In just a few days it has become one of the most downloaded applications in France: with more than a million users, Elyze is one of the hits of the start of the year. Launched on January 2, this smartphone application, available on iOS and Android, aims to help users “find their candidate” for the next presidential election.
To do so, it borrows the conventions of Tinder and other dating apps. Once installed, Elyze shows the user a series of proposals. You “swipe” (sweep a finger across the screen) to the right if you agree, to the left if you don’t. Over time a profile takes shape, and the application displays the candidates who best match the proposals you approved. “We built this tool to reconcile our generation with the presidential election,” Grégoire Cazcarra, one of the application’s two creators, explained to Le Monde at the beginning of January.
Although the application’s initial feedback was fairly positive, the way Elyze works did not please everyone. Several users quickly questioned the results it proposed. Jean-Luc Mélenchon, the Insoumis candidate for the presidential election, denounced a “dirty trick” on his Twitter account on Wednesday, January 12, in response to a tweet asserting that if you agreed with every proposal, and therefore with every candidate, “Macron finished first, Hidalgo second and Jadot third”.
The founders quickly defended themselves against any accusation of favoritism. In reality, each candidate had been assigned an identifier and, in the event of a tie, the algorithm put forward the candidate with the smallest identifier, as Le Point explained on January 13. A “bug fixed by an update” the next day, according to François Mari, co-founder of the application, interviewed by the magazine. It was not the only error: beyond the bugs, Le Point also reported that the proposals attributed to Emmanuel Macron dated from his 2017 campaign, since he has not yet published a program for 2022, not yet being an official candidate.
Furthermore, as Libération notes, the candidates do not all have the same number of proposals, and only fifteen of the forty or so already declared are listed.
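The tie-break behaviour described above, and the effect of unequal proposal counts that Libération points out, can be reproduced in a few lines. This is an added illustration, not Elyze’s own code; the proposals, candidate identifiers and scoring function are constructed for the example.

```python
import random
from collections import defaultdict

# Constructed sample data, not Elyze's real proposals or candidate identifiers.
# Proposal id -> candidate id; counts are deliberately unequal per candidate.
PROPOSALS = {
    "p1": 5, "p2": 5, "p3": 5,   # candidate 5 has three proposals listed
    "p4": 12, "p5": 12,          # candidate 12 has two
    "p6": 7,                     # candidate 7 has one
}

def score_share(answers, proposals=PROPOSALS):
    """Fraction of each candidate's proposals the user agreed with (swiped right).
    answers maps proposal id -> True/False; unanswered proposals count as disagreement.
    A raw count would favour candidates that simply have more proposals listed."""
    agreed, total = defaultdict(int), defaultdict(int)
    for pid, cand in proposals.items():
        total[cand] += 1
        if answers.get(pid, False):
            agreed[cand] += 1
    return {c: agreed[c] / total[c] for c in total}

def rank_buggy(scores):
    """Score descending, ties broken by smallest candidate id: the behaviour
    Le Point described, which systematically favours low identifiers."""
    return [c for c, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]

def rank_fixed(scores, seed=None):
    """Same ordering by score, but candidates on equal scores are shuffled so
    no identifier is favoured; pass a seed for reproducible results."""
    rng = random.Random(seed)
    groups = defaultdict(list)
    for cand, s in scores.items():
        groups[s].append(cand)
    ranking = []
    for s in sorted(groups, reverse=True):
        tied = groups[s]
        rng.shuffle(tied)
        ranking.extend(tied)
    return ranking

def tie_groups(scores):
    """Explicit tie groups (ids sorted for display) so a UI can show candidates
    as equal instead of inventing an order."""
    groups = defaultdict(list)
    for cand, s in scores.items():
        groups[s].append(cand)
    return [sorted(groups[s]) for s in sorted(groups, reverse=True)]

if __name__ == "__main__":
    agree_all = {pid: True for pid in PROPOSALS}   # "agree with everything"
    shares = score_share(agree_all)
    print(rank_buggy(shares))   # [5, 7, 12]: ordered by id, not by preference
    print(tie_groups(shares))   # [[5, 7, 12]]: a single three-way tie
```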
A false proposal: “Fire Jean Castex”
The app found itself back in the spotlight on January 15, after an engineer, Mathis Hammel, managed to modify one of the proposals. In Emmanuel Macron’s program, he had replaced one with:
“Fire Jean Castex and appoint Mathis Hammel in his place”.
“The goal was not to do damage,” he explains to Le Monde. Since the application’s code is not yet public (it should be within the coming days, François Mari assured Libération), he embarked on a reverse-engineering exercise to understand how the application works (and the reasons behind the bugs) and to learn more about this “black box that tells us who to vote for”. That is how he discovered the security flaw. Immediately after successfully changing the proposal, he reverted his change and sought to contact the Elyze team. The flaw was fixed the next morning.
In summary, the attack path was relatively simple to exploit: – recovery of the .apk file – extraction… https://t.co/enas9mBI7X
While he succeeded in accessing the database containing the candidates and their proposals, Mathis Hammel notes that he did not manage to access the users’ database. “I had no access to data other than my own. It’s a bit reassuring,” he says:
“I don’t want to pile on the developers. The app quickly gained momentum. It is also normal to have problems in the first versions. Especially since they probably did not expect the application to be so successful: basically, it was meant to be a toy.”
“We designed this app imagining that it would be downloaded by 20,000 people, not 1.2 million. We have been overwhelmed,” confirms François Mari, co-creator of the application, to BFM.
The CNIL is watching
A final problem has arisen in recent days, with questions about the confidentiality of the personal data the application collects from users. When the application is first launched, they are invited to fill in a few fields giving their date of birth, gender and postal code. The application can also be used without them, the co-founders argue, but the “Skip this step” button is far less prominent than the “Continue” button, which prompts users to fill in the fields.
The creators of the application have pledged not to sell “any data to a political party”
Aware of the “gold mine” they are sitting on, the creators of the application have committed not to sell “any data to a political party or campaign team”, with the memory of the Cambridge Analytica scandal still fresh in everyone’s mind. “We said to ourselves that it could be interesting to potentially work with polling institutes, with think tanks,” Grégoire Cazcarra adds, for his part, in front of Brut’s camera. “We also have researchers in political science and social science who wrote to us to say they were interested in working on electoral behavior using the app.” In that case, François Mari assures, the only personal data provided will be “the year of birth and the beginning of the postal code (just the department)”.
The only problem with exploiting this data, BFM notes, is article 9 of the General Data Protection Regulation (GDPR), which states that “the processing of personal data which reveals political opinions is prohibited”, unless “the data subject has given explicit consent for one or more specified purposes”.
Although the co-founders assured, on Monday, January 17, that they would seek advice from specialized lawyers and from the Commission nationale de l’informatique et des libertés (CNIL) “to see how we can structure the project legally, in order to process and store the data”, the regulator announced a few hours later that it had been alerted and was examining how the application operates, while reserving the possibility of “using its enforcement powers” in the event of a breach of the GDPR. “Compliance with these obligations is particularly necessary when sensitive data [data revealing political opinions] are processed,” the regulator told Agence France-Presse, while stating that it “cannot comment on the compliance of this application as it stands”.