That person doesn't make the impression that they're honest and humble enough to handle people's personal information.
> Alberta currently does not have an official proof-of-vaccination app, and the province's PDF vaccine record has been criticized for being easy to edit.
This confused me. Don't they have a QR code that gets read and verified and must match the person's name?
Alberta yet again drops the ball. Maybe you are thinking about BC who rolled out a signed QR code that could be saved on the phone/printed + an app from the government that does verification.
To be honest, I think this form of passport isn't worth supporting, so I wouldn't condemn Alberta here too much (not from the US).
>"There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are."
These are not very reassuring statements from the CEO of a company that is handling sensitive data!
From what I understand the data is signed. So someone has the key? Who controls the keys? We have an EU wide passport so are governments sharing the keys? There is an app for validating the codes in some countries so is that happening by hitting an API or are the keys in the apps?
What I’m getting at here is how are they validating keys without leaking the keys used to sign?
It's up to each verifier (e.g. phone app developers) to decide which issuers to trust but there's a list: https://www.commontrustnetwork.org/verifier-list.
> What I’m getting at here is how are they validating keys without leaking the keys used to sign?
Public and private keys. Pharmacies and doctors have control over private keys/keys signed by the "root" keys. The checking app has the public keys and can check if the signature of the data is valid (matches the data and the private keys).
This is what we all feared, and hoped wouldn't happen. But here it is.
Because it's just fueling misinformation and mistrust of what will eventually be the official apps. C'mon CBC. People stupidly using random third party apps and you're making it out like it's the official government 'should be trustworthy' one when it isn't and is just a random app data leak story.
And honestly, I think I would trust the government-developed app far less than a private one. Have you SEEN any government website before?
Not sure how this is an "important detail," as it doesn't even make any difference: governments have a god-awful track record of securing data[1][2]. Any sane infosec professional realizes vaccine passports (or any other "passport" app) are a terrible idea. Heck, Apple has zero-day exploits like every other week.
[1] https://www.infosecurity-magazine.com/news/us-leaks-pii-two-...
[2] https://federalnewsnetwork.com/defense-news/2020/02/disa-exp...
eHealth, as cumbersome and obtuse as it is, is unquestionably secure. It's not perfect, but it's good enough. We have the IPC (https://www.ipc.on.ca/) and several other checks and balances that must be satisfied before a system can hold health data. Not to mention the federal requirements such as PHIPA.
These safety requirements are completely out the door when some guy runs a vaccine app. This leak wasn't a mishandled CVE or a zero-day - it was just lazy and sloppy design.
Personally, I'm neutral on the technological aspect of 'passports'. I would prefer a hard-copy if possible to keep tech out of the question entirely, but there are absolutely ways to do it well, or at least good enough. This isn't it - this was an opportunist seizing the disorganization of the Alberta government from what I gather.
https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
Official government software is systematically high quality after all [0].
I'm hoping that more countries will follow the Danish example, where the vaccine passport was dropped on September 10, 2021.
This amount of control doesn't make any sense in countries with a high percentage of vaccination such as Canada.
Another country about to make this mistake is Scotland.
This is like saying "We should stop all the DUI checkpoints like this other country did," when that country doesn't have a DUI problem but 30% of drivers in our country are drunk.
Whatever fears we have about privacy always turn out to be grossly optimistic underestimates. The next step is, of course, that these emergency measures will remain in place forever.
It's a bit annoying when you start college when you are 38 years old and you no longer have any of your pediatric medical records, which happened to a friend of mine. For my friend the school accepted an antibody test, which a friend of mine had to get.
That's fine because you only have to present the ID once. I'm okay with having to present my ID every time I enter the country, but not every time I eat out.
(And which visas are you applying for, by the way? I've crossed borders hundreds of times and have never once been asked for proof of vaccination?)
If you think existing vaccine mandates are remotely comparable to what's being newly rolled out, you're insane.
I am Canadian, and live and went to school including University for my entire life in Alberta. No, I did not ever need to show proof of immunizations. And even in places where public schools did request that proof you could simply opt out with any religious exemption. These exemptions were never "verified" and there were never consequences such as multiple weekly tests like we have now.
Stop spreading this completely false lie. We have never had a system of vaccine passports.
What's different here is that prior vaccine mandates were never weaponized into a mainstream culture war, so before this they weren't controversial to most and we rarely thought of them.
Given that culture war hesitancy over this vaccine was expected early on, I think it was predictable that employers and venues would need to require it in order for it to reach enough of the population to be effective.
The barcode probably returns a userid or something else that's guessable or iterable.
His point also could have been that the app exists literally to share your sensitive personal information with other parties...
On a broader scale, it makes sense that people who build vaccine passport apps and people who are passionate about personal privacy are non-overlapping sets of people.
Edit:
Looks like the BC one is not open source, can't find it on GitHub: https://github.com/bcgov
I can't find the Quebec gov GitHub account, so no idea on that. Probably closed as well.
There is no "user" passport app - the BC Health Gateway website generates a standard (https://smarthealth.cards/) QR code that you can save on phone, or print.
The QR codes are signed, but not encrypted - you can dump the contents to verify the payload contains only what's described. Because it's just signature validation of the payload, they can be verified offline.
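The mechanism described in the replies above (issuers sign with a private key, verifier apps hold only public keys, and the payload is signed but not encrypted so it can be dumped and checked offline), as an added example that is not part of the thread or any app's code. It follows the SMART Health Cards QR encoding and assumes Node.js; the keys, the `demo-key` key id and the simplified claims object are constructed for illustration.

```javascript
// Added illustration; not code from Portpass, BC Health Gateway or any verifier app.
const nodeCrypto = require('crypto');
const zlib = require('zlib');

const b64u = (data) => Buffer.from(data).toString('base64url');
// SMART Health Card QR text: "shc:/" then two digits per JWS character (char code - 45).
const toNumeric = (jws) =>
  'shc:/' + [...jws].map((c) => String(c.charCodeAt(0) - 45).padStart(2, '0')).join('');
const fromNumeric = (qr) =>
  qr.replace(/^shc:\//, '').match(/\d\d/g).map((p) => String.fromCharCode(Number(p) + 45)).join('');
// Body is raw-DEFLATE-compressed JSON, base64url encoded: compressed, not encrypted.
const packBody = (claims) => b64u(zlib.deflateRawSync(JSON.stringify(claims)));

// Issuer side: the only place the private key is ever used.
function issue(claims, privateKey) {
  const header = b64u(JSON.stringify({ alg: 'ES256', zip: 'DEF', kid: 'demo-key' }));
  const signingInput = `${header}.${packBody(claims)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return toNumeric(`${signingInput}.${b64u(sig)}`);
}

// Verifier side: works offline with nothing but the issuer's public key.
function readCard(qrText, trustedPublicKey) {
  const [header, body, sig] = fromNumeric(qrText).split('.');
  const claims = JSON.parse(zlib.inflateRawSync(Buffer.from(body, 'base64url')).toString());
  const valid = nodeCrypto.verify('sha256', Buffer.from(`${header}.${body}`),
    { key: trustedPublicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  return { claims, valid };
}

// Constructed demo: throwaway keys and a simplified claims object (real cards carry FHIR data).
function demo() {
  const issuer = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const stranger = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const qr = issue({ name: 'Constructed Person', doses: 2 }, issuer.privateKey);
  // Swap the body while keeping the original signature, as an edited record would.
  const [header, , sig] = fromNumeric(qr).split('.');
  const edited = toNumeric(`${header}.${packBody({ name: 'Someone Else', doses: 2 })}.${sig}`);
  return {
    genuine: readCard(qr, issuer.publicKey),         // readable, signature valid
    edited: readCard(edited, issuer.publicKey),      // readable, signature invalid
    unknownIssuer: readCard(qr, stranger.publicKey), // readable, signature invalid
  };
}
```

In all three cases the claims are readable by anyone holding the QR text; only the `valid` flag depends on which public keys the verifier has chosen to trust.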
"Someone that's out there is trying to destroy us here, and we're trying to build something good for people," he said. ... "There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are."
We're trying to do something good, so when someone discovers we've done something bad, they're automatically trying to destroy us. Uh huh....
If the second party has no awareness of the third party or of a relationship between the first and third parties, how can the third party access the second party's verification without the ability to access the information of any first party?
> Hussein had denied that the app validated Yeung's false information, despite it appearing to do so, because he said the fake picture would be a giveaway.
> "That's not true. We saw it on the back end and we were watching it.… So even if that user showed up, he wouldn't be able to utilize that picture because that's not him. So you wouldn't be able to get in. Secondly, that QR code, if someone scanned it, it would show that picture again," he said at the time.
So there's basically no point in using this middleman then? You can just show them your ID...
This app is just an overly complicated and dangerous middle man.
You might as well take a photo of your IDs + vaccine PDF with your phone's camera and use the photo gallery...
While I was there, I availed myself of rapid antigen testing and my proof of vaccination with the canton of Zurich to attend several jazz shows and concerts (!) unmasked and with no covid restrictions.
I used QR codes throughout.
QR codes printed on paper, QR codes on a website that I pulled up in my phone's browser, and once I even used a picture of a QR code in my photoreel that I pinch-zoomed into and properly scanned.[2]
It appears that there is no use for, nor appetite for, covid vaccine passport apps.
This makes me very happy because I have envisioned, through the entire pandemic, some perfect storm of pairing a smartphone to yourself, as an individual, and tying identification to it and being forced to register the phone and the app and yourself and the SIM card ... and what a mess that would end up being.
Instead, it appears we are all just going to produce QR codes in whatever way works best for us and if the scanner beeps and turns green, nobody cares what else is going on.
[1] https://twitter.com/rsyncnet/status/1435981763864584201
[2] ... and just to be clear, the photograph showed an entire printout with my name, etc., on it - so it still was a proof of identity. Once that was cleared up, she zoomed in on the QR code and scanned. Easy.
Portpass app may have exposed hundreds of thousands of users' personal data
Don’t digitalize anything that you don’t want to share with the entire planet.
Why? So that vaccination status won’t be private health data anymore, it will slowly work its way towards being public information.
With the data public, non-compliers can be harassed, threatened or worse without governments having to lift a finger to oppress them.
The quotes from the CEO suggest the development team has not carried out the basics of well-known security practices. The CEO denied the issue but the app has been offline. Playing catch-up is too late. Security is something where you stay ahead of the game continuously.
Authoritarians were insanely opportunistic in using this Chinese virus to ruin people's lives.