While the health pass must be deployed tomorrow in closed places welcoming a public with a tonnage of more than 1,000 people, certain recommendations of the Cnil concerning the rules of data storage are in the process of being applied. A future update should resolve this issue and provide additional security regarding everyone’s data contained in the QR Codes of vaccination certificates.
Since May 27, it has been possible to register your vaccination certificate on the Health Insurance website, Ameli.fr or to keep a paper copy on you. Tomorrow, June 9, will mark a further step towards a return to normal with the opening of indoor sports halls, bars and restaurants and the extension of the curfew to 11 p.m. For the government, this also means the implementation of the French health pass and the famous QR Code 2D-DOC, which users will have to have scanned to access closed places subject to a maximum gauge. “The health pass will apply to all major events, such as Roland-Garros, the Cannes festival, the Vieilles Charrues or even football-related events starting in August. We hope it’s for good”, specifies Cédric O, Secretary of State in charge of the digital transition and electronic communications.
The CNIL validates the architecture
For its part, the Cnil transmitted its opinion, validating the health pass system as a whole, namely the operating architecture of TousAntiCovid Carnet and TousAntiCovid Verif (the verification application used by professionals), compliant with the GDPR. . However, it issued recommendations concerning storage rules.
“Today there is indeed a sending of data to a central server, requiring an internet connection. In the coming days, an update will make it possible to have everything locally without requiring an internet connection to check if the certification is in red or green (see image below)”, specifies Antoine Darodes, chief of staff of Cédric O The government ultimately wants to move towards a more protective system but claims to be working urgently.
Example of a QR Code scan in the TousAntiCovid-Verif application. (Photo credit: DR)
This is a response to the controversy that swelled this weekend on social networks, after the publication of tweets on the protection of health pass data. Thus, Mathis Harmel carried out reverse engineering on the QR Code and detected a risk of discovering more information than expected. The fault is notably linked to the use of the 2D-DOC format. Another controversy, concerning the involvement of GAFAM, was clarified by Achille Lerpinière, head of the decision support division of the general directorate for health, “components from Google were used to the use of TousAntiCovid Verif during experiments, then disconnected in the updates of the applications to date”.
The objective of a European health pass
Achille Lerpinière, specifies that “for reasons of development time, the health pass in 2D-DOC or QR code format will coexist for a time with the European health pass, entitled EU Digital Covid Certificate”. The aim is to be able to have 2D-DOC read by reading applications in the Member States and eventually beyond Europe (in DCC format).
“The current version of the vaccination certificate, folded in half, hides health information. The DCC version to come on the evening of June 22 will bend over backwards to display only the QR Code, with name, first name, and date of birth. Everything else will be hidden.” The 2D-DOC and QR-codes DCC will be valid in France and readable in TousAntiCovid Verif. “It will be possible to retrieve new proof in this format on sidep.gouv.fr and attestation-vaccin.ameli.fr, or to ask a healthcare professional to do so, or to use a proof converter integrated into TousAntiCovid . Outside of France, you will need the DCC”, concludes Achille Lerpinière.
In addition, the European Commission recommends that each injection be certified. For the health pass, the vaccination cycle must nevertheless be completed, including post-injection delays. As a reminder, here is the vaccination schedule presented by Coralie Giese, head of the TousAntiCovid project for the cabinets of the Ministry of Solidarity and Health and the Secretariat of State for the Digital Transition and Electronic Communications: “for two-dose vaccines , the time after injection is 14 days, for the single-dose vaccine it is 28 days, and for people vaccinated with one dose after an infection, the vaccination process is completed after the 15th day. The health pass will be requested from the age of 11 and all the Member States of the European Union intend to align themselves with this age. Below, only a negative antigen or PCR test will be required to travel.