The vaccine passport has been rolling out in many countries around the world, most notably France, Israel and the US; New York City, San Francisco and New Orleans now require vaccine passports to enter most businesses. The following are the concerns of a computer scientist, from a reddit post 6 months ago, about the potential security and privacy issues of a vaccine passport.
“Unfortunately it is something that was probably going to happen someday regardless of whether there was a virus or not, particularly after the Chinese implemented social credit. The vaccine is used just as an excuse at this point. Personally I wouldn’t even mind the vaccine after waiting some time for long-term data, but the tracking that comes with a passport is unacceptable, and that is what we should be fighting.
Something I think should be clear is that there are two different, separate issues here, and they are both valid. The first is not wanting to take the vaccine. This is a valid standpoint, but basically solely an ethics question and a separate debate. The second is not wanting to present identification when entering all/a lot/some businesses, and this is the one I will talk about. The media/politicians will try to lump both together, but they are very distinct issues.
Technically the only thing you need to know is that you will have a barcode/QR code/ID number (doesn’t even matter if it’s on your phone or on a paper), and the place that you are entering has a digital scanner (a human checking papers is too easy to fool/too slow), so they are way ahead on that. To be able to admit you, your code has to be checked against a server-stored token, to prove your passport is legitimate.
Whenever a request is performed against the server, it follows that a log will be produced of that identification request. Something like “Mr John Smith, at Walmart SW LA, 03/03/2021, 3:15pm, does he have a vaccine/negative test/etc.?”, to which the server replies “yes/no”.
Now all kinds of web servers produce some sort of log, maliciously or not, but you will never be able to tell whether the system you are using does it or not. And given that a chain of web servers interact with each other on modern architectures, and logging is a default on modern (or old for that matter) programs, it’s a given someone will do it.
My objective with this post is to clear some confusion around what you could do to cheat the system, or to counter some arguments software agencies and health officials have been propagating. I’m not targeting any system in particular, but I’m attacking the system architecture that is being proposed, using the arguments I would use if someone pitched me a new system and I played the devil’s advocate.
Discussing misconceptions/workarounds I have seen:
“I’ll use a paper one”: Irrelevant. As long as the code is read by a machine, that machine will have to consult a server, to where your ID is sent. This is not a “disable your location services” kind of system; the tracking is done by the scanning party. No scanner? Maybe the clerk just types a number on his phone; same thing from a privacy standpoint, your ID is sent somewhere out of your control. Given that the trend is to replace human agents with machines (ticket control, store assistants, etc.) I hardly believe we will see a new human-based job appearing. It will be like scanning your ticket at the train station.
“I’ll get a fake passport”: Could work only if the store/gate agent/whatever didn’t have a digital scanner, and only looked at papers (knowing that this is cumbersome, and they know there will be cheaters, this will not be the case). If the verification is done on the server side, nothing short of hacking that server would help you, and even then your “life log” could have already been backed up somewhere. “Things on the internet last forever” is true, in the sense that even if you delete something, you have no way of knowing if someone has saved a copy.
“I’ll share my passport with my friends to confuse them”: The owner’s photo might be stored on their server, and that will appear on their scanner, thus showing you are not the owner to a nearby agent/AI face recognition system (not sci-fi, and at this point in time, the system could evolve into being just a camera on their end that could check you are indeed vaccinated and hence track you, no need to even have a paper).
“I’ll get my doctor friend to forge an exemption”: Sure, you can escape the vaccine, but you still have to present your “exempt” passport, hence you are tracked just as anyone else. Same logic for negative tests, or for someone who was already infected. You are still an ID being associated with places. Should the purpose of the system be to track you, then it doesn’t matter whether you have a vaccine or not, just that you comply with mandatory identification.
“The scanner does not contact any server, my QR code has a verifiable signed token that the scanner reads locally”: Theoretically fine, but how can you be sure the scanner does what the government/ID provider tells you it does? Maybe it just stores your credentials locally for in-store tracking (the same way a store card would), but do you want that to be legally mandated? Maybe it shares them with some related companies for marketing. The point is if you do not know what the other party is doing, you do not participate. The best way for your nudes not to leak on the internet is not sharing them in the first place.
“The passport does not have my name associated”: You know bitcoin? It’s paraded as the private currency. It’s not controlled by any government. Yet, the police have been able to arrest people by using inference attacks. These sorts of attacks are very powerful; it is detective work but on a digital scale. Maybe to the passport you are just “John Doe”, but you are the John Doe that checks in every day to workplace X, that goes every week to Starbucks Y in a small town, that goes every month to state Z. It’s not hard for law enforcement to then go around and find out who you are if they know your routine. You have nothing to hide? Until you are in the wrong place at the wrong time again.
“The government would not do such a thing, they care only about health”: Let’s suppose it is so. There is still a system that is capable of logging your whereabouts. And no system in the world is perfectly safe. Let’s say it gets hacked. Now your life data is somewhere on the dark web being sold to the highest bidder. Maybe some house thieves noticed that today you checked in at a shop 1000 miles away from your workplace. The data is anonymized? Let’s go back to the inference attacks. If the police are able to do it, so are hackers. And a database of life itself surely is a prime target for attacks.
“I really trust my friend’s hacking skills”: No system is perfect, so hacking it will be possible. But it’s only a matter of time until your exploit gets fixed, so it will always be a game of cat and mouse. It’s much easier for data to be stolen from the server as in the point above, since that attack only needs temporary access to the server.
“We are already tracked everywhere”: Sure. Visa tracks you. Mastercard as well. Facebook. Google. Your phone provider. But each has their own system. The police can request data from each one of them, which is a bureaucratic process. Banking in particular has old systems. And it’s not all put together neatly in a system built from the ground up, where a simple query can show everything a given person has done throughout his life. And all of the former are opt-in too.
“Vaccination passports already exist”: Come on, you are really telling me you have always shown a vaccination passport to buy groceries, to go to the cinema or for interstate travel? Might have been so to go to 4 or 5 African countries, nothing more.
“I have nothing to hide”: Until whatever you did that was legal and allowed is not anymore. Royalty and even landowners in general had nothing to hide in Russia until 1917. Plus you could be at the wrong place at the wrong time and be accused of something you did not do. Maybe you checked in to a restaurant and a supermarket the same day as a suspect, and the police wrongly put 2 and 2 together. And if they tell you it is private, it’s a matter of time until someone decides it is not.
It’s still too soon to know the implementations of the passport, and how often or where it will be used (international travel vs buying groceries). But knowing how a system is designed, and regardless of the “privacy level” they are parading, there will always be a lot of flaws in the concept itself. And forcing people to abdicate their privacy in every aspect of daily life, for whatever reason, is just appalling and downright unethical.
We need to shift the focus away from this being about the vaccine, and focus on it being about tracking.
Could have happened just as well after 9/11 if the tech was there. I know most people will cave in when they are told that they will not get a job without the passport, or won’t be able to buy food. Unless we are aware of the ramifications of such a system, and go outside to protest or boycott it.
Because once it’s accepted it is not going anywhere. And remember, a vaccination tracking system is, first of all, a tracking system.
TLDR: Don’t try to beat the covid tracking system, you need to prevent it from ever existing in the first place”
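The post contrasts two verification designs: the scanner that sends your ID to a server (which then has a "who, where, when" record to log) and the signed token the scanner can check locally. The following is an added example, not code from the post or from any real passport scheme, showing what the locally verified design looks like: the credential shape, the issuer keypair and the QR encoding are constructed assumptions, and Go's standard-library Ed25519 stands in for whatever signature an actual scheme would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

// Credential is the payload the issuer signs into the QR code (a constructed shape).
type Credential struct {
	Subject string `json:"sub"` // pseudonymous holder id
	Status  string `json:"st"`  // "vaccinated", "negative-test", "exempt"
	Expires int64  `json:"exp"` // unix seconds
}

// NewIssuer creates the issuer keypair; only the public key is distributed to scanners.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs a credential and returns the QR text as base64url(payload).base64url(sig).
func Issue(priv ed25519.PrivateKey, c Credential) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload)), nil
}

// VerifyOffline needs only the issuer's public key and a clock: the scanner answers
// yes/no with no network call, so the check itself leaves no central record. What the
// scanner then does with the data is the separate trust question the post raises.
func VerifyOffline(pub ed25519.PublicKey, qr string, now time.Time) (Credential, bool) {
	p, s, ok := strings.Cut(qr, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return Credential{}, false // forged, altered, signed by another issuer, or mis-encoded
	}
	var c Credential
	if err := json.Unmarshal(payload, &c); err != nil || now.Unix() > c.Expires {
		return Credential{}, false // malformed or expired
	}
	return c, true
}
```

The server-side design the post describes differs only in where the yes/no decision is made: the scanner would instead transmit the subject id and venue to a server, and that request is what ends up in a log.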