There is “no rational reason” for the way Australian governments are currently planning to roll out digital COVID-19 vaccination certificates, which is less secure and more damaging to privacy than other approaches used elsewhere in the world, a prominent cryptography expert says.
National Cabinet recently agreed that states and territories will integrate digital vaccination certificates into their own check-in apps, with the exact details of how this will work left up to each jurisdiction. Australians are also now able to download a pdf version of their vaccination certificate, which can be added to a smartphone wallet.
It’s unclear exactly how these certificates will be integrated into the QR code check-in apps, and little further information has been provided so far.
The approach is significantly different to that taken by the European Union, which has adopted a QR code certificate with a digital signature to prove its authenticity.
This is now the biggest vaccine passport scheme in the world with more than 40 countries using it, including all 27 EU members. The EU has provided a digital platform, which acts as a gateway through which vaccination certificates from participating countries can be scanned and verified.
To do this, border security and venues can download an app which reads the QR code on the certificate and identifies whether it is legitimate or not. This is done by each country having its own digital signature key, stored in a secure database, to confirm that a certificate is valid. This allows the certificates to be validated without any personal information passing through the gateway.
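The offline check described above can be sketched as follows. This is an added example, not code from the EU scheme or from any Australian system: the Ed25519 key, the JSON payload, the `AU-TEST-1` key id and the function names are all constructed assumptions, and the encoding is a simplification rather than the EU standard's own format.

```javascript
const crypto = require('crypto');

// Constructed issuer key pair; only the public half is ever published.
const issuer = crypto.generateKeyPairSync('ed25519');

// Published trust list (key id -> public key PEM): all a verifier downloads.
const trustList = new Map([
  ['AU-TEST-1', issuer.publicKey.export({ type: 'spki', format: 'pem' })],
]);

// Issuer side: sign the certificate fields and pack them for the QR code.
function issueCertificate(claims, kid, privateKey) {
  const payload = Buffer.from(JSON.stringify({ kid, ...claims }));
  const signature = crypto.sign(null, payload, privateKey);
  return `${payload.toString('base64url')}.${signature.toString('base64url')}`;
}

// Verifier side: runs on the scanning device, with no request to the issuer,
// so the issuer learns nothing about where or when the certificate is shown.
function verifyCertificate(qrText, trusted, now = new Date()) {
  const [p, s] = String(qrText).split('.');
  if (!p || !s) return { valid: false, reason: 'malformed' };
  const payload = Buffer.from(p, 'base64url');
  let claims;
  try { claims = JSON.parse(payload.toString('utf8')); }
  catch { return { valid: false, reason: 'malformed' }; }
  if (!claims || typeof claims.kid !== 'string') return { valid: false, reason: 'malformed' };
  const pem = trusted.get(claims.kid);
  if (!pem) return { valid: false, reason: 'unknown issuer key' };
  const key = crypto.createPublicKey(pem);
  if (!crypto.verify(null, payload, key, Buffer.from(s, 'base64url')))
    return { valid: false, reason: 'bad signature' };
  // A missing or unparsable expiry date is rejected as well.
  if (!(new Date(claims.expires) >= now)) return { valid: false, reason: 'expired' };
  return { valid: true, claims };
}

// Constructed sample certificate, and a copy whose fields were edited after signing.
const sampleQr = issueCertificate(
  { name: 'Constructed Person', doses: 2, expires: '2030-01-01' }, 'AU-TEST-1', issuer.privateKey);

function editedCopy(qrText) {
  const [p, s] = qrText.split('.');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  claims.name = 'Someone Else';
  return `${Buffer.from(JSON.stringify(claims)).toString('base64url')}.${s}`;
}
```

Any change to the signed fields invalidates the signature, so an edited copy is rejected with the trust list alone.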
Cryptography expert and Thinking Cybersecurity chief executive Dr Vanessa Teague has questioned why Australia hasn’t simply copied this approach, which she says would be quicker, safer and assist when international travel resumes.
The approach that Australia appears to be taking involves state and territory check-in apps verifying an individual’s vaccination status using the federal Immunisation Register each time they check into a venue.
This comes with significant privacy concerns and a risk of making it easier to forge a certificate, Dr Teague said.
“We need to be worrying about how easy they might be to forge, and it’s not looking good at the moment. And we also need to be concerned about whether you are communicating with the server every time you’re showing your vaccination certificate,” Dr Teague told InnovationAus.com.
“The reason that’s a big deal is privacy. There’s no reason that displaying the vaccine certificate requires communication with the server that granted the certificate, and if it does then it reveals a great deal of information about where you’re going and when you’re going there, which is unnecessary.”
The EU approach helps to fix many of these issues, Dr Teague said, and Australia should be copying this.
“The EU is rolling out a simple standard that has neither of these problems. It uses digital signatures on the certificate so the authority that grants it signs the certificate with their digital signature,” she said.
“Then there’s a list of public keys available that people use to verify that signature on the certificate using the public key. They don’t need to go back to the authority to query it. We could copy and paste the EU standard.
“There are literally examples there, open source code and it’s completely free and easily available. There’s a well-documented standard sitting there, and all we have to do is control C and control V it.”
Dr Teague said there are no advantages associated with Australia’s current approach.
“There’s no rational reason to go in other direction. There’s absolutely no reason to have an online lookup for vaccine certificates. I can only assume they’re confused or getting bad advice,” Professor Teague said.
It would also be very simple to add a digital signature to make the current pdf version of vaccine certificates in Australia more secure and harder to replace, she said.
“If anything it’s harder to organise for the myGov server or the Immunisation Register server to respond to online requests than it is to put a digital signature on the pdfs already available. They could’ve put those on the pdfs,” Dr Teague said.
“All they had to do was stick a QR code with a digital certificate on that thing we’ve already got. All they had to do was put a digital signature readable with a QR code and advertise their public key.”
Along with Yuval Yarom, a senior lecturer at the School of Computer Science at the University of Adelaide, Dr Teague recently wrote a blog post on these issues, saying the integration of vaccination certificates with QR code check-in apps would be “very sad news for privacy in Australia”.
“There is a huge temptation to use data once collected, and mission creep is a known aspect of surveillance databases. It should surprise nobody that the police in some states have accessed the QR code check-in databases, given that mission creep already occurred for metadata surveillance databases,” the pair wrote.
“If we must have vaccine passports, they must not come with location surveillance.”
Professor Teague is also significantly concerned about a lack of transparency and publicly available information on how Australia is approaching its digital vaccination certificates.
“We don’t actually know what they’re doing. We never have a sensible public debate about these things until it’s too late because we never get any information about what they’re doing until it’s too late,” she said.
“It’s very hard to say what’s wrong with what they’re proposing because there’s no information about it. They won’t engage with a rational explanation of why they’re not doing the sensible, open thing.”
If Australian governments go ahead with integrating digital vaccination certificates in QR code check-in apps run by the states, this will lead to forgery issues and significant privacy concerns, she said.
“By incorporating in the QR check-in apps, it might mean that every time you check in you’re effectively conveying the information about where you are and the fact you’re checking in to a federal government server for the purposes of vaccination certification,” Dr Teague said.
“I don’t think the upload of information associated with QR check-ins was justified in the first place, but it’s definitely not justified to be effectively copying equivalent information to a federal government server as well.
“If that is what they’re doing then I don’t think it’s justified, it’s not necessary and they’re not communicating clearly about why that’s happening and why they didn’t use the other options.”