Comments (8)
I agree. In addition, the QR-code contains information such as the vaccination date and number of doses which have a high correlation with the age+health. Health is considered sensitive information by Swiss law. By using the certificate, i.e. showing it to somebody who scans it, we must trust the verifier to not use a rogue application which stores the information, or a compromised device.
The problem is that our Swiss certificate is an implementation of the EU digital green certificate. To use it abroad, Switzerland must comply. Hence the idea of a reduced certificate floating around for domestic use.
from covidcertificate-documents.
I just submitted this issue using the form linked at the end of the text on https://www.ncsc.admin.ch/ncsc/de/home/dokumentation/covid-certificate-pst/infos.html
I did not read that far in the text 8 hours ago...
Maybe I'm missing something here but
- The covid certificate is only valid in combination with passport or identity card, so at the point of verification both the certificate and the passport are to be presented
- Name and birthdate are (obviously) visible on the passport
- So personal information is disclosed anyway, either via the certificate or via the passport
To resolve this a fully anonymous scheme would be required (or rather "would have been" because at least for the Covid certificates it's probably too late now), ideally one which doesn't require validation against a central datastore.
PS: Using the ID card number might not work anyway, AFAIK you get a new number when you get a new card.
In theory, you're right (except for the health data). In practice, there is a big difference between showing an id card to a person and having the information scanned by an untrusted device. We should expect massive leaks.
Using the id card number could have worked. People would have to request a new certificate when they change their card, and the validity of the certificate is much shorter than id cards. But it would be impractical: slow to check manually, possible to do by scanning (id cards have all the information nicely formatted in three machine-readable lines) but then we have the same issue as with the current QR-code; and a major burden to issue the certificates (for security and privacy reasons, the central id/passport database could certainly not be used).
A central database (for each country) would avoid these problems. Some people would have trust issues, probably unjustified imo. But you would need an extremely robust infrastructure.
The problem with the central database is that it allows tracking who participated in which events and identifying groups of people who often join events together, based on the IP address of the verifier when accessing the database to validate a certificate. And given all the attempts of using contact tracing data for law-enforcement purposes in the last 18 months I think these trust issues are valid.
Also, I'm not sure whether a typical event visitor would complain (or even notice) if the validator would snap a picture of their ID card (or would challenge it if the explanation would be "we must do this due to regulations. If you don't like it, please leave").
> Using the id card number could have worked

Not really, a solution based around the Swiss id card would limit the availability of the certificate. If a foreigner is vaccinated here, they wouldn't be able to get a certificate.
The only solution would be much more "low tech", where the data is written in human-readable form, like the old school paper certificate. Whatever we do, we have to choose between respecting privacy on the client side, on the server side or accepting that the certificates can be faked, and we can only have one of the three.
> I just submitted this issue using the form linked at the end of the text on https://www.ncsc.admin.ch/ncsc/de/home/dokumentation/covid-certificate-pst/infos.html
> I did not read that far in the text 8 hours ago...

Hi adymorz,
have you ever received a reply from NCSC?
No, I did not get an answer from the NCSC.
I also sent the request to the Federal Data Protection and Information Commissioner (FDPIC) aka. Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB). I got an answer:
> First of all, we would like to point out that all standard details and outputs in the certificates and provided Swiss APPs follow the European specifications. This is a prerequisite for the acceptance of the Swiss Covid certificate by the EU. Furthermore, the use abroad and the verification of European certificates is easily possible without multiple APPs or adjustments to the APP logics.
>
> With name and date of birth, it is also possible to identify certificate holders as easily as possible. In Switzerland, any official identification document with a photo (passport, ID, driving licence, ...) is sufficient for this purpose. It is important that the name and date of birth match the information in the certificate.
>
> Regarding your point 3, we would like to point out that the number of possible stored certificates in the "Certificate APP" is deliberately limited to 10 in order to prevent widespread misuse, but to enable families with children and e.g. grandparents to travel easily in Europe. We also tried to keep the colours of the "Certificate APP" and "Certificate Check APP" as different as possible so that the certificate holder can easily recognise which APP is used by the examiner.
>
> Since 12 July 2021, the certificate holder can prevent the risk of unauthorised reading of health data when checking the certificate itself by activating the "Certificate Light". The "Certificate Light" only contains the information necessary for identification and an electronic signature. The FDPIC recommends making use of the "Certificate Light" for events in Switzerland.

Since the certificate light has been available in the Android app, I have used it. Unfortunately, the workflow to create the certificate involves a lot of reading and scrolling, so I think few privacy-sensitive users make use of it.
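
An added illustration of the data-minimisation point raised in this thread (not code from the covidcertificate project or from any commenter): it lists every field a scanning app can read from a certificate payload and compares that with an identity-only projection. The field names follow the EU DCC JSON schema; the sample payload is constructed, and `minimise` is a hypothetical helper that only models the property attributed above to the "Certificate Light", not the Swiss app's actual transformation.

```python
import json

# Constructed sample shaped like an EU DCC vaccination payload (not real data).
SAMPLE_DCC = json.loads("""
{
  "ver": "1.3.0",
  "nam": {"fn": "Muster", "gn": "Anna", "fnt": "MUSTER", "gnt": "ANNA"},
  "dob": "1980-01-01",
  "v": [{"tg": "840539006", "vp": "1119349007", "mp": "EU/1/20/1528",
         "ma": "ORG-100030215", "dn": 2, "sd": 2, "dt": "2021-06-01",
         "co": "CH", "is": "Constructed Issuer",
         "ci": "urn:uvci:01:CH:EXAMPLE"}]
}
""")

HEALTH_GROUPS = {"v", "t", "r"}   # vaccination, test and recovery entries
IDENTITY_KEYS = ("dob", "nam")    # what is compared against the photo ID


def exposed_paths(node, prefix=""):
    """Return every leaf value a scanning device can read, as dotted paths."""
    if isinstance(node, dict):
        return [p for k, v in node.items()
                for p in exposed_paths(v, f"{prefix}{k}.")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node)
                for p in exposed_paths(v, f"{prefix}{i}.")]
    return [prefix.rstrip(".")]


def health_paths(payload):
    """Subset of exposed paths that sit under a health-data group."""
    return [p for p in exposed_paths(payload)
            if p.split(".")[0] in HEALTH_GROUPS]


def minimise(payload):
    """Hypothetical identity-only projection: schema version, name, birth date."""
    return {k: payload[k] for k in ("ver", *IDENTITY_KEYS) if k in payload}


if __name__ == "__main__":
    light = minimise(SAMPLE_DCC)
    print("full certificate exposes:", len(exposed_paths(SAMPLE_DCC)), "fields")
    print("of which health-related :", health_paths(SAMPLE_DCC))
    print("identity-only exposes   :", exposed_paths(light))
```
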