The flawed technologies behind vaccine passports

Published on March 30th, 2021


Israel’s green pass system relies on a central, government-run database that stores and checks all vaccination data. The system is an inspiration for Boris Johnson, who publicly announced his intention to develop a replica app days after Israel's software launched.

“This is an area where we're looking at a novelty for our country, we haven't had stuff like this before, we've never thought in terms of having something that you have to show to go to a pub or a theatre,” he said.

However, experts warn that relying on one centralised system could cause problems, because everyone’s personal information is kept in one place, making it an attractive target for hackers.

“Part of the problem in Israel is that they've got this central database,” says Peter Yapp, a partner at law firm Schillings who previously worked at the National Cyber Security Centre, a division of GCHQ. “They have also used some encryption which is not necessarily top notch encryption, so might be vulnerable. They've done it very quickly.”

A better option, experts say, would be to rely on a decentralised database, as the UK ended up doing for contact tracing, using software built by Apple and Google that kept information on people’s phones instead of on a central server.

“The privacy angle on all of this is it's far worse on a centralised database because you don't know where that data is going to sit, how secure that data is going to be and who that data is going to be shared with,” Yapp says.

However, building such a database is no mean feat. A system that relies on people’s devices to store data will likely be much trickier to develop than simply having an entire NHS database with information on who has and who has not been vaccinated, which can then grant companies access to that data.

The debate is not just around how the data will be stored, but also how venues or restaurants will be able to verify the data they’re receiving.





Many of the systems being designed rely on QR codes that people can have on their smartphones or on physical cards. Venues would be able to scan people’s QR code, which would then provide them with information on whether someone had received a vaccination or had a negative Covid-19 test.

But, says VST Enterprise boss Louis-James Davis, there are huge pitfalls to relying on such technology. 

“There's many different ways that you can hack a QR code,” he says. One of the most popular methods used by fraudsters is something known as “attagging”, where valid QR codes are replaced with cloned ones created by bad actors, which then redirect those scanning the codes to websites where their data can be breached.

“That's what a lot of the fraud in the world is at the moment,” Davis says. 

It is not just fraudsters who may look to exploit loopholes. For many Britons, desperate to get back to normality, there may be the temptation to try to get around systems, Davis adds.

“If QR codes were used for the pub vaccine passports, one person could have a genuine vaccine passport, and all his friends could clone it and they could go to the pub together.”


