I dont think it's necessary true (and certainly not helpful) to say the parent is being "edgy" - though I have noticed that's the new internet insult used to casually dismiss different ideas.
His point also could have been that the app exists literally to share your sensitive personal information with other parties...
This particular breach was, I admit, probably not a design purpose. Apparently they unintentionally exposed completely different personal data than they originally intended to.
On a broader scale, it makes sense that people who build vaccine passport apps and people who are passionate about personal privacy are non-overlapping sets of people.
> Hussein said Tuesday morning that the breach only lasted for minutes, and repeated that claim when CBC pointed out it had reviewed the personal information for more than an hour — and it's unknown how long the information was exposed before that tip was received.
That person doesn't make the impression that they're honest and humble enough to handle people's personal information.
> Alberta currently does not have an official proof-of-vaccination app, and the province's PDF vaccine record has been criticized for being easy to edit.
This confused me. Don't they have a QR code that gets read and verified and must match the person's name?
No, but they are planning one. The current proof of vaccination is a simple PDF with no verification features or signature. Anyone with a PDF editor can take an existing PDF and put their name on it. Alberta was not planning on having a vaccine passport system until about two weeks ago, when the number of cases and hospitalizations got so high the government could no longer ignore it. Because of the late start, it's going to take a while until the QR code system is ready.
alberta yet again drops the ball. Maybe you are thinking about BC who rolled out a signed QR code that could be saved on the phone/printed + an app from the government that does verification.
Out of the four big provinces, two (BC and Quebec) have released their vaccine passport app and QR code system and the other two (Alberta and Ontario) are still in the process of rolling one out.
I'm not sure how Quebec's system works, but BC's vaccine cards are based on the SMART Health Card [0] standard. The validation app they've put out is open source [1].
I haven't looked at the validation app's code, but I assume the main reason the have their own app instead of pointing businesses to one of the existing SMART Health Card validators is so they can bundle the public keys used for verifying the QR data wasn't tampered with allowing the app to work offline. The SMART Health Card system does provide a way to download the public keys (I've checked and BC does publish them as expected), but it's probably easier to guarantee offline functionality here.
Not with the bozos in charge of Alberta and Ontario.
I _believe_ that Québec _offered_ Ontario parts of its app (the backend medical systems part would require something different) and our chuckleheads said “nah; we can build this in less than 90 days” (it took Québec ~4 months).
Manitoba has had a system in place for several weeks. It's simple: the QR code is just a URL that exposes a yes/no and the person's name to be matched against photo ID.
The person scanning has to download the (free) official app to avoid someone setting up a copycat site, but that's trivial.
From what I understand the data is signed. So someone has the key? Who controls the keys? We have an EU wide passport so are governments sharing the keys? There is an app for validating the codes in some countries so is that happening by hitting an API or are the keys in the apps?
What I’m getting at here is how are they validating keys without leaking the keys used to sign?
just a pretty standard certificate hierarchy, in germany the pharmacies can sign your information (when given your paper vaccination pass) and give you a QR Code, or you get it right when you get vaccinated. Obviously those are then the weak points and afaik there are ~25 root(/revocable?) keys for germany alone. Contained in the QR code are your name, DOB and which vaccinations you already got. So the QR code is only valid together with your Photo ID.
> What I’m getting at here is how are they validating keys without leaking the keys used to sign?
Public and private keys. Pharmacies and doctors have control over private keys/keys signed by the "root" keys. The checking app has the public keys and can check if the signature of the data is valid (matches the data and the private keys).
This isn’t secure re: your last point. If every country in Europe has numerous private keys it’s inevitable they’re leaked and used to sign fake vaccine passes.
They have numerous private keys precisely because of leakage risk. In that case only one (or two) of them will get leaked (and then hopefully revoked), leaving the others intact.
In the USA, some states (including California) and private health care providers are using something called Smart Health Card [0] which is a signed JWT using public/private keys.
BC are QC are.. but they're terrible PII privacy leaks (unprotected legal name/DOB/vaccination record). It violates the health canada privacy act[0]:
> "The Act protects an individual's privacy by setting out provisions related to the collection, retention, accuracy, disposal, use and disclosure of personal information."
and the privacy act [1]
> "(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
> (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,"
>"Someone that's out there is trying to destroy us here, and we're trying to build something good for people," he said.
>"There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are."
This is not very reassuring statements from the CEO of a company that is handling sensitive data!
Jeez… that’s about as much of a “fuck off it’s not our problem” response the CEO could have given… I bet it would be different if their data was open to the public.
I'm wondering how they were even allowed to store this data. Doesn't storing personal medical info of any kind require a bunch of official certifications?
The first party asserts information a to third party which only the second party can verify.
If the second party has no awareness of the third party or of a relationship between the first and third parties, how can the third party access the second party's verification without the ability to access the information of any first party?
Indeed, this quote shows the app is basically useless:
> > Hussein had denied that the app validated Yeung's false information, despite it appearing to do so, because he said the fake picture would be a giveaway.
