How safe and secure are digital vaccine passports?

Ontarians will soon be able to confirm their vaccine status using an app. TVO.org speaks to experts about how that works — and whether you need to worry about your private data
By Justin Chandler - Published on Oct 06, 2021
Quebec has introduced vaccine-passport apps called VaxiCode and VaxiCode Verif. (Graham Hughes/CP)

Update: On October 14, Ontario released its app, Verify Ontario, which allows businesses to scan QR code vaccine credentials. The QR code version of the vaccine receipt is now available to some Ontarians based on birth month and will be widely available as of October 18. TVO.org published the province’s update on the vaccine credential system in full.

The province says Verify Ontario is the only scanning app it endorses for use. Someone scanning a code with an iPhone on an app other than Verify Ontario might be able to save the receipt on their own device — a potential privacy risk.

A spokesperson for the associate minister of digital government told TVO via email that, "the function that Apple has chosen to put in place is outside the control of government and is not a feature of the official QR code or the Verify Ontario app." She added: "People should always take care not to share their QR code with others who are not required to view or scan it and keep it in a secure location."

Verify Ontario's code is available on GitHub.

Since September 22, Ontarians have been printing out COVID-19 vaccine receipts or saving them to their phones in order to go to restaurants, see a movie, or hit the gym. Soon, they’ll have another option: on October 22, the province is set to launch its vaccine certificate and verification app, which will make receipts available in the form of QR codes (square barcodes that hold small amounts of data and can be read by smartphone cameras). “Businesses need a smart, quick, and safe solution to verify vaccination,” says Kaleed Rasheed, associate minister of digital government, in a news release. Codes will be available for printing or digital storage.

In the coming months, Ontario will also release another credential called Digital ID. The province says the tool will be usable in-person and online to prove one’s identity and help prevent fraud in online transactions, such as those involving real estate and controlled substances. So how private and secure will these new credentials be — and how susceptible to fraud? For Cyber Security Awareness Month, TVO.org speaks to experts to find out.

Will these tools keep your information private?

Some vaccination-credential apps have been criticized for how they handle users’ information. CBC Calgary has reported that the private proof-of-vaccine app PORTpass may have exposed hundreds of thousands of users’ data. Cybersecurity experts have said that, while Quebec’s system protects data, it has a weakness: the code can be scanned using other apps, which might not. 

Agenda segment, September 24: Understanding Ontario's vaccine passports

However, the process Ontario has planned sounds safe, says Aaron Mauro, assistant professor of digital media at Brock University, adding that “the QR code holds very little information.” That information will point to a unique URL that will interface with the app to check a user’s vaccination status in a government database. Mauro notes that, at this point, we don’t know the system the app will use, how it will interface with the information contained in the QR code, or what kind of authorization that will take.

Ideally, he says, it will work in such a way that no information about one’s medical records is shown when the code is scanned (the current receipts include name, birthday, the last four digits of the health-card number, and which vaccines were received and where). The Ministry of Health has said the Ontario QR code will show only “the minimum amount of information required to verify vaccination” — one’s name and vaccination status — and the Associate Ministry of Digital Government has said no information about a person or their status will be stored on the scanning phone. Businesses will still need to check IDs.  

The government says the Digital ID will also be designed to limit the amount of information shared. For example, you could share proof of age but not your name and address. Mauro, though, is concerned about how this tool would work in certain situations, especially those involving law enforcement: “I could not imagine being pulled over on the side of the street by a police officer and passing my unlocked phone with my ID on it to them,” he says, noting that could grant an officer access to other information on that device. “No way.” 

TVO.org asked the ministry whether it will be possible to prove identity without having to unlock your device. The spokesperson writes that “the design of features and requirements to use a digital ID in various settings, including by law enforcement, is still evolving and involves necessary consultation and alignment with other jurisdictions and associations. Digital ID will not replace the use of existing plastic identity cards.”  

How well do these systems guard against fraud?

“When it comes to the health and safety of our communities, we are confident the overwhelming majority of Ontarians will do the right thing,” a spokesperson for the Ministry of Health tells TVO.org via email.

But, while it may make sense to work according to that assumption, “some would say that hope is not a plan,” says Julia Zarb, currently on sabbatical from the University of Toronto’s Dalla Lana School of Public Health, where she directs the Master of Health Informatics program. 

There have been reports of people attempting to sell fake credentials, and the PDF receipts have been criticized for being editable through commonly used software. People could, for example, put a different name or date on their receipt or change their first-dose receipt to look like a second. Mauro calls that “an open invitation to flout the vaccine mandate.”

graphic titled "verifiable data registry"
Graphic illustrating the verification process. (ontario.ca)

Mauro says it appears as though the ability to edit PDFs was turned on by developers. The Ministry of Health did not answer questions from TVO.org about whether this was the case or whether it had considered using PDFs that cannot be edited. A spokesperson did tell TVO.org that the PDFs are securely watermarked. Such watermarks, however, do not prevent editing.

Both Quebec and Manitoba have already introduced vaccine-credential apps — CBC News reported in August that a programmer had figured out how to create a false QR code and get it verified by the Quebec system. Experts have said that the standard used has been adopted in multiple jurisdictions and is generally thought to be safe and privacy-respecting.

Mauro says that the QR codes generally will be much harder to tamper with than Ontario’s PDFs: “They've been used globally for upwards of a year. So there are other open-source examples available out there. This is not rebuilding something from scratch. This is a solved problem.”

The Associate Ministry of Digital Government says Ontario will release the vaccine-credential app as open-source software, meaning the code will be publicly available. Mauro approves of this since it will allow the public to inspect it for flaws and understand what the app does and does not do. The government will also share how the Digital ID works when that tool comes out late this year. “We have already published the tech stack, and will add further information as appropriate, including open-source code, [application programming interfaces and] toolkits where possible and as available,” the ministry writes.

Vass Bednar, executive director of the Master of Public Policy Program at McMaster University, says the government should actively solicit feedback from people who’ve spotted flaws in the open-source code: “I think as long as politicians [acknowledge]: ‘This is new and we've got to iron some of this out together’ … that's where I think the bargain needs to be maintained.” She says the state could even go so far as to offer a prize for catching flaws or for sending in design improvements. “I think when the state pretends that it has done everything perfectly and it will be perfect, then that sets everyone up for disappointment.”

Misinformation and disinformation

COVID-19 has been a frequent focus of baseless conspiracy theories — for example, that vaccines contain microchips. Vaccine passports and digital IDs also make an appearance and are linked to alleged plots by pharmaceutical and tech companies and governments to surveil and control populations.

There’s a notion that passports are being “used to control our behaviours beyond this public-health crisis, as if there are all sorts of electronic layers embedded in the vaccine [credential] to monitor and survey all of our activities, and not just whether we've been vaccinated or not," says Barbara Perry, who directs the Centre on Hate, Bias and Extremism at Ontario Tech University, in Oshawa. “It fits nicely into that broader narrative about medical tyranny and the overreach of the state and public authorities.” 

Agenda segment, September 29, 2021: Are vaccine passports dividing us?

Most people are unlikely to buy into conspiracies like that, she notes, but those who do won’t be won over with open-source code. “You can't reason with these people, because everything becomes part of the conspiracy. I think the key is to continue the messaging and to be very clear and explicit about what information is included in that app so that there's broader public awareness,” she says.

“It's that mushy middle who are unclear that I think we can still pull back.”

Ontario Hubs are made possible by the Barry and Laurie Green Family Charitable Trust & Goldie Feldman.
