Focus on... Claude Castelluccia and the contact tracing apps

on the December 14, 2020

Claude Castelluccia is co-header of our WP5: Data Governance, Data Protection and Privacy. He is a research director in the Inria Privatics team working on privacy protection in the digital world. He has been actively involved in the design of TousAntiCovid, the smartphone application deployed by the government to curb the coronavirus epidemic.
Contact tracing has existed for centuries. When people are sick, doctors investigate to find all the persons that the patient could have been in contact with. The novelty is to use new technologies to help doctors. With the Covid19 epidemic, several countries deployed contact tracing apps. These tools can be very intrusive, especially when they use geolocalisation such as those used in China. France and Europe decided to deploy contact tracing solutions that respect privacy and conform to the GDPR (General Data Protection Regulation). The proposed solutions use the BLE (Bluetooth Low Energy) interface to broadcast random identifiers that change every 15 minutes, providing pseudo-anonymity.

Although most solutions in other European countries use a so-called “decentralized” approach based on the Google-Apple API (GAEN), France decided to develop its own sovereign solution. There were two main motivations. The first one is that although decentralization is preferable in general it is too intrusive in the context of contact tracing since it requires to send to all mobile apps the information about the infected users. Any malicious users can then easily identify infected users.  This is what is called the “small brother attack”. The second motivation is that relying on a solution that is solely provided and designed by Google-Apple does not provide the level of flexibility and transparency required for such an important application. The application developed by the government is based on the protocol ROBERT, designed by the researchers of the Inria Privatics team. This solution relies on a server to secure users’ data and compute the notification, providing full control to the health authority while preserving privacy (all collected data are pseudo-anonymized).

The TousAntiCovid application is fully operational since May. However, since it uses a different architecture it is not interoperable with the solution provided by Google and Apple. As a result, roaming is not provided within Europe. The Inria Privatics team is currently working on these interoperability issue and developing a solution, called DESIRE, towards this goal.
Claude is very proud to be involved in this interdisciplinary project. The research team has been working with the CNIL, ANSSI and the secretary of state for digital to deploy an application that is secure and preserves privacy. Moreover, this research has a direct impact on society.

Published on December 14, 2020