> "That's not true. We saw it on the back end and we were watching it.… So even if that user showed up, he wouldn't be able to utilize that picture because that's not him. So you wouldn't be able to get in. Secondly, that QR code, if someone scanned it, it would show that picture again," he said at the time. So there's basically no point in using this middleman then? You can just show them your ID...
This app is just an overly complicated and dangerous middle man.
You might as well take a photo of your IDs + vaccine PDF with your phones camera and use the photo gallery...
I'm old enough to remember back when those of us who said vaccine passports were coming were conspiracy theorists, now we're calmly talking about implementation details.
There have been conspiracies put forth about covid, but with various other vaccine mandates already in existence I don't know how it would ever have made sense to call it a conspiracy that we'd add one more. Nothing's changed, qualitatively.
What's different here is that prior vaccine mandates were never weaponized into a mainstream culture war, so before this they weren't controversial to most and we rarely thought of them.
Given that culture war hesitancy over this vaccine was expected early on, I think it was predictable that employers and venues would need to require it in order for it to reach enough of the population to be effective.
Im old enough to remember that people thinking NSA/CIA is watching everyone's internet activity were universally considered deranged schizophrenics.
Whatever fears we have about privacy always turn out to be grossly optimistic underestimates. The next step is, of course, that these emergency measures will remain in place forever.
This isn't a new concept - You've been required to show proof of immunizations to register for public school (including college) and get a visa (or immigrate) for decades.
It's a bit annoying when you start college when you are 38 years old and you no longer have any of your pediatric medical records, which happened to a friend of mine. For my friend the school accepted an antibody test, which a friend of mine had to get.
The united states has required immigration visa applicants to show proof of immunization for years.
>Under the immigration laws of the United States, a foreign national who applies for an immigrant visa abroad, or who seeks to adjust status to a permanent resident while in the United States, is required to receive vaccinations to prevent the following diseases:
Mumps
Measles
Rubella
Polio
Tetanus and Diphtheria Toxoids
Pertussis
Haemophilus influenzae type B
Hepatitis B
Any other vaccine-preventable diseases recommended by the Advisory Committee for Immunization Practices
Not to mention the current administration has been very clear that they will enforce vaccination requirements on everybody they can EXCEPT those violating our immigration laws.
Where are you from? I've taken college classes at several different institutions after starting my career and never had to provide any medical information at all.
>Requirements apply to all full-time undergraduate and graduate students under 30 years of age and all full- and part-time health science students. Meningococcal requirements apply to the group specified in the table below.
>NYS Public Health Law Section 2165 and NYCRR Title 10, Subpart 66-2 require students attending post-secondary institutions, who were born on or after January 1, 1957 and registered for 6 or more credit hours, to demonstrate proof of immunity against measles, mumps, and rubella
> This isn't a new concept - You've been required to show proof of immunizations to register for public school (including college) and get a visa (or immigrate) for decades.
that's fine because you only have to present the id once. I'm okay with having to present my id every time I enter the country, but not every time I eat out.
1. "being 21" isn't a medical intervention. getting a vaccine is. I'd be equally pissed if they required me to show a statin[1] passport every time I want to buy fried chicken.
2. getting carded usually involves the server taking a quick glance at my ID. I can reasonably sure that my dining habits aren't being fed into a giant database somewhere. The same can't be said of a smartphone QR reader. If the bar was scanning my ID to check my age, I'd nope out as well.
How many times in your life have you needed to register for school? How often do you need to apply for a visa? How often do you do these things compared to how frequently you enter a public building like a restaurant or supermarket?
(And which visas are you applying for, by the way? I've crossed borders hundreds of times and have never once been asked for proof of vaccination?)
If you think existing vaccine mandates are remotely comparable to what's being newly rolled out, you're insane.
You constantly repeat this lie, but that doesn't change it from being a lie.
I am Canadian, and live and went to school including University for my entire life in Alberta. No I did not ever need to show proof of immunizations. And even in places where public schools did request that proof you could simply opt out with any religious exemption. These exemptions were never "verified" and there was never consequences such as multiple weekly tests like we have now.
Stop spreading this completely false lie. We have never had a system of vaccine passports.
An important detail - this was a third party app, NOT an official government one. So, people were essentially uploading their PII to some guy's server and hoping for the best.
This is what we all feared, and hoped wouldn't happen. But here it is.
Not sure how this is an "important detail," as it doesn't even make any difference: governments have a god-awful track record of securing data[1][2]. Any sane infosec professional realizes vaccine passports (or any other "passport" app) is a terrible idea. Heck, Apple has zero-day exploits like every other week.
Europe already has a simple, secure digital vaccine passport. You get a QR code that contains your name, date of birth, and the doses you've received. It's digitally signed by your national government, so that it can't be faked. Nobody needs to hold a centralized database of vaccinated people.
