The Quebec vaccine passport project was doomed from the start.
Clearly no security expert was consulted or listened to prior to launching this eminent failure.
The system deployed builds on the government's failure to provide any form of digital ID and limit the damages of identity theft. After all, today, your birthday remains a very confidential piece of information… that everyone knows.
Security experts are supposed to look at the entire process and assist a project so that the overall results are favourable based on calculated risks at each step.
Here is what should have been considered as an alternative.
First, let's understand that the current system involves an application used by businesses that does not talk to a central system. Let's put aside that it is possible to obtain a false QR code (based on falsified vaccination paperwork); the QR codes contain sensitive information such as birthdates that we now accept will be "scanned". This approach also transfers the burden of authentication to every business operator, as they now MUST ask everyone for ID so that they can check that the QR code matches the individual. Let's put aside that, if I recall, it is not even legal or acceptable to ask for a driver's license, and that there is no way to check with a central system whether the code is for the person in front of you. Pushing the authentication of the person and the validity of the QR code down to the business owner is literally the stupidest thing a system expected to be secure could do, and expecting it to work is even more ridiculous.
The system could have been this:
1) A QR Code that is a fully random key
2) An application that reads the code and consults a central database to validate that this code is valid
3) The application then displays the photo of the individual taken from the RAMQ system since almost everyone has their photo already in that system.
Voila! The business owner no longer has to ask people for ID, and if the person in front of them matches the picture, then that person is vaccinated and compliant.
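A minimal sketch of the three-step design above, added here as an illustration and not code from any deployed system. The class and method names, the choice to store only a hash of each code, and the revocation step are assumptions; the photo bytes are constructed sample data.

```python
import hashlib
import secrets


class PassportRegistry:
    """Hypothetical central database: opaque QR code -> photo on file."""

    def __init__(self):
        # Keyed by SHA-256 of the code (assumption), so a leaked copy of
        # the table cannot be turned back into scannable QR codes.
        self._records = {}

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode("ascii", "replace")).hexdigest()

    def issue(self, photo: bytes) -> str:
        """Step 1: the QR payload is a fully random key with no personal data."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[self._key(code)] = {"photo": photo, "revoked": False}
        return code

    def revoke(self, code: str) -> None:
        """Central lookup lets a lost or fraudulently obtained code be cancelled."""
        record = self._records.get(self._key(code))
        if record is not None:
            record["revoked"] = True

    def verify(self, code: str) -> dict:
        """Steps 2 and 3: validate the code, then return only the photo."""
        record = self._records.get(self._key(code))
        if record is None or record["revoked"]:
            # Unknown and revoked codes look identical to the scanner.
            return {"valid": False, "photo": None}
        return {"valid": True, "photo": record["photo"]}


if __name__ == "__main__":
    registry = PassportRegistry()
    qr = registry.issue(b"<constructed sample photo bytes>")
    print("QR payload:", qr)                  # random string, no birthdate
    print("scan:", registry.verify(qr)["valid"])
    print("forged:", registry.verify("made-up-code")["valid"])
    registry.revoke(qr)
    print("after revoke:", registry.verify(qr)["valid"])
```

The scanning application never receives a name or birthdate: the operator sees a valid/invalid answer and a face to compare with the person in front of them.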
The only issue left to resolve would be how to handle the people who are not in the RAMQ system, and sending these folks to the SAAQ with their proof of vaccination so they can have their photo taken does not seem that complex. If it is, then having a few regional offices that offer the service certainly is attainable.
Bottom line, this system is a failure and, unless some changes are made, will be a major pain in the ass for all business owners.
Let's hope that the Canadian and international versions learn from these mistakes and do not continue in this direction.
Eric Parent is a senior security expert, specialized in coaching senior executives. He occasionally teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.