Unwanted disclosure of personal information

[adymorz]

There is a flaw in the concept of the cert app. Showing the certificate over the app allows to read out personal information.

1. Person A install the "COVID Certificate APP" on his phone
2. Person A scans the QR code to store the certificate on his phone
3. Person B pretends to use the "COVID Certificate Check APP" and scans the code displayed on Persons A phone

If the Person B uses the "COVID Certificate APP" instead of the "COVID Certificate Check APP", he is able to scan and permantely store the full name and birth date of the person, which would be an unwanted disclosure of personal information

To overcome this security issue, the certificate QR code should only contain some anonymous information stored on the "Swiss identity card" (e.g. the serial number) to verify if the certificate and identity card match.

[ypiguet-epfl]

I agree. In addition, the QR-code contains information such as the vaccination date and number of doses which have a high correlation with the age+health. Health is considered sensitive information by Swiss law. By using the certificate, i.e. showing it to somebody who scans it, we must trust the verifier to not use a rogue application which stores the information, or a compromised device.
The problem is that our Swiss certificate is an implementation of the EU digital green certificate. To use it abroad, Switzerland must comply. Hence the idea of a reduced certificate floating around for domestic use.

[adymorz]

I just submitted this issue using the form linked at the end of the text on https://www.ncsc.admin.ch/ncsc/de/home/dokumentation/covid-certificate-pst/infos.html

I did not read that far in the text 8 hours ago...

[nohillside]

Maybe I'm missing something here but

• The covid certificate is only valid in combination with passport or identity card, so at the point of verification both the certificate and the passport are to be presented
• Name and birthdate are (obviously) visible on the passport
• So personal information is disclosed anyway, either via the certificate or via the passport

To resolve this a fully anonymous scheme would be required (or rather "would have been" because at least for the Covid certificates it's probably too late now), ideally one which doesn't require validation against a central datastore.

PS: Using the ID card number might not work anyway, AFAIK you get a new number when you get a new card.

[ypiguet-epfl]

In theory, you're right (except for the health data). In practice, there is a big difference between showing an id card to a person and having the information scanned by an untrusted device. We should expect massive leaks.

Using the id card number could have worked. People would have to request a new certificate when they change their card, and the validity of the certificate is much shorter than id cards. But it would be impractical: slow to check manually, possible to do by scanning (id cards have all the information nicely formatted in three machine-readable lines) but then we have the same issue as with the current QR-code; and a major burden to issue the certificates (for security and privacy reasons, the central id/passport database could certainly not be used).

A central database (for each country) would avoid these problems. Some people would have trust issues, probably unjustified imo. But you would need an extremely robust infrastructure.

[nohillside]

The problem with the central database is that it allows to track who participated in which events and to identify groups of people who often join events together, based on the IP address of the verifier when accessing the database to validate a certificate. And given all the attempts of using contact tracing data for law-enforcement purposes in the last 18 months I think these trust issues are valid.

Also, I'm not sure whether a typical event visitor would complain (or even notice) if the validator would snap a picture of their ID card (or would challenge it if the explanation would be "we must do this due to regulations. If you don't like it, please leave").

[loics2]

Using the id card number could have worked

Not really, a solution based around the swiss id card would limit the availability of the certificate. If a foreigner Is vaccinated here, they wouldn't be able to get a certificate.

The only solution would be much more "low tech", where the data is written in human-readable form, like the old school paper certificate. Whatever we do, we have to choose between respecting privacy on the client side, on the server side or accepting that the certificates can be faked, and we can only have one of the three.

[qwertz7C1]

I just submitted this issue using the form linked at the end of the text on https://www.ncsc.admin.ch/ncsc/de/home/dokumentation/covid-certificate-pst/infos.html

I did not read that far in the text 8 hours ago...

Hi adymorz,

have you ever received a reply from NCSC ?

[adymorz]

No, I did not get an anwers from the NCSC.

I also sent the request to the Federal Data Protection and Information Commissioner (FDPIC) aka. Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB). I got an aswer:

First of all, we would like to point out that all standard details and outputs in the certificates and provided Swiss APPs follow the European specifications. This is a prerequisite for the acceptance of the Swiss Covid certificate by the EU. Furthermore, the use abroad and the verification of European certificates is easily possible without multiple APPs or adjustments to the APP logics.

With name and date of birth, it is also possible to identify certificate holders as easily as possible. In Switzerland, any official identification document with a photo (passport, ID, driving licence, ...) is sufficient for this purpose. It is important that the name and date of birth match the information in the certificate.

Regarding your point 3, we would like to point out that the number of possible stored certificates in the "Certificate APP" is deliberately limited to 10 in order to prevent widespread misuse, but to enable families with children and e.g. grandparents to travel easily in Europe. We also tried to keep the colours of the "Certificate APP" and "Certificate Check APP" as different as possible so that the certificate holder can easily recognise which APP is used by the examiner.

Since 12 July 2021, the certificate holder can prevent the risk of unauthorised reading of health data when checking the certificate itself by activating the "Certificate Light". The "Certificate Light" only contains the information necessary for identification and an electronic signature. The FDPIC recommends making use of the "Certificate Light" for events in Switzerland.

Since the certificate light has been available in the Android app, I have used it. Unfortunately, the workflow to create the certificate involves a lot of reading and scrolling, so I think few privacy-sensitive users make use of it.