Stephen Lachance, a Montreal-based digital security analyst and entrepreneur, says he was concerned when the Quebec government announced that it would impose a vaccine passport system across the province to reduce transmission of COVID-19.
But after he took a look at the smartphone apps that became available for download Wednesday, he said Quebec’s system should be a model for other provinces. Lachance and another tech expert interviewed by the Canadian Press said the apps do what they claim they do and are unable to secretly collect user data.
“I was very skeptical when I first heard about the government’s intentions about this kind of technology — it could have gone wrong in many ways,” Lachance said.
Instead, he was pleasantly surprised to see the government adopt an international standard which he described as “undoubtedly much better than anything it (the government) could come up with internally.”
This standard, known as the SMART Health Card, is also used for vaccine passports in New York State, Louisiana and California. The technology relies on a QR code that contains a person’s name, date of birth and information about the vaccinations they have received.
From September 1, Quebec residents will need to show proof of vaccination to visit businesses deemed nonessential by the provincial government, such as bars, clubs and restaurants. This proof is in the form of QR codes distributed by the Ministry of Health to the vaccinated population.
On Wednesday, Quebec released the apps that will be used to run the vaccine passport system on Apple devices: VaxiCode Verif for companies, and VaxiCode for recipients. Android versions are expected to be released later in the week.
Quebec residents are encouraged to download VaxiCode and upload their QR code into it.
VaxiCode Verif is a reader application that scans the data in a QR code, including the cryptographic signature, to validate the code. The reader can scan a QR code loaded into the VaxiCode app, a paper copy of the code, or an image or PDF of it.
“It is very easy to create fake QR codes, but it is impossible to create fake QR codes with a real signature,” Lachance said.
“I can generate a million fake QR codes in a minute. … It’s like grabbing a piece of plastic and cutting a debit card. Put it in the machine, do you think it will work?”
The cryptographic signature in each QR code is validated within the VaxiCode Verif app, without the need to connect to an external server or central database. This protects privacy because no data is sent to the government or to app maker Akinox during the scanning process, Lachance said.
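The offline check described above, as an added example (not VaxiCode Verif's code and not from the article): a reader decodes a SMART Health Card QR string and accepts it only if its ES256 signature verifies against a public key bundled with the reader. The key, the key id `demo-key` and the claims are constructed, the payload is simplified from the real FHIR-based one, and `issue` is a stand-in for the issuer's signing step.

```python
import base64, hashlib, json, secrets, zlib
# NIST P-256 domain parameters; ES256 is ECDSA over this curve with SHA-256.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def digest(signed): return int.from_bytes(hashlib.sha256(signed.encode()).digest(), "big")

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] ** 2 - 3) * pow(2 * a[1], -1, P) if a == b else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, demonstration only
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def issue(claims, kid, priv):  # constructed stand-in for the issuer's signing step
    z = zlib.compressobj(wbits=-15)  # payload is raw DEFLATE, per the "zip": "DEF" header
    head = b64(json.dumps({"zip": "DEF", "alg": "ES256", "kid": kid}).encode())
    body = b64(z.compress(json.dumps(claims).encode()) + z.flush())
    k = secrets.randbelow(N - 1) + 1
    r = mul(k, G)[0] % N
    s = (digest(f"{head}.{body}") + r * priv) * pow(k, -1, N) % N
    jws = f"{head}.{body}." + b64(r.to_bytes(32, "big") + s.to_bytes(32, "big"))
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)  # two digits per character

def verify(qr, trusted):  # trusted maps key id -> public point bundled with the reader
    head, body, sig = "".join(chr(int(qr[i:i + 2]) + 45) for i in range(5, len(qr), 2)).split(".")
    hdr, raw = json.loads(unb64(head)), unb64(sig)
    pub = trusted.get(hdr.get("kid"))
    r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    if hdr.get("alg") != "ES256" or pub is None or len(raw) != 64 or not (0 < r < N and 0 < s < N):
        return None  # unknown issuer key or malformed signature
    w = pow(s, -1, N)
    pt = add(mul(digest(f"{head}.{body}") * w % N, G), mul(r * w % N, pub))
    ok = pt is not None and pt[0] % N == r  # signature must match the signed bytes
    return json.loads(zlib.decompress(unb64(body), -15)) if ok else None

PRIV = secrets.randbelow(N - 1) + 1      # constructed issuer key, not a real one
TRUSTED = {"demo-key": mul(PRIV, G)}     # hypothetical key id
CLAIMS = {"name": "Sample Person", "birthDate": "1990-01-01", "doses": 2}  # constructed
```

`verify(issue(CLAIMS, "demo-key", PRIV), TRUSTED)` returns the claims, while a card signed with any other key, or one whose payload was altered after signing, returns `None` with no network access involved.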
Félix Lapalme, an iOS developer at Transit Tech in Montreal, said he downloaded the app and looked at the files inside.
“The app doesn’t really do anything suspicious,” he said in an interview on Wednesday.
He said that even if users allow the app to update automatically, there don’t appear to be any files in the software that would allow the app to begin accessing location data.
Lapalme said his biggest concern is that the encryption keys used to validate QR codes are only in the app and not online, a feature that’s part of the SMART standard.
“It may make things more complicated if Quebecers want to validate their QR codes in other countries (that don’t) have Quebec’s specific application,” he said.
Lapalme said one of the things he loves about the VaxiCode app is that it shows users all the information stored in their QR codes, which he believes can allay privacy concerns.
The system’s only weakness, Lachance said, is that while VaxiCode Verif does not save data, it wouldn’t be difficult for someone, such as an unscrupulous club guard or a business owner, to bring in another app that does save data and use it to scan patrons’ QR codes.
But he said it would be difficult for an app like this to be widely distributed.
However, the possibility that someone could create another reader app and use it to steal people’s data worries Steve Waterhouse, an information security lecturer at the University of Sherbrooke and a former information systems security officer at the Department of National Defence.
“Same thing as a gas station credit card scam — you have someone swipe the card twice, once to steal information, and again to make the right transactions,” he said in an interview on Wednesday. “The same thing can happen with someone just documenting QR codes over and over again.”
Waterhouse said he is also concerned that if a new version of the app that tracks location data is released, users might not notice requests for additional information or changes to the terms of service, and might download it anyway.
He said he would prefer the government to use a paper-only system that does not include smartphone apps.
This story was produced with financial assistance from the Facebook-Canadian Press News Fellowship, which is not involved in the editing process.