The QR code - for “Quick Response Code” - is a two-dimensional barcode that has come to the fore in France in the context of deconfinement.
Two distinct uses have been developed.
They can be scanned at the entrance of certain places by a smartphone to help the health authorities to trace the chains of contaminations, and they can be used as a control document to access certain events or to travel within the framework of the famous “pass”. sanitary ”.
If the technology is presented as tamper-proof, according to the designers of the control application, risks exist.
We take stock of the best practices to be observed.
We have seen them blooming on the fronts of bars and restaurants for several weeks.
The QR codes - for "Quick Response Code", "quick response code", in English - know their moment of glory in this period of deconfinement.
In France, since June 9, two major uses are based on these digital barcodes.
They can either be scanned at the entrance to certain places by a smartphone to help the health authorities to trace the chains of contamination, or be used as a control document to access events or travel within the framework of the famous "health pass. ".
But what exactly is this technology and what are the risks?
How to use a QR code?
Born in 1994 in Japan, the QR code takes the form of a two-dimensional barcode, made up of black squares on a white background, which can be decrypted after being flashed or scanned with a smartphone camera. . In this new phase of deconfinement, the French can now obtain proof of non-contamination with a QR code: it can be a negative result on a PCR test or a vaccination certificate. These QR codes appear on the paper certificate provided by the laboratory or vaccination center and can be stored directly on the phone. This feature is available on the TousAntiCovid government mobile application.
A tab entitled "my book" offers the user to scan the QR code appearing on these certificates.
In the event of a control to attend an event of more than 1,000 people or to travel abroad, in Corsica or overseas, it is then sufficient to present this barcode.
"In reality, two codes are used in the health pass", specifies Bastien Le Querrec, lawyer within the association for the defense of digital freedoms, Quadrature du Net (QDN).
"A QR code to import your document into the TousAntiCovid app, and another code, entitled" 2D-Doc "or" Visible electronic seal (CEV) ", which aims to ensure the validity of this document in case of control, ”he explains.
What data is in these QR codes?
In an opinion delivered on June 7, the CNIL (National Commission for Informatics and Freedoms) indicates: “In accordance with the principle of data minimization, the persons authorized to check the supporting documents using the TousAntiCovid application [ …] Will only have access to the surname, first name and date of birth of the person concerned, as well as to the positive or negative result of holding a valid document. "
For La Quadrature du Net, this identification data is considered superfluous and dangerous.
“In our opinion, this amounts to trivializing and systematizing identity control.
To find out if a person meets the health criteria set by law, we do not need to check their marital status!
It is enough to know if the certificates presented are valid or not ”, underlines Bastien Le Querrec.
To contest this modality, La Quadrature du Net filed an appeal on June 11 before the Council of State.
What are the risks ?
In its opinion of June 7, the CNIL, guardian of the private life of the French, recalls that during checks carried out by the authorized authorities, "it is possible, for a malicious person, to access all personal data. integrated into the QR codes on the receipts, including health data ”. However, in the era of Covid-19, these health data can be very expensive, recalls Bastien Le Querrec. "Data brokers", companies specializing in the purchase and sale of our personal data, are very interested in health data, "he explains.
If the possibility of falsifying a QR code is low, the risk of data leaks exists, points out the lawyer: “We managed to develop in a few days an application which makes it possible to extract, read and export the data included in these two-dimensional codes. A development that requires technical knowledge, but invites users of the application to be cautious when presenting their code.
Finally, certain bad digital habits can also expose Internet users to malicious use, notes Matthieu Audibert, captain of the gendarmerie in the national center for the fight against cyberthreats: “Since vaccination has developed, we have seen Internet users share information. photos on social networks with, sometimes, their vaccination certificate.
By doing this, they expose their personal data.
»A practice that can result in identity fraud or illegal data collection.
How to protect yourself from this?
On social networks, the police are trying to make Internet users aware of the risks involved in publishing personal data.
“The idea would not occur to anyone to post on Instagram or Twitter a photo of their credit card or identity card.
It must be the same with regard to these QR codes, ”illustrates Matthieu Audibert.
The CNIL, for its part, invited the government to "put in place information measures in order to make the public aware of the need to protect their supporting documents and not to expose them outside the controls provided for by the health pass".
For your # Cybersecurity, do not share your vaccination certificates and anti # COVID19 QR codes on the Internet and social networks.
# OurCommitmentYourSecurity pic.twitter.com/3hpV1dM5LF
- CyberGEND (@CyberGEND) June 2, 2021
La Quadrature calls for a radical change in technology: “Solutions other than QR codes exist to fight against document fraud.
These are physical measures, already developed by the National Printing Office for driving licenses or vehicle registration certificates.
The question now is: "How far are we prepared to go in terms of privacy protection to fight against this fraud?"
Paris: A nurse suspected of having pretended to vaccinate patients
Deconfinement: How will the digital “reminder book” work in restaurants?
By the Web