Because it's just a QR code, you can store it however you'd like. If you want, you can print it out and carry it around in your pocket. It's easy to check: you just need to read the information and check that it's digitally signed by a trusted authority (both of these can be done by an app), and check the the person listed in the QR code is the person in front of you (e.g., by asking for an ID).
Utilizing zero-knowledge proofs and cryptography so things can be proven without sharing of the underlying data needed for traditional validation.
There has been a lot of progress both in fundamentals and implementations on this front over recent years but even decades old schemes using attestations would have been a huge improvement over “dump and read data through trusted server”.
Here’s a trivial one that anyone could implement without using anything new from the past decade: Whoever stands as “trusted party” could have signing certificates distributed to the verifier-side of the app. They sign hashes of the relevant info. All data sharing needed is once per issuance of “vaccination certificate”. No persistence of PII necessary. If you don’t want to have to disclose PII as part of validation, that’s where the fancier schemes come in.
If you can’t or won’t spend resources to do it properly then yes, physical card is preferred.
It’s still not great from a privacy perspective. Date of birth, names, and granular details on vaccinations are cleartext, among other things.
It’s not that terrible compared to what’s out there and falls in the “trivial” category (which is not necessarily a negative; less complexity is good) but it’s far from ideal and it’d have to improve before pushing it globally.
The whole point of a vaccine passport is to expose information about your vaccination status to third parties.
I don't see this as any different than carrying around any other ID in my wallet. My driver's license also has my name and date of birth (plus information about my eyesight and home address).
The nice thing about the vaccination passport is that it is like a card in your wallet. There's no centralized server that's being queried. It's offline and distributed.
I can confirm. See my comment upthread about recent trip to Switzerland.
I did all of these things (printed, screenshot, pulled up a webpage) and also had a successful scan of a picture of a QR code that I had in my photoreel (which showed the entire printout, of course, with my name, etc. on it).
The amount of tyranny people are willing to accept as a response to this is still baffling to me, it is like this is the first time humanity has ever encountered a communicable illness...
This is not the proper way to respond to said illness and does not bode well for the future of individual liberty
I'm coming at this from the perspective of Ontario, Canada.
eHealth, as cumbersome and obtuse as it is, is unquestionably secure. It's not perfect, but it's good enough. We have the IPC (https://www.ipc.on.ca/) and several other checks and balances that must be satisfied before a system can hold health data. Not to mention the federal requirements such as PHIPA.
These safety requirements are completely out the door when some guy runs a vaccine app. This leak wasn't a mishandled CVE or a zero-day - it was just lazy and sloppy design.
Personally, I'm neutral on the technological aspect of 'passports'. I would prefer a hard-copy if possible to keep tech out of the question entirely, but there are absolutely ways to do it well, or at least good enough. This isn't it - this was an opportunist seizing the disorganization of the Alberta government from what I gather.
Slight nitpicks, PHIPA is provincial legislation for health information privacy, and you're likely thinking of FIPPA and MFIPPA as federal.
A passport is going to be a debacle, and there will be leaks like this one and likely worse. If you happened to look at the clerks screen on their tablet when you got your last shot, the vaccination rollout was done using a salesforce app, and it's very likely it didn't go through the same checks and balances (like a privacy impact assessment) as internal govt apps.
IMO, it's got a huge legal problem where it doesn't collect consent in any meaningful way (an anonymous clerk ticks boxes on a screen you can't see, with no way of verifying they have obtained your consent). At least when you sign a physical consent form, you can write-in that you are getting the shot under duress from your employer, but the rollout doesn't track that, and that's by design.
The same can be said for public sector employers collecting vaccine certificate information as a condition of employment (have fun with the unions on that one), as they are also subject to PHIPA, and most of them do not have the facilities for PHIPA compliance in the handling of employee health information (PHI). There are so many technical issues with passports that it's going to be a complete discredit to government, but my impression is they don't actually care. This is a putsch to elevate a class of apparatchiks who do not assert their freedoms or rights, and where they are headed, they don't need legitimacy or credibility.
There is a generation of people in government and other institutions now who are basically terrible people whose plan is to squeeze the toothpaste out of the tube in terms of data, "temporary measures," and passing laws that won't withstand court challenges, and they imagine themselves as being muscular about policy. I'd predict it ends very badly for them, and if not for them, then definitely for the rest of us.
One wonders why they think it will work this time.
Indeed, being a HIC has a lot of liability. Unfortunately, I think the regulatory institutions and the media are compromised, and I do not forsee any principled resistance based on PHIPA getting traction.
The only way to get traction will be to find a way for it to be used to scapegoat conservative party politicians, otherwise, it's not going to go anywhere. Basically, unless you can pin it all on Doug Ford, the press is going to ignore it.
> and it's very likely it didn't go through the same checks and balances (like a privacy impact assessment) as internal govt apps.
> There is a generation of people in government and other institutions now who are basically terrible people whose plan is to squeeze the toothpaste out of the tube in terms of data, "temporary measures," and passing laws that won't withstand court challenges, and they imagine themselves as being muscular about policy.
