"It is not a bug, it is a functionality" ... This ironic dicton used to make fun of the publishers of software reluctant to recognize the dysfunctions of their solutions can be declined in "It is not a flaw,This is a functionality »Regarding the application of the COVVID Swiss certificate?The question arises seriously in view of the discovery reported by our colleagues of time: the Cavid Certificate application, which is aimed at the general public, makes it possible to scan the QR code of the certificate of anyone.And therefore to have access to a priori confidential information.
As a reminder, the COVID Certificate Check app allows event organizers, customs, airlines, etc. to check whether a person is vaccinated, immune or has tested negative. In Switzerland, this verification app is designed to display only a minimum of information (last name, first name, date of birth, certificate valid or not). The storage app for individuals, by contrast, collects and displays more detailed data once the user scans the QR code transmitted by the competent authorities. These data include, for example, the type of vaccine administered, the date of vaccination and the date the certificate was created.
COVID-19 Ordinance vs. terms of use
Questioned by Le Temps, Sylvain Métille, a lawyer specializing in data protection, believes that there is indeed a problem and that the possibility of accessing detailed third-party data runs counter to the COVID-19 Ordinance on certificates. For its part, the Federal Office for Computer Science and Telecommunications (OFIT), which oversees these applications, denies any confidentiality problem, adding that using the storage app to verify certificates would violate the application's terms of use.
The federal data protection commissioner also mentions a confidentiality problem. Still in the Le Temps article, he stresses that certificate data is not encrypted, in order to comply with the specifications established by the European Union. These specifications provide access to the detailed information listed above.
It should be noted that a European system simply indicating whether the certificate is valid or not would only work if all the countries agreed on validation conditions (duration of immunity for each vaccine or for previously infected persons, acceptable period after a PCR test, etc.).