The information contained in the QR codes sent as proof of vaccination in Quebec is relatively easy to read because it is not encrypted, which raises security issues.
Since May 13, people vaccinated against COVID-19 have received an email allowing them to download proof of vaccination in the form of a QR code. This contains information such as the person’s name, date of birth and gender, as well as the date, time and place they got their vaccine.
This information is not encrypted but simply encoded, Steve Waterhouse, a former national defense security officer, explained to the QMI Agency. This means that it is “converted without using a complex mathematical algorithm” and, therefore, that no secret key is needed to access the information the QR codes contain.
So if someone shares a photo of their QR code on social media, for example, it is possible to extract the information from it.
For Mr. Waterhouse, this poses a risk to the protection of privacy. “Anyone who scans the QR code will have access to this information,” he said.
“The file is very easy to decode,” added Guillaume Labbé-Morissette, co-host of the cybersecurity podcast La French Connection. “It would be considered a test for beginners in a computer security competition.”
“The confusion must come from a technical detail between encryption and signature,” replied a spokesperson for the Ministry of Health and Social Services, Marjorie Larouche. “[T]he information contained in the QR code is not encrypted, but it has a cryptographic signature to allow validation of its authenticity […] thanks to a ‘key’ from the MSSS.”
This secret key is used to sign the document and prove that it is valid. Without knowing this key, it is impossible to create proof of vaccination yourself or to falsify the document.
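The distinction between encoding and signing described above, as an added example that is not part of the original article or the MSSS system: the record can be read without any key, while a changed record fails verification. The article does not describe the actual format or algorithm, so the token layout, field names and key here are constructed, and HMAC-SHA256 from the Python standard library stands in for the signature (a deployed scheme would normally use a public-key signature so that verifiers never hold the signing key).

```python
import base64, hashlib, hmac, json

# Constructed demo key; stands in for the issuer's signing key (assumption).
ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"

# Constructed sample record with the kinds of fields the article lists.
SAMPLE = {"name": "Jane Example", "birth_date": "1980-01-01", "gender": "F",
          "vaccinated_at": "2021-05-13T10:30", "place": "Example Clinic"}

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(record: dict, key: bytes) -> str:
    """Encode the record and append a signature over the encoded bytes."""
    payload = b64u(json.dumps(record, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64u(sig)

def read_without_key(token: str) -> dict:
    """Encoding is reversible by anyone: no key is involved in reading."""
    payload, _sig = token.split(".")
    return json.loads(b64u_decode(payload))

def verify(token: str, key: bytes) -> bool:
    """Recompute the signature; any change to the payload makes it fail."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64u_decode(sig))
    except (ValueError, TypeError):
        return False  # malformed token: treat as invalid

def alter_payload(token: str, field: str, value) -> str:
    """Change one field and re-encode it, keeping the original signature."""
    record = read_without_key(token)
    record[field] = value
    payload = b64u(json.dumps(record, sort_keys=True).encode())
    return payload + "." + token.split(".")[1]

if __name__ == "__main__":
    token = issue(SAMPLE, ISSUER_KEY)
    print("readable without key:", read_without_key(token))
    print("original verifies:", verify(token, ISSUER_KEY))
    altered = alter_payload(token, "name", "Someone Else")
    print("altered verifies:", verify(altered, ISSUER_KEY))
```

The signature addresses forgery only; the privacy exposure raised in the article comes from the readable payload, which the signature does nothing to hide.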
Ms. Larouche adds that this digital format does not contain “more information […] than what is required. The principle is to leave the citizen holding his own information, free to choose to whom he discloses it, with whom he agrees to share it.”
The spokesperson reports that as of May 31, 3,156,743 proofs of vaccination had been uploaded. “No case of fraud in connection with the use of vaccine evidence has been brought to our attention,” she assured.