"Why are you opposing these temporary emergency measures? Are you a conspiracy theorist with something to hide? Flag this one in the system Gladys..."
Yeah, hugely important detail - this post should change title to what the article actually has as it's title: Portpass app may have exposed hundreds of thousands of users' personal data
Because it's just fueling misinformation and mistrust of what will eventually be the official apps. C'mon CBC. People stupidly using random third party apps and you're making it out like it's the official government 'should be trustworthy' one when it isn't and is just a random app data leak story.
Trust me, there is no additional help needed to make large swaths of the population distrustful of the government implementing a digital "papers, please" system in order to participate in human society.
And honestly, I think I would trust the government-developed app far less than a private one. Have you SEEN any government website before?
There's an argument to be made, not that I'm making it, that you need to have vaccine passports in order to get from 80-something % vaccinated to some higher key immunity threshold, since otherwise it's hard to convince the final group of unvaccinated stragglers to get vaccinated.
What kind of vaccine mandate are you talking about? In my province, there are only a few non-essential activities that require vaccination. I wouldn't call this "banning from basic society", at least not in our case. But your experience might be different.
In America, President Joe Biden is attempting to use OSHA to enforce vaccines upon all businesses in the nation, so that those who either cannot or refuse to take the vaccine will be fired.
This is highly unconstitutional on many levels, and will likely be dismissed by the Supreme Court, but the fact that it's even being considered by the administration as an option is disturbing.
Other nations such as France and Australia are locking people in their homes and preventing them from traveling or performing basic essentials activities like grocery shopping without proof of vaccination.
I don't think that's accurate at all. According to [0]:
> Federal employees, federal contractors and health-care workers at facilities that receive federal funding must show proof of vaccination, with no testing option.
> 80 million U.S. workers will have a choice between providing proof of vaccination or submitting to weekly Covid testing.
Your examples of France and Australia are also not accurate. According to [1]
> There may be circumstances in the future in which proof of vaccination will be required, such as border or re-entry requirements, or continued employment in particular areas. One example of this is the mandatory vaccination requirements for all residential aged care workers which will come into effect on 17 September 2021 in line with relevant state and territory directions.
For France there is no mandate like you described [2]. No one is keeping anyone from doing essential things like grocery shopping, I don't know where you got that from but I suggest you do some research.
I suggest you do some research as well. Joe Biden literally announced recently his plans to use OSHA to enforce vaccine mandates on any private business in America with over 100 employees. Now, chances are it won't hold up in court at all, but it's still there, it's still being attempted: https://apnews.com/article/joe-biden-business-health-coronav...
In Australia elderly and children are being tackled and pepper-sprayed by police for not wearing masks. They're returning to their prison colony past. Don't even try to pretend what they're doing is a remotely acceptable way to treat human beings.
The vaccine passport you describe in your attempt to "debunk" me still sounds harshly authoritarian, do you think you're quelling anyone's fears by describing how proof of vaccination will be required to participate in basic society?
Sure would be great if we could get to Denmark's vaccination numbers.
This is like saying "We should stop all the DUI checkpoints like this other country did," when that country doesn't have a DUI problem but 30% of drivers in our country are drunk.
You're talking about the UK, right? From what I understand they're still going to ID you one way or another (e.g. they'll just look you up in their database, just like police in the US will do if you don't have your license on your person).
Sorta works that way in Canada too. At a DUI checkpoint where they pull over everyone without reasonable cause, the stop is supposed to be strictly to check for DUI. They’re not supposed to go poking around for more things unless it’s incidental to the stop (if they see a dead body, they can investigate that, but not supposed to decide to check your immigration/license/insurance status as a part of the stop).
They'll ID you if you did something wrong. If not, for instance if they're randomly pulling over cars to check for drink driving and you're clean, then they don't need to ID you.
- It has broad support from every major medical and public health organization on the planet, who based their decisions on the empirical research demonstrating its safety and effectiveness.
It literally is experimental. We have never deployed an mRNA vaccine on this scale before. This is the first time it has been done. The standard years of testing vaccines traditionally go through has not happened with this one. So it is, undeniably, objectively, experimental.
It is literally gene therapy. While most vaccines present a neutered form of a virus for your immune system to safely respond to and develop antibodies that will be useful in counteracting the version of the virus in the wild, mRNA vaccines quite literally insert themselves into your cells and try to insert that "training" RNA code into your immune system artificially without your body doing it on its own terms. This is what gene therapy is.
The medical boards based their decisions on the empirical research that doesn't exist yet? That's wild, they're time travelers?
Still waiting on info on the vaccine passport app for Ontario, which is supposed to be rolled out on Oct 22. I'm hoping it'll be open source, but no one's mentioned it. Lot of potential for logging where everyone's going with an app like what is being proposed.
There is no "user" passport app - the BC Health Gateway website generates a standard (https://smarthealth.cards/) QR code that you can save on phone, or print.
The QR codes are signed, but not encrypted - you can dump the contents to verify the payload contains only what's described. Because it's just signature validation of the payload, they can be verified offline.
