Cybersecurity experts say Quebec's vaccine passport is safe, and a model for the country
App follows international standard that avoids sending data to external server
Steven Lachance, a Montreal-based digital security analyst and entrepreneur, says he was worried when the Quebec government announced it would impose a vaccine passport system across the province to reduce COVID-19 transmission.
But after he took a look at the smartphone applications that became available for download Wednesday, he said Quebec's system should be the model for other provinces. Lachance and another tech expert interviewed by The Canadian Press say the applications do what they claim to do and are not capable of secretly gathering user data.
"I was very skeptical when I first heard of the government's intentions around this kind of technology — it could have gone wrong in so many ways," Lachance said.
Instead, he was pleasantly surprised to see the government adopt an international standard that he described as "unquestionably much better than anything (the government) could have come up with internally."
That standard, known as the SMART Health Card, is also being used for vaccine passports in New York state, Louisiana and California. The technology is based around a quick response (QR) code containing a person's name, date of birth and information about the vaccinations they have received.
Starting Sept. 1, Quebec residents will need to show proof of vaccination to visit businesses the provincial government deems non-essential, such as bars, clubs and restaurants. That proof is in the form of QR codes distributed to vaccinated residents by the Health Ministry.
On Wednesday, Quebec released the applications that will be used to power its vaccine passport system on Apple devices: VaxiCode Verif for businesses, and VaxiCode for patrons. Android versions are expected to be released later in the week.
Quebec residents are encouraged to download VaxiCode and upload their QR code into it.
VaxiCode Verif is a reader application that scans data contained in the QR code, including a cryptographic signature to verify the code's authenticity. That reader could scan a QR code uploaded to the VaxiCode application or to a paper version of the code, or to a photograph or PDF of the code.
"It's very, very easy to generate fake QR codes, but it's impossible to generate fake QR codes with the real signature," Lachance said.
"I can generate a million fake QR codes in a minute.… It's just like grabbing a piece of plastic and cutting out a debit card. Put it in the machine, do you think it's going to work?"
The cryptographic signature in each QR code is validated within the VaxiCode Verif app — without the need to connect to an external server or centralized database. That protects privacy, Lachance said, because no data is sent to the government or app-maker Akinox during the scanning process.
Felix Lapalme, an iOS developer at Montreal tech company Transit, said he downloaded the application and looked at the files inside.
"The app doesn't do anything really suspicious," he said in an interview Wednesday.
He said even if users allow the app to update automatically, there doesn't seem to be any files on the software that would allow the app to begin accessing location data.
Lapalme said his biggest concern is that the cryptographic keys used to validate the QR codes are only located on the application and not online, which is a feature that is part of the SMART standard.
"It might make things more complicated if Quebecers want their QR codes to be validated in other countries (that) don't have the specific Quebec app," he said.
Lapalme said one thing he likes about the VaxiCode application is that it shows users all the information stored in their QR codes, which he believes could assuage privacy concerns.
Lachance said the one weakness with the system is that while VaxiCode Verif doesn't save data, it wouldn't be hard for someone — like an unscrupulous club bouncer or business owner — to make another application that does and use it to scan patrons' QR codes.
But it would be difficult for an app like that to be distributed widely, he said.
However, the possibility that someone could create another reader application and use it to steal people's data concerns Steve Waterhouse, an information security lecturer at Université de Sherbrooke and a former information systems security officer with the Department of National Defence.
"The same thing as a credit card scam at a gas station — you have someone that will swipe the card twice, once for stealing the information, the other time for the right transactions go through," he said in an interview Wednesday. "The same thing can happen with someone just documenting QR codes over and over again."
Waterhouse said he also worries that if a new version of the app is released that does track location data, users might not notice the requests for additional information or changes to the terms of service and download it anyway.
He said he'd prefer the government use a paper-only system that doesn't involve smartphone applications.
This story was produced with the financial assistance of the Facebook-Canadian Press News Fellowship, which is not involved in the editorial process.