The QR Code, infallible tool or risky technology?

0



QR codes can be used as proof of non-contamination as part of the health pass. – PASCAL POCHARD-CASABIANCA / AFP

  • The QR code – for “Quick Response Code” – is a two-dimensional barcode that has come to the fore in France in the context of deconfinement.
  • Two distinct uses have been developed. They can be scanned at the entrance of certain places by a smartphone to help the health authorities to trace the chains of contaminations, and they can be used as a control document to access certain events or to travel within the framework of the famous “pass”. sanitary ”.
  • If the technology is presented as tamper-proof, according to the designers of the control application, risks exist. We take stock of the best practices to be observed.

We have seen them blooming on the fronts of bars and restaurants for several weeks. The QR codes – for “Quick Response Code”, “quick response code”, in English – know their moment of glory in this period of deconfinement. In France, since June 9, two major uses are based on these digital barcodes.

They can either be scanned at the entrance to certain places by a smartphone to help the health authorities to trace the chains of contamination, or be used as a control document to access events or travel within the framework of the famous “health pass. “. But what exactly is this technology and what are the risks?

  • How to use a QR code?

Born in 1994 in Japan, the QR code takes the form of a two-dimensional barcode, made up of black squares on a white background, which can be decrypted after being flashed or scanned with a smartphone camera. . In this new phase of deconfinement, the French can now obtain proof of non-contamination with a QR code: it can be a negative result on a PCR test or a vaccination certificate. These QR codes appear on the paper certificate provided by the laboratory or vaccination center and can be stored directly on the phone. This feature is available on the TousAntiCovid government mobile application.

A tab entitled “my book” offers the user to scan the QR code appearing on these certificates. In the event of a control to attend an event of more than 1,000 people or to travel abroad, in Corsica or overseas, it is then sufficient to present this barcode. “In reality, two codes are used in the health pass”, specifies Bastien Le Querrec, lawyer within the association for the defense of digital freedoms, Quadrature du Net (QDN). “A QR code to import your document into the TousAntiCovid app, and another code, entitled” 2D-Doc “or” Visible electronic seal (CEV) “, which aims to ensure the validity of this document in case of control, ”he explains.

  • What data is in these QR codes?

In an opinion delivered on June 7, the CNIL (National Commission for Informatics and Liberties) states: “In accordance with the principle of minimization data, the people authorized to check the supporting documents using the TousAntiCovid application […] will only have access to the names, first names and date of birth of the person concerned, as well as to the positive or negative result of holding a valid document. “

For La Quadrature du Net, this identification data is considered superfluous and dangerous. “In our opinion, this amounts to trivializing and systematizing identity control. To know if a person meets the health criteria set by law, we do not need to check their marital status! It is enough to know if the certificates presented are valid or not ”, underlines Bastien Le Querrec. To contest this modality, La Quadrature du Net filed an appeal on June 11 before the Council of State.

  • What are the risks ?

In its opinion of June 7, the CNIL, guardian of the privacy of the French, recalls that during checks carried out by the authorized authorities, “it is possible, for a malicious person, to access all the personal data included in the QR codes present on supporting documents, including health data ”. However, in the era of Covid-19, these health data
can be cashed very expensive, recalls Bastien Le Querrec. “Data brokers”, companies specializing in the purchase and sale of our personal data, are very interested in health data, “he explains.

Yes the possibility of falsifying a QR code is low, the risk of data leaks exists, points out the lawyer: ”
We managed to develop an application in a few days which makes it possible to extract, read and export the data included in these two-dimensional codes. A development that requires technical knowledge, but invites users of the application to be careful when presenting their code.

Finally, certain bad digital habits can also expose Internet users to malicious use, notes Matthieu Audibert, captain of the gendarmerie in the national center for the fight against cyberthreats: “Since vaccination has developed, we have seen Internet users share information. photos on social networks with, sometimes, their vaccination certificate. By doing this, they expose their personal data. »A practice that can result in identity fraud or illegal data collection.

  • How to protect yourself from this?

On social networks, the police are trying to make Internet users aware of the risks involved in publishing personal data. “No one would think of posting a photo of their credit card or identity card on Instagram or Twitter. It must be the same with regard to these QR codes, ”illustrates Matthieu Audibert. The CNIL, for its part, invited the government to “put in place information measures in order to make the public aware of the need to protect their supporting documents and not to expose them outside the controls provided for by the health pass”.

La Quadrature calls for a radical change in technology: “Solutions other than QR codes exist to fight against document fraud. These are physical measures, already developed by the National Printing Office for driving licenses or vehicle registration certificates. The question now is: “How far are we prepared to go in terms of privacy protection to fight against this fraud?” “





Source link