"Earlier in the day, the Calgary-based company's CEO Zakir Hussein had denied the app had verification or security issues and accused those who raised concerns about it of breaking the law." ...
"'Someone that's out there is trying to destroy us here, and we're trying to build something good for people," he said.' ... 'There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are.' "
We're trying to do something good, so when someone discovers we've done something bad, they're automatically trying to destroy us. Uh huh....
Being from Calgary (which some call the 'Canadian Texas') and promoting a vaccine passport you'd think the guy would have pretty thick skin for criticism.
I just returned from Zurich[1] which involved, of course, two pair of International entry/exit.
While I was there, I availed myself of rapid antigen testing and my proof of vaccination with the canton of Zurich to attend several jazz shows and concerts (!) unmasked and with no covid restrictions.
I used QR codes throughout.
QR codes printed on paper, QR codes on a website that I pulled up in my phones browser, and once I even used a picture of a QR code in my photoreel that I pinch-zoomed into and properly scanned.[2]
It appears that there is no use for, nor appetite for, covid vaccine passport apps.
This makes me very happy because I have envisioned, through the entire pandemic, some perfect storm of pairing a smartphone to yourself, as an individual, and tying identification to it and being forced to register the phone and the app and yourself and the SIM card ... and what a mess that would end up being.
Instead, it appears we are all just going to produce QR codes in whatever way works best for us and if the scanner beeps and turns green, nobody cares what else is going on.
[2] ... and just to be clear, the photograph showed an entire printout with my name, etc., on it - so it still was a proof of identitiy. Once that was cleared up, she zoomed in on the QR code and scanned. Easy.
I am from Canada (not Alberta) and am waiting for an in-depth analysis of how this breach works.
The quotes from the CEO makes the development team has not carry out the basis of well-known security practices. The CEO denied the issue but the app has been offline. Playing catch up is too late. Security is something you stay ahead of the game continuously.
127 comments
[ 3.9 ms ] story [ 192 ms ] threadHis point also could have been that the app exists literally to share your sensitive personal information with other parties...
On a broader scale, it makes sense that people who build vaccine passport apps and people who are passionate about personal privacy are non-overlapping sets of people.
The barcode probably returns a userid or something else that's guessable or iterable.
That person doesn't make the impression that they're honest and humble enough to handle people's personal information.
> Alberta currently does not have an official proof-of-vaccination app, and the province's PDF vaccine record has been criticized for being easy to edit.
This confused me. Don't they have a QR code that gets read and verified and must match the person's name?
alberta yet again drops the ball. Maybe you are thinking about BC who rolled out a signed QR code that could be saved on the phone/printed + an app from the government that does verification.
I haven't looked at the validation app's code, but I assume the main reason the have their own app instead of pointing businesses to one of the existing SMART Health Card validators is so they can bundle the public keys used for verifying the QR data wasn't tampered with allowing the app to work offline. The SMART Health Card system does provide a way to download the public keys (I've checked and BC does publish them as expected), but it's probably easier to guarantee offline functionality here.
[0] https://smarthealth.cards/index.html [1] https://github.com/bcgov/BCVAX-iOS, https://github.com/bcgov/BCVAX-Android
An explanation: https://mikkel.ca/blog/digging-into-quebecs-proof-of-vaccina...
Not with the bozos in charge of Alberta and Ontario.
I _believe_ that Québec _offered_ Ontario parts of its app (the backend medical systems part would require something different) and our chuckleheads said “nah; we can build this in less than 90 days” (it took Québec ~4 months).
The person scanning has to download the (free) official app to avoid someone setting up a copycat site, but that's trivial.
To be honest, I think this form of passport isn't worthy to support, so I wouldn't condemn Alberta here too much (not from the US)
From what I understand the data is signed. So someone has the key? Who controls the keys? We have an EU wide passport so are governments sharing the keys? There is an app for validating the codes in some countries so is that happening by hitting an API or are the keys in the apps?
What I’m getting at here is how are they validating keys without leaking the keys used to sign?
> What I’m getting at here is how are they validating keys without leaking the keys used to sign?
Public and private keys. Pharmacies and doctors have control over private keys/keys signed by the "root" keys. The checking app has the public keys and can check if the signature of the data is valid (matches the data and the private keys).
It's up to each verifier (e.g. phone app developers) to decide which issuers to trust but there's a list: https://www.commontrustnetwork.org/verifier-list.
[0] https://smarthealth.cards/
> "The Act protects an individual's privacy by setting out provisions related to the collection, retention, accuracy, disposal, use and disclosure of personal information."
and the privacy act [1]
> "(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
> (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,"
Hopefully they adjust accordingly.
[0]: https://www.canada.ca/en/health-canada/corporate/about-healt...
[1]: https://laws-lois.justice.gc.ca/eng/acts/P-21/FullText.html
>"There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are."
This is not very reassuring statements from the CEO of a company that is handling sensitive data!
