'Fraud or forgery possible': Ontario's vaccine certificate opens up risk of fake, doctored documents, expert says

Enhanced QR code vaccine certificates are now available to all of Ontario, alongside the brand-new Verify Ontario mobile app. Businesses can use the mobile app to scan customers’ QR codes from their phones or a printed copy. The province has called the new certificate “easier, more secure and convenient,” but a few questions have been raised about improving security and ease of use.

“From what I can gather, fraud or forgery could definitely be possible,” York University assistant professor Evan Light told Yahoo News Canada. Light added that while secure QR codes that lose some functionality when photocopied do exist, they seem to be different from the SMART QR codes Ontario is using.

Although the enhanced vaccine documents are available to all Ontario residents, the old version (the vaccine receipts people received when immunized) will remain valid. The previous vaccine document is a Portable Document Format (PDF) file, which raised concerns from experts in past months about its susceptibility to editing and forgery. Given that the old document will remain in use, it appears that those safety concerns may remain unaddressed.

“People have been making fake IDs — for great and not-so-great reasons — for ages,” said Light, who specializes in communications policy and privacy and surveillance.

Some strategies Light suggested the province might undertake to mitigate this risk include issuing “actual cards with QR codes that can't be duplicated,” and making the website to obtain the certificate easier to use.

“I'm pretty savvy and got sent in circles before I finally landed at the right spot, and then jumped through five more hoops before I could download the thing,” he said. “Ease of use and secure use could go a long way.”

Light also has questions about the nature of the mobile app and the information it collects, with his main concerns being “the lack of clarity around geo-location and their vulnerability disclosure policy.”

He says the lack of clarity around geo-location may introduce a new level of information sharing with the Ontario government based on the IP address of the phone being used: “Usually governments don't know where we go to eat, drink and party.”

However, this may not prove to be out of the ordinary for many Ontarians. “Most people, having become used to giving up personal information in exchange for stuff — followers, likes, et cetera — probably won't have any concerns,” he said.

Light added that the current vulnerability disclosure policy “removes any incentive for security researchers to examine and test the code of the application out of fear of being persecuted or prosecuted for hacking.

“The Verify Ontario app should not collect any IP address information whatsoever,” he said. “Security experts should be given free rein to uncover bugs in the application without fear of prosecution.”

Access to vaccine passport isn't being discussed

Beyond questions of privacy and security, the introduction of what appears to be a more long-term personal vaccine certificate has also raised questions about accessibility.

“So many people in the world do not have smartphones nor access to a computer or printer,” said Light. “The onus is being put on individuals to create medical IDs for themselves in a way that hasn't been done before. That's a lot to ask from people who have been through what we've been through over the last 20 months, let alone from fellow humans who may not have the resources (technical, economic, social) one needs to be a part of this new world.”

According to the province’s newsroom, individuals can call the Provincial Vaccine Contact Centre at 1-833-943-3900 to have their enhanced vaccine certificate emailed or mailed to them.

“I'm a father of two kids in school too young to be vaccinated and absolutely support vaccination strategies for dealing with the pandemic,” concluded Light. “With the adoption of all new technologies to police people and their bodies, I think we need to continue to pay special attention to how these technologies can marginalize people or magnify the marginalization of people.”