisions will have an impact not only on the immediate future but as well on years to come,” they say.