If the second party has no awareness of the third party or of a relationship between the first and third parties, how can the third party access the second party's verification without the ability to access the information of any first party?
> > Hussein had denied that the app validated Yeung's false information, despite it appearing to do so, because he said the fake picture would be a giveaway.
> "That's not true. We saw it on the back end and we were watching it.… So even if that user showed up, he wouldn't be able to utilize that picture because that's not him. So you wouldn't be able to get in. Secondly, that QR code, if someone scanned it, it would show that picture again," he said at the time. So there's basically no point in using this middleman then? You can just show them your ID...
This app is just an overly complicated and dangerous middle man.
You might as well take a photo of your IDs + vaccine PDF with your phones camera and use the photo gallery...
What's different here is that prior vaccine mandates were never weaponized into a mainstream culture war, so before this they weren't controversial to most and we rarely thought of them.
Given that culture war hesitancy over this vaccine was expected early on, I think it was predictable that employers and venues would need to require it in order for it to reach enough of the population to be effective.
Whatever fears we have about privacy always turn out to be grossly optimistic underestimates. The next step is, of course, that these emergency measures will remain in place forever.
It's a bit annoying when you start college when you are 38 years old and you no longer have any of your pediatric medical records, which happened to a friend of mine. For my friend the school accepted an antibody test, which a friend of mine had to get.
>Under the immigration laws of the United States, a foreign national who applies for an immigrant visa abroad, or who seeks to adjust status to a permanent resident while in the United States, is required to receive vaccinations to prevent the following diseases:
Mumps Measles Rubella Polio Tetanus and Diphtheria Toxoids Pertussis Haemophilus influenzae type B Hepatitis B Any other vaccine-preventable diseases recommended by the Advisory Committee for Immunization Practices
https://www.uscis.gov/tools/designated-civil-surgeons/vaccin...
Immunization requirements are going to vary based on your local laws, your school's policies, and if your school is public or private.
For example, here's who immunizations requirements apply to for college students in Massachusetts:
https://www.mass.gov/info-details/school-immunizations
>Requirements apply to all full-time undergraduate and graduate students under 30 years of age and all full- and part-time health science students. Meningococcal requirements apply to the group specified in the table below.
And New York
https://www.health.ny.gov/prevention/immunization/laws_regs....
>NYS Public Health Law Section 2165 and NYCRR Title 10, Subpart 66-2 require students attending post-secondary institutions, who were born on or after January 1, 1957 and registered for 6 or more credit hours, to demonstrate proof of immunity against measles, mumps, and rubella
/s
that's fine because you only have to present the id once. I'm okay with having to present my id every time I enter the country, but not every time I eat out.
2. getting carded usually involves the server taking a quick glance at my ID. I can reasonably sure that my dining habits aren't being fed into a giant database somewhere. The same can't be said of a smartphone QR reader. If the bar was scanning my ID to check my age, I'd nope out as well.
[1] https://en.wikipedia.org/wiki/Statin
(And which visas are you applying for, by the way? I've crossed borders hundreds of times and have never once been asked for proof of vaccination?)
If you think existing vaccine mandates are remotely comparable to what's being newly rolled out, you're insane.
I am Canadian, and live and went to school including University for my entire life in Alberta. No I did not ever need to show proof of immunizations. And even in places where public schools did request that proof you could simply opt out with any religious exemption. These exemptions were never "verified" and there was never consequences such as multiple weekly tests like we have now.
Stop spreading this completely false lie. We have never had a system of vaccine passports.
-Immunization requirements apply to ALL schools, both public and private schools
-There's no religious or other non-medical exemption allowed.
Those are facts, not lies.
My friend also had to get an antibody test prior to being allowed to register for classes. That's a fact, I saw the paperwork.
This is what we all feared, and hoped wouldn't happen. But here it is.
Not sure how this is an "important detail," as it doesn't even make any difference: governments have a god-awful track record of securing data[1][2]. Any sane infosec professional realizes vaccine passports (or any other "passport" app) is a terrible idea. Heck, Apple has zero-day exploits like every other week.
[1] https://www.infosecurity-magazine.com/news/us-leaks-pii-two-...
[2] https://federalnewsnetwork.com/defense-news/2020/02/disa-exp...
Yes. A passport is orders of magnitude harder to forge than for some app written by a random government contractor to leak data.
Because it's just a QR code, you can store it however you'd like. If you want, you can print it out and carry it around in your pocket. It's easy to check: you just need to read the information and check that it's digitally signed by a trusted authority (both of these can be done by an app), and check the the person listed in the QR code is the person in front of you (e.g., by asking for an ID).
There has been a lot of progress both in fundamentals and implementations on this front over recent years but even decades old schemes using attestations would have been a huge improvement over “dump and read data through trusted server”.
Here’s a trivial one that anyone could implement without using anything new from the past decade: Whoever stands as “trusted party” could have signing certificates distributed to the verifier-side of the app. They sign hashes of the relevant info. All data sharing needed is once per issuance of “vaccination certificate”. No persistence of PII necessary. If you don’t want to have to disclose PII as part of validation, that’s where the fancier schemes come in.
