Montreal

Could Quebec's vaccine passports expose your personal info?

With Quebec set to implement a vaccine passport system in some non-essential services September 1, cyber security experts say the QR codes the province is using and the app that's been developed to scan them pose privacy concerns.

Experts say risk is low but QR codes can be easily read by third-party apps

Starting on Sept. 1, Quebecers will have to show proof of vaccination to access some non-essential services like bars, restaurants, gyms and music festivals. Cyber security experts say because the codes are not encrypted, the personal info in the codes is fairly easy to access. (Submitted by the Government of Quebec)

Patrick Mathieu says creating an app that can read the contents of Quebec's digital vaccine passports isn't that hard to do.

The co-founder of Hackfest, an annual hacker event in Quebec City, says two of its members built an app that could access a person's name, date of birth and vaccination status by scanning the QR code provided to Quebecers by the Health Ministry.

"Two [people] that are not experts in this at all … built an application where you scan [the QR code]," said Mathieu. They built the app in about 20 hours.

Starting Sept. 1, Quebecers will have to show proof of vaccination to access certain non-essential activities. Businesses will have access to a free app from the government that simply tells the user whether or not a customer is adequately vaccinated.

But Mathieu says a less scrupulous business owner or employee could build or purchase a third-party app that instead saves their data, which also includes where a customer received their vaccinations and if they have contracted COVID-19. 

No location data is accessible from the QR code.

Patrick Mathieu is the co-founder of Hackfest, an annual event in Quebec City and a community of hackers in the province. The group pokes around online looking for possible security issues and alerts organizations so they can fix them. (Radio-Canada)

"Obviously the risk is low," said Mathieu. "But it exists because the government chose technology that is not secure for privacy."

Mathieu says it's not just the QR code that could be exploited — Hackfest also found a bug in the app when it was being developed that led to over 300,000 QR codes being exposed online. He says they notified the developer, Akinox, and the issue was resolved in 24 hours. But he doesn't have a lot of confidence in the company.

"Their development environment is exposed on the web. We can see their source code, they have bugs," he said.

Developer, Health Ministry insist system is safe

In a written statement to CBC News, Akinox CEO Alexander Dahl says the company has been working closely with government experts in cyber security, privacy and protection of personal information throughout the development process.

He says the vaccine passport and everything in the app was thoroughly audited and approved.

Much like people are responsible for protecting the information on their medicare cards and driver's licenses, Quebec's Health Ministry says it's important to not publicly post your QR code, and only share it with businesses that require proof of vaccination.

Risk of 'malicious intent'

Mathieu says someone with "malicious intent" who owns several restaurants and bars could track the movement of a specific client as their QR code is scanned by third-party apps at their establishments.

But he says a more likely scenario is an individual employee looking someone up online.

"You go to a restaurant, the person at the door who scans your QR code thinks you're super cute, gets your name …stalks you on Facebook, gets into your DMs and harasses you," he said. 

He says it's frustrating the government went with a system that has the potential to be exploited, when Quebecers already have physical proof of vaccination.

"They put...20 plus million dollars into something that is not privacy enabled, [has] tons of security issues and in the end you can still go with a piece of paper."

with files from Sarah Leavitt