Australians will soon rely on vaccination passports to get access to venues including pubs and restaurants. But there could be a problem.
From Monday, some Sydneysiders will be forced to prove they are vaccinated if they want to sit outside in a park, but there are concerns that certificates can be easily forged and fake documents can be bought for as little as $270.
It’s becoming apparent that vaccination passports will be crucial to freedoms in Australia as the country seeks to return to normal.
But there are already concerns about their reliability and whether they could later be used to track people’s movements.
In the past few weeks, flaws have emerged in the Federal Government’s digital certificate, which can be downloaded through the Express Plus Medicare mobile app or through the myGov website. It can also be added to Apple Wallet or Google Pay.
The certificate is downloaded as a PDF file and software developer Finn Bailey told the ABC there was a “high-school grade permissions password” to prevent people from changing or copying the certificates.
Forged digital certificates are reportedly being offered for sale on the encrypted message app Telegram for about $US200 ($A271).
Others have pointed out that it’s also possible to trick the federal Express Plus Medicare app into showing that someone has been vaccinated.
The shortcomings of the federal system may also cause problems for the NSW vaccination passport, which will be an added feature of the Service NSW app that is due to be trialled in early October.
The NSW vaccination passport will rely on information provided by the Federal Government on people’s vaccination status.
A Service NSW spokesman told news.com.au that the vaccination certificates were the responsibility of the Federal Government.
“Service NSW is working closely with the Federal Government to provide customers with an alternative way of showing their vaccination certificate through the Service NSW app,” he said.
He said the agency was looking at options to validate the customer’s identity against the Australian Immunisation Register, to ensure the certificate is linked with the correct MyService NSW account.
It’s understood customers will be able to “push” their certificate from the federal Express Plus Medicare app into the Service NSW app.
“Once the vaccination certificate is available in the Service NSW app, it will automatically be integrated into the COVID-Safe Check-In,” the spokesman said.
Software engineer Richard Nelson told the ABC vaccination certificates would remain easy to fake until a digital signature was added, similar to what is being used for the European Union’s vaccine passports.
This technology brings up a QR code on the person’s phone, which is scanned and verified by a service called the EU Gateway.
The Gateway checks only that the signature is correct and doesn’t store any information about a person’s vaccination status. The only party that has access to the vaccination status is the country that issued the certificate.
NSW’s app is expected to feature a QR code to help reduce the risk of fraud and the check-in screen will also feature a NSW Waratah logo hologram.
Asked whether the Federal Government was considering new digital signature technology, why it had not yet fixed problems with its app and if it was considering improvements to security, a spokesman for Employment Minister Stuart Robert said: “Since mandating the recording of Covid vaccinations on the Australian Immunisation Register, the Federal Government has iteratively updated proof of vaccination certificates – including bolstering security measures – and the Government will continue to iteratively update the proof of vaccination certificates”.
The introduction of vaccine passports have also raised concerns about privacy.
The Australia Institute’s Centre for Responsible Technology has noted the use of QR codes to check in to venues could open the door to widespread surveillance of citizens.
Centre director Peter Lewis said there had been some unintended long-term consequences from deploying technology during a time of crisis.
“After 9/11, government radically shifted notions of online privacy to address the terror threat, directly building the model of routine surveillance of our online behaviour for commercial ends,” Mr Lewis said.
“While we support vaccine verification, Australia needs to be vigilant that the technology does not summon a new era in spatial surveillance that could be adapted by government and business in ways contrary to public interest.
“Looking at vaccine verification as a single use technology, rather than a data generating exercise, would be an important guard rail against these risks.
“There is a place for vaccination passports but to get it right, safety and security risks must be addressed at the outset.
“The current verification process through the Federal Government’s myGov app falls short on several of the key criteria outlined by the Centre for Responsible Technology.”
The centre has developed 12 principles that it believes should be followed while developing vaccine passport technology.
They include that the design respects the privacy of Australians, data is only used for verifying someone’s vaccination status, that it only captures the minimal amount of data, is safe from fraudulent and harmful access, and that data expires once its intended use is fulfilled.
Read related topics:Vaccine