French research institute Inria has released a small portion of the source code that is going to power France’s contact-tracing app, StopCovid. It is available on several GitLab repositories under the Mozilla Public License 2.0. While the French government announced that everything would be open source, it’s going to be bit a more complicated than that.
As Inria wrote in the announcement, the project is now divided in three parts. Critical elements of the infrastructure are not going to be available on the GitLab repositories. Instead, Inria will only release documentation on the security implementations, as ANSSI and France’s data protection watchdog CNIL recommended some level of transparency on this front.
A second part is going to be released publicly, but Inria is not looking for external contributions or, as developers would say, pull/merge requests. You can expect front-facing work here and things that don’t interact directly with the contact-tracing protocol.
The third part consists of the contact-tracing protocol and its implementation. This time, Inria and the community of companies and research teams working on StopCovid are looking for external contributions. The idea here is to improve the protocol itself when it comes to privacy and security.
France is moving forward with its centralized contact-tracing protocol called ROBERT. I analyzed the pros and cons of the protocol when Inria and Fraunhofer released the specifications.
It’s very different from Apple and Google’s contact-tracing API, as ROBERT relies on a central server to assign a permanent ID as well as a bunch of ephemeral IDs attached to this permanent ID. Your phone collects the ephemeral IDs of other app users around you. When somebody is diagnosed COVID-19-positive, the server receives all the ephemeral IDs associated with people with whom they’ve interacted. If one or several of your ephemeral IDs get flagged, you receive a notification.
By choosing a pseudonymous system, you have to trust your government that its implementation is rock-solid. For instance, if the app sends too much information when it communicates with the server, it would become possible to put names on permanent IDs.
Inria says that StopCovid could be released in early June, if everything goes well. France’s digital minister, Cédric O, said in a TV interview that the government wanted to release StopCovid on June 2.