Late last week, the government provided more details about its vaccine certificate system. For IRL, Dylan Reeve explains how My Vaccine Pass and My Covid Record will work, and why there’s no need to panic about privacy or security.
OK, let’s start with My Covid Record. What is it?
It’s a website, and soon-to-be smartphone app, which you can use to access your Covid vaccination history (Covid test results will also be added in the near future.) It’s like the little card you got with your jab, but you can’t accidentally put this one through the wash.
Alright, what about My Vaccine Pass?
That’s a vaccination certificate that can be generated from the My Covid Record site, to prove your vaccination status to any restaurant, shop, bar, airline and gym that requires you to be fully vaccinated to enter once the traffic light system comes into effect.
My Vaccine Pass will launch before the end of November, or so we’ve been assured.
The names are really clunky and repetitive.
Oh trust us, we know.
How will the vaccine certificate work?
Using a free smartphone app, businesses and other organisations will be able to verify the validity of the My Vaccine Pass you show them. The app will tell them your name and date of birth, much like our other ID documents do, and the fact you’ve been vaccinated – but not when, with what, or by whom.
Random strangers have no right to access my medical records!
That’s true. We’re facing unique circumstances, though, and like it or lump it, soon businesses will be permitted to verify your vaccination status in order to grant you entry to venues or access to services. To be clear, they won’t be able to access your medical records, but they will be able to ask you to show your vaccine pass, and if you can’t or won’t, you’ll likely be denied entry.
Is the website safe? I heard it was insecure…
There are some claims floating about the internet that My Covid Record is insecure, but we’d suggest you take them with a grain of salt.
These claims tend to be based on results from basic online security screening sites, which gave some aspects of My Covid Record a low score based on decisions the developers made not to use all the very, very latest technologies for aspects of the site’s underlying communication protocols. Without getting into the weeds too much, those tests don’t take into account the risks the site is likely to face given its function and design, nor the tradeoffs the government needed to make to ensure the system is as accessible as possible to New Zealanders, including those using older devices. None of the issues those tests have identified are fundamental security risks.
To put your mind at ease, consider that every online banking website in New Zealand (for example) scores equally poorly on those tests, but their online services are very secure. Plus, as part of the development process, the Ministry of Health hired outside expert consultants to conduct a detailed study on the security of the site and the technology that underpins it. While the study result isn’t public, the process requires that any identified security issues are rectified.
OK, but is it safe?
Yes. Like anything online, there’s always some security risks, but every reasonable precaution has been taken to protect the system.
Do I really need the certificate? My cousin who makes websites said he could make a fake version.
The Ministry of Health is one step ahead of your cousin, and has adopted measures to prevent forgery. My Vaccine Pass will show a QR code that contains your name, date of birth, and the digital equivalent of one of those fancy holograms they used to put on credit cards. When the QR code is scanned, the verifier app will confirm that the pass is valid and the details it contains are correct. Any forgery will be immediately identified.
Admittedly, no vaccine certificate system, short of issuing us all with physical passports, is going to be totally foolproof, and a motivated fraudster will be able to fake just about anything. But there are safeguards in place, including the law: anyone faking a vaccine certificate will face fines, according to Covid-19 response minister Chris Hipkins.
I don’t have a smartphone. Am I locked out of the scheme?
You can access the My Covid Record site on a computer. Or a tablet. Probably even on some smart fridges.
While the final details aren’t public yet, it should be simple from within My Covid Record to generate a copy of your vaccine pass that you can print out or save to your phone.
But if device access to My Covid Record isn’t practical for you or a loved one, the Ministry of Health will also make a good old-fashioned paper-based version – probably complete with long holds on the phone and annoying forms to fill out.
Is this just a way for the government to track me?
Um, no. It’s just a way to demonstrate your vaccination status. In fact, the verifier app that will be used to check My Vaccine Pass doesn’t need to be connected to the internet to validate the pass, and won’t be sending back data about your movements or storing information about the passes it has validated.
What do I need to do now?
There are two main things you need to do in order to get ready to use My Vaccine Pass when it launches: get vaccinated, and sign up for My Health Account (absolutely cursed naming system, we know). A My Health Account allows you to sign in securely to online health services, and you’ll need it to access My Covid Record, from which you can generate My Vaccine Pass. Clear as mud?
The My Health Account signup process can be a little laborious. If you already have a RealMe it’ll be a bit easier, but otherwise you’ll need to provide a raft of personal details and provide supporting identity documents, so it’s probably best to get started soon. The good news is that once you’ve jumped these boring administrative hurdles, freedom awaits – or at least, the closest approximation available during the plague times.
An earlier version of this article made reference to “an IT security expert” and claims he made about the security of My Covid Record. Those references have been removed.