If you can’t or won’t spend resources to do it properly then yes, physical card is preferred.
It’s not that terrible compared to what’s out there and falls in the “trivial” category (which is not necessarily a negative; less complexity is good) but it’s far from ideal and it’d have to improve before pushing it globally.
As an example, some jurisdictions might declare individuals with single doses protected.
Another real example: the EU is unwilling to accept Covishield vaccinations, despite it being AstraZeneca/Vaxzevria manufactured in India.
I don't see this as any different than carrying around any other ID in my wallet. My driver's license also has my name and date of birth (plus information about my eyesight and home address).
The nice thing about the vaccination passport is that it is like a card in your wallet. There's no centralized server that's being queried. It's offline and distributed.
I did all of these things (printed, screenshot, pulled up a webpage) and also had a successful scan of a picture of a QR code that I had in my photoreel (which showed the entire printout, of course, with my name, etc. on it).
How about that.
The amount of tyranny people are willing to accept as a response to this is still baffling to me, it is like this is the first time humanity has ever encountered a communicable illness...
This is not the proper way to respond to said illness and does not bode well for the future of individual liberty
https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
eHealth, as cumbersome and obtuse as it is, is unquestionably secure. It's not perfect, but it's good enough. We have the IPC (https://www.ipc.on.ca/) and several other checks and balances that must be satisfied before a system can hold health data. Not to mention the federal requirements such as PHIPA.
These safety requirements are completely out the door when some guy runs a vaccine app. This leak wasn't a mishandled CVE or a zero-day - it was just lazy and sloppy design.
Personally, I'm neutral on the technological aspect of 'passports'. I would prefer a hard-copy if possible to keep tech out of the question entirely, but there are absolutely ways to do it well, or at least good enough. This isn't it - this was an opportunist seizing the disorganization of the Alberta government from what I gather.
A passport is going to be a debacle, and there will be leaks like this one and likely worse. If you happened to look at the clerks screen on their tablet when you got your last shot, the vaccination rollout was done using a salesforce app, and it's very likely it didn't go through the same checks and balances (like a privacy impact assessment) as internal govt apps.
IMO, it's got a huge legal problem where it doesn't collect consent in any meaningful way (an anonymous clerk ticks boxes on a screen you can't see, with no way of verifying they have obtained your consent). At least when you sign a physical consent form, you can write-in that you are getting the shot under duress from your employer, but the rollout doesn't track that, and that's by design.
The same can be said for public sector employers collecting vaccine certificate information as a condition of employment (have fun with the unions on that one), as they are also subject to PHIPA, and most of them do not have the facilities for PHIPA compliance in the handling of employee health information (PHI). There are so many technical issues with passports that it's going to be a complete discredit to government, but my impression is they don't actually care. This is a putsch to elevate a class of apparatchiks who do not assert their freedoms or rights, and where they are headed, they don't need legitimacy or credibility.
There is a generation of people in government and other institutions now who are basically terrible people whose plan is to squeeze the toothpaste out of the tube in terms of data, "temporary measures," and passing laws that won't withstand court challenges, and they imagine themselves as being muscular about policy. I'd predict it ends very badly for them, and if not for them, then definitely for the rest of us.
One wonders why they think it will work this time.
Oh, it’s a lot more than the public sector that will be finding themselves to now be health information custodians by collecting this data.
The only way to get traction will be to find a way for it to be used to scapegoat conservative party politicians, otherwise, it's not going to go anywhere. Basically, unless you can pin it all on Doug Ford, the press is going to ignore it.
> There is a generation of people in government and other institutions now who are basically terrible people whose plan is to squeeze the toothpaste out of the tube in terms of data, "temporary measures," and passing laws that won't withstand court challenges, and they imagine themselves as being muscular about policy.
"Why are you opposing these temporary emergency measures? Are you a conspiracy theorist with something to hide? Flag this one in the system Gladys..."
Because it's just fueling misinformation and mistrust of what will eventually be the official apps. C'mon CBC. People stupidly using random third party apps and you're making it out like it's the official government 'should be trustworthy' one when it isn't and is just a random app data leak story.
And honestly, I think I would trust the government-developed app far less than a private one. Have you SEEN any government website before?
I'm hoping that more countries will follow the danish example, where the vaccine passport was dropped on September 10, 2021.
This amount of control doesn't make any sense in countries with high percentage of vaccination such as Canada.
Another country about to make this mistake is Scotland.
Hmmm that is an odd spelling for coerce, force, threaten...
This is highly unconstitutional on many levels, and will likely be dismissed by the Supreme Court, but the fact that it's even being considered by the administration as an option is disturbing.
Other nations such as France and Australia are locking people in their homes and preventing them from traveling or performing basic essentials activities like grocery shopping without proof of vaccination.
