Without getting into the controversy of whether or not to extend the #SanitaryPass, or even the need to have one at all. In this article, I would simply like to understand if the security and the protection of our personal and health data are correctly ensured. It is indeed critical, given the systematic and recurrent nature of the use of this #HealthPass, that the French population can have a minimum of confidence in this widely deployed tool.
Security holes?
First of all, let’s focus on the application itself. According to the Cyberwatch Blog, there is indeed a critical flaw in the application. This flaw can allow a third party performing the check, either by mistake or intentionally, to retrieve on his smart phone by reading your QR Code, name, first name, date of birth, type of vaccine and date of injection … Even if you have nothing to hide, it is however more than annoying, right?
The CNIL indicated in its deliberation of June 7, 2021, that the source code of the “TousAntiCovid Vérif” application has not been made public, although Book III of the Code of Relations between the Public and the Administration provides for this, as the association InterHop has rightly pointed out.
Moreover, it is important to understand that the health data related to COVID-19 collected by the application are transmitted to the SNDS (National Health Data System) and thus in fact in the Health Data Hub hosted at the moment at Microsoft and thus depending on the American Law…
On this subject, I have already had the opportunity to write a few articles to alert on the problems that this posed (Articles 1, 2, 3 and 4)
In the process of tracking personal data, let’s then stop on the appointment booking. To go for a consultation or to get vaccinated, here again many questions come to mind, when we learn that the platform highlighted, #Doctolib is hosted by AWS Amazon, and that in addition once again, InterHop has been able to highlight areas of uncertainty on the processing of data (InterHopresponds to France Inter and Doctolib) …
To continue in the same vein, it seems – as I am not an expert, I allow myself to put the conditional, that the governmental site which is used to recover our certificates of PCR tests or vaccination points towards a US hosting (using the FlagFox extension on Firefox). If this is confirmed, we are walking on our heads, and we can really wonder if there is a pilot in the plane with two functioning neurons!
What to do?
Unfortunately, I do not have any firm recommendations to offer you. Indeed, your behavior will be dictated by the arbitration you will make taking into account the health situation and your sensitivity about the protection of your data, and the malicious use that could be made of it.
However, from my point of view, the generalization of the #SanitaryPass poses a major and structural problem on the security of our data. Unfortunately, the facts speak for themselves. The fact of collecting paper certificates does not solve the problem, indeed as demonstrated by the Cyber Watch Blog, the person who checks your QR Code is at risk of collecting your personal data even in an involuntary way, i.e. by a handling error.
For my part, I advise to file a complaint with the #CNIL, it is the only way to move the lines and ensure that eventually, the application will be secure. But I must admit that in a very general way, the accumulation of these “errors” imprecisions, bad choices make me wonder about the relevance of the systematic tracking organized (or so badly), without the minimal measures to ensure that the personal and health data of the French are protected!
Conclusions
In front of this negligence on major technological choices and structuring on the measures implemented, I wonder about the real capacity of our leaders to make the right decisions. That is to say, solutions that are relevant to health, while protecting the interests of the French population, and therefore of its #digitalsovereignty!
It is really to fear fraudulent and inappropriate uses of our personal data, in this crisis, as if the other scandals, the Data Hub Santé and the IQVIA affair were not enough (in the following article)…
