- The compulsory certificate in the event of displacement can be filled online since this Monday.
- What risks does it present for personal data?
- 20 Minutes takes stock with specialists.
A spy in your pocket? This is what some internet users fear, after the online posting, this Monday on the website of the Ministry of the Interior, of a digital travel certificate. Since the entry into force of containment to fight against the coronavirus, this document is mandatory when leaving.
The principle of its digital version? Internet users go to the dedicated page, enter their personal information (name, address, date of birth, reason for traveling, etc.) directly on the online form. The site generates a PDF, which can be downloaded to a smartphone or tablet. In the event of an inspection, the security forces verify the information entered on the certificate by scanning the QR code written on the digital certificate.
A message widely shared on Facebook relays the concerns of Internet users about this new device: the certificate "will be read by a code by the police, can we read in this message." But, once done, you will be on file and they will know everything about you. So let's keep our paper certificates, because many of us have saved our bank details, appointments, photos and others on our phones. So everything will be stored and centralized. "
FAKE OFF
How does this certificate generator work? 20 Minutes has contacted developers who have studied the subject. "When generating this certificate, I checked it for my part, there is no personal data that is sent to the servers of the Ministry of the Interior," develops Baptiste Robert, cybersecurity researcher and hacker. This attestation generation process is done locally. "
Johann Pardannaud, whose attestation generator inspired that of the Ministry of the Interior, confirms "having seen nothing [in that of the government] which changed the use of data" in relation to the tool he had program. He had also posted the source code of his generator online. The ministry imitated it on Monday evening, in turn publishing the code used to create this generator.
The specialist rules out the risk of seeing the ministry accessing photos or data stored on the phone: “I can tell you 100% that it is impossible to access photos or text messages. Your phones need to provide permissions to your browser when it wants to view the data, otherwise it would allow any website to retrieve your personal information permanently. "
"What you fill in the form stays on the phone"
The analysis is shared by François Best, developer: “There is no sending of personal data, everything you fill in the form stays on the phone. "
However, he identified "a shadow point" to this device: a cookie generated by an American company. The Ministry of the Interior details on its site the four cookies used and their purpose. It is one of them that catches François Best's attention: “It can be used to trace the generation of a form. With this cookie, the American company knows which terminal asked to download a form, but it does not have access to the data entered in the form. It is also possible to deactivate it, "either deactivate cookies in the browser, or switch to incognito mode on the browser", advises François Best.
Control by the police "is more opaque", underlines Baptiste Robert. To check the certificates, gendarmes and police use the CovidReader application, which is used to flash the QR codes on the certificates. "We don't have access to the application itself, nor to the source code, so we are not able to actually audit it *. However, we still know things: we have seen screenshots of the application, which show that basically, it looks like a simple QR code reader and that's it. We have testimonies from gendarmes who complain that it's too simple, that it only reads QR codes, we have big clues that tell us that there is no sending of data to servers outside when the QR code is read by the police. We generated a certificate and then flashed it using a QR code reader. Only the information entered in the certificate is visible.
The researcher underlines a legal point: "If there was processing of personal data, we are in a state governed by the rule of law, there are procedures, there must be a decree at the Council of State and a publication in the Official Journal, this that there is not. "And to conclude with a reminder of common sense:" If we want as much privacy as possible, we avoid digital ".
Do you want the Fake off team to verify an info, photo or video? Fill out the form below or write to us on Twitter: https://twitter.com/20minFakeOff
20 Minutes is a partner of Facebook to fight against fake news. Thanks to this device, users of the social network can report information that they believe is false.
Politics
Coronavirus: “Not necessary” then encouraged… The government's about-face about wearing a mask
Society
VIDEO. Coronavirus: In France and England, signs of loosening in containment were observed last weekend
- Fake Off
- Coronavirus
- By the Web
- Covid 19
- Containment
- Ministry of the Interior