> Federal employees, federal contractors and health-care workers at facilities that receive federal funding must show proof of vaccination, with no testing option.
> 80 million U.S. workers will have a choice between providing proof of vaccination or submitting to weekly Covid testing.
Your examples of France and Australia are also not accurate. According to [1]
> There may be circumstances in the future in which proof of vaccination will be required, such as border or re-entry requirements, or continued employment in particular areas. One example of this is the mandatory vaccination requirements for all residential aged care workers which will come into effect on 17 September 2021 in line with relevant state and territory directions.
For France there is no mandate like you described [2]. No one is keeping anyone from doing essential things like grocery shopping, I don't know where you got that from but I suggest you do some research.
[0] https://www.cnbc.com/2021/09/10/what-you-need-to-know-about-... [1] https://www.health.gov.au/initiatives-and-programs/covid-19-... [2] https://www.rfi.fr/en/france/20210930-health-pass-becomes-ma...
In Australia elderly and children are being tackled and pepper-sprayed by police for not wearing masks. They're returning to their prison colony past. Don't even try to pretend what they're doing is a remotely acceptable way to treat human beings.
The vaccine passport you describe in your attempt to "debunk" me still sounds harshly authoritarian, do you think you're quelling anyone's fears by describing how proof of vaccination will be required to participate in basic society?
- Full liability for vaccine manufacturers
- No censorship of dissenting views
- Open discussion with all views represented instead of suppressed
- Honesty on unvaccinated vs vaccinated case, death numbers
- Following the science instead of what’s convenient for politicians at the moment
This is like saying "We should stop all the DUI checkpoints like this other country did," when that country doesn't have a DUI problem but 30% of drivers in our country are drunk.
Denmark: 76.7% / 75.1%
Canada: 77.5% / 71.4%
Scotland: 76.7% / 70.2%
Canada will most likely overtake Denmark as more people have had the first vaccine shot.
- It's not 'experimental'
- It's not 'gene therapy'
- It has broad support from every major medical and public health organization on the planet, who based their decisions on the empirical research demonstrating its safety and effectiveness.
It is literally gene therapy. While most vaccines present a neutered form of a virus for your immune system to safely respond to and develop antibodies that will be useful in counteracting the version of the virus in the wild, mRNA vaccines quite literally insert themselves into your cells and try to insert that "training" RNA code into your immune system artificially without your body doing it on its own terms. This is what gene therapy is.
The medical boards based their decisions on the empirical research that doesn't exist yet? That's wild, they're time travelers?
Official government software is systematically high quality after all [0].
[0] https://en.wikipedia.org/wiki/Phoenix_pay_system
Edit:
Looks like the BC one is not open source, can't find it on GitHub: https://github.com/bcgov
I can't find the Quebec gov GitHub account, so no idea on that. Probably closed as well.
There is no "user" passport app - the BC Health Gateway website generates a standard (https://smarthealth.cards/) QR code that you can save on phone, or print.
The QR codes are signed, but not encrypted - you can dump the contents to verify the payload contains only what's described. Because it's just signature validation of the payload, they can be verified offline.
Portpass app may have exposed hundreds of thousands of users' personal data
Don’t digitalize anything that you don’t want to share with the entire planet.
"'Someone that's out there is trying to destroy us here, and we're trying to build something good for people," he said.' ... 'There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are.' "
We're trying to do something good, so when someone discovers we've done something bad, they're automatically trying to destroy us. Uh huh....
While I was there, I availed myself of rapid antigen testing and my proof of vaccination with the canton of Zurich to attend several jazz shows and concerts (!) unmasked and with no covid restrictions.
I used QR codes throughout.
QR codes printed on paper, QR codes on a website that I pulled up in my phones browser, and once I even used a picture of a QR code in my photoreel that I pinch-zoomed into and properly scanned.[2]
It appears that there is no use for, nor appetite for, covid vaccine passport apps.
This makes me very happy because I have envisioned, through the entire pandemic, some perfect storm of pairing a smartphone to yourself, as an individual, and tying identification to it and being forced to register the phone and the app and yourself and the SIM card ... and what a mess that would end up being.
Instead, it appears we are all just going to produce QR codes in whatever way works best for us and if the scanner beeps and turns green, nobody cares what else is going on.
[1] https://twitter.com/rsyncnet/status/1435981763864584201
[2] ... and just to be clear, the photograph showed an entire printout with my name, etc., on it - so it still was a proof of identitiy. Once that was cleared up, she zoomed in on the QR code and scanned. Easy.
The quotes from the CEO makes the development team has not carry out the basis of well-known security practices. The CEO denied the issue but the app has been offline. Playing catch up is too late. Security is something you stay ahead of the game continuously.
Authoritarians were insanely opportunistic in using this Chinese virus to ruin people's lives.
You visit the Circus, expect a show.
Why? So that vaccination status won’t be private health data anymore, it will slowly work it’s way towards being public information.
With the data public, non-compliers can be harassed, threatened or worse without governments having to lift a finger to oppress them.