Privacy protections of digital health passes in focus with Quebec questions, Yoti endorsement
Yoti contributed to the Good Health Pass Collaborative’s Interoperability Blueprint to ensure that the principles of privacy, security and user control are built into digital health passes, according to a company announcement.
The Good Health Pass Interoperability Blueprint was launched in August to establish a common standard for verifiers to request and receive the data they need to validate the authenticity of health status claims, while applying the principle of data minimization.
The company says that 62 million people around the world lost their jobs to the pandemic in 2020 with the 49 percent retraction of the global travel and tourism sector.
“We’re delighted to see our work with Good Health Pass live with the Good Health Pass Interoperability Blueprint, it has huge potential to change the way people travel in the backdrop of Covid-19,” states Yoti Chief Technology Officer Paco Garcia. “I’ve been honoured to co-chair the identity binding working group of the Good Health Pass, working side by side with many competitors.
“We’re striving for interoperability as digital health credentials become more widely available and relied upon. We support the provision of health information in addition to vaccination cards or test results with flexibility for all relying parties and different country requirements. The goal is to give individuals one digital ID for all their identity needs.”
Yoti’s health status solution is currently in use by Virgin Atlantic for staff testing.
Quebec credential shows fine line between protecting and risking privacy
Opinions are mixed about the security of vaccination credentials being issued by the Canadian province of Quebec.
Quebec’s system includes the VaxiCode Verif scanning application for businesses, and VaxiCode for consumers to present a QR code for scanning.
Security experts told The Globe and Mail that the main security risk with the system is that someone could develop an app which stores the VaxiCode data it scans, which Verif does not.
Since then, hackers have reportedly obtained the QR codes for several prominent politicians in the province. Ed Dubrovsky, managing partner of incident response and penetration testing company Cytelligence, tells IT World Canada that “insert” and “update” functions must be carefully secured with measures such as multi-factor authentication.
VaxiCode provides QR codes from paper certificates provided by the province to prove vaccination, with the user scanning a photo ID to confirm they are the person identified by the vaccination credential.
Dubrovsky says that the more QR codes an entity scans, and therefore the more URLs it is directed to for information, the more likely that entity is to discover the relationship between QR codes and URLs and to access URLs containing other people’s data.
He warns that access to the URLs should involve an authentication mechanism to protect the data they contain.