Image: Archi Banal

Internet | December 7, 2021

What is RealMe and why do people hate it so much?


You wouldn’t expect a secure login service provided by the Department of Internal Affairs to arouse strong emotions, but Dylan Reeve finds that RealMe is one of the nation’s most loathed public services. He explores why for IRL.

For some people, the recent arrival of the My Covid Record and My Vaccine Pass services was the first time they’d encountered the government’s official online identity service, RealMe. For others, the RealMe logo sitting on the login page was like confronting an old nemesis again. 

“I hate RealMe with a visceral loathing,” begins one tweet from a user trying to set up their RealMe account, followed soon after by: “Every step is so convoluted, prone to breaking down and fucking pointless.”

“Who created RealMe and why do they hate people[?]” asked another Twitter user. But many other users describe a painless setup process and a good experience every time they use it.

Most New Zealanders can register for the various Covid-related web services without using RealMe, but for those without certain identity documents, especially immigrants to New Zealand, it may be the only option. Others simply didn’t realise they could avoid it. 

The service, managed by the Department of Internal Affairs, was launched in 2013, but went largely unnoticed by most New Zealanders for a couple of years. The mission is to provide a single secure login that can be used for multiple government and private sector services — one that can be used to verify your real legal identity online.

In 2015, the service saw significant growth when it was integrated with online passport applications and, a few months later, the StudyLink student loan service, and since then it’s been incorporated into most government online services, sometimes as the only way to register, and is also used by private businesses like banks and education providers.

In attempting to canvass opinion online about RealMe, there seem to be two basic experiences that broadly break down into either, “It’s a breeze” or, “Oh my god, this is a kafkaesque nightmare” – there really isn’t much middle ground. The difference between these experiences is often marked by whether the user has a “verified” account.

Maria Robertson, deputy chief executive of service delivery and operations at the Department of Internal Affairs, agrees about the division of opinion, but points out that the vast majority of interactions go well. “It’s used to access 139 different services about three million times a month,” says Robertson. “About 95-96% of the time it’s without any drama or concern.” A forgotten username or password is by far the most common issue. 

Maria Robertson, deputy chief executive of service delivery and operations at the Department of Internal Affairs, says the vast majority of interactions go well. (Photo: supplied)

For some purposes, it’s enough to just have a basic RealMe account, which is not much more complicated than any other online account secured with a username and password, and attached to an email address and phone number. But for other services, especially the more sensitive government interactions, it’s necessary to have a verified identity – a process requiring a lot more work.

To become verified, you need to provide identity documents (passport, birth certificate, immigration records or citizenship certificate) and have a photo taken. This last step used to (and still does, for some people) require a trip to an AA location, although it can generally be done online with a cellphone or webcam now.

The other key difference between the basic and verified RealMe identities is the need for 2FA (two-factor authentication), either having a code sent to your phone by text message or using an authentication application.

“We’re constantly looking at this and saying, ‘Where are the pain points, where are people getting stuck?’,” says Robertson. “It tends to be around users not having the right [documents] or they used a shared email address.”

For software engineer Michael Koziarski, the biggest problem with RealMe is its small scale and limited necessity. “You want an identity system to be something which people use regularly, but for most people the best case scenario is they use it three or four times a year, and then forget their login details and have to go through a complicated reset process,” he says.

The government’s resources are another issue. “Such a system needs substantial investment in constant improvements and world-class talent running it and securing it. Google has that. Facebook has that. The government doesn’t,” Koziarski continues. 

For those using RealMe for access to the My Covid Record site, it seemed that most people with an existing verified account had an easy breezy sign in, but for those who had let their account get out of date or hadn’t taken the steps to verify their existing account, the process was quite different. 

“I made the terrible mistake of trying to set up my [vaccine] pass via RealMe,” Brenda Leeuwenberg posted on Twitter. “Several days and multiple attempts later, still no joy and stuck in an endless loop of redirects. Has anyone actually made it work that way?” continued the tweet. The replies confirmed that many other people had been successful.

The easiest? Citation needed.

Speaking on the phone later, Leeuwenberg elaborated on the issue. “I set up the Health Record account a while back when it first came out and used one particular address that wasn’t the same as my RealMe address,” she explains. Apparently, when she tried to connect her RealMe verified identity to the Health Record account the email address discrepancy was too much for the system to handle, resulting in an endless loop in the application and no useful error message. 

The only option for Leeuwenberg was a call to RealMe’s helpline, a challenge in itself. “You call and you get cut off, or you call and you’re on hold for two hours… and then you get cut off,” recounted Leeuwenberg with a sense of remembered exasperation in her voice. 

One common issue that many people encounter when trying to use their years-old RealMe login for the first time in ages is very relatable: they have a new phone. They no longer have access to the phone number that the service was sending a code to, or their authenticator app is no longer installed. 

Auckland photographer Roger Baillie had this issue. “I decided to use [RealMe] for my vaccine pass, and when I went to login I noticed that it was sending the security number to my old phone number.” For Baillie, too, the only option was a call to the helpline, but his experience was not good. “I tried to call them and what I got was a message that said this phone number cannot be reached or doesn’t exist.”

Days later, Baillie reported he’d still had no luck getting through. He made it as far as the answering service, but after 15 minutes on hold had to abandon the call. He’s since been able to back out of the RealMe process for his vaccine pass, and managed to use the regular email address signup process. For now Baillie has decided to “park RealMe until after Christmas.”

Long holds and random disconnections might not be the worst part of a call to the help line, either. “Holy shit, the RealMe hold music is TERRIBLE,” tweeted Robyn Gallagher last month. “It’s a short clarinet piece that is looped ad nauseam. The only interesting thing is that the looping isn’t smooth, it restarts in the middle of the piece.” In a follow-up, she noted that she’d emailed the minister of internal affairs about the music, so fingers crossed on that issue, at least.

Aotearoa has a “world leading” digital identity system in RealMe, says deputy chief executive Robertson. She also promised to look into the hold music, but clarifies it “hasn’t been [the DIA’s] number one priority.” 

Unfortunately, the nature of RealMe, as a secured and identity-connected service, means that problem solving is often a complicated process requiring that call-centre staff take steps to verify the identity of those who call. As such it can be a complicated call, and the added demand placed on the service by the unprecedented roll-out of My Vaccine Pass has put pressure on the already in-demand help line. “We’ve had about a 270% increase in calls and a 750% increase in email contacts since mid to late September,” says Robertson.

If you don’t already have a RealMe account, it’s worth taking the time to set one up. But it’s probably best not to wait until you’re facing an immediate deadline, just in case the process doesn’t go smoothly. And if you already have one, now’s a great time to make sure it’s all up to date and the login process works.


Internet | December 3, 2021

Inside the emerging black market for vaccine passes 


As My Vaccine Pass becomes a ticket to freedom, an illegal market is brewing for those who aren’t yet double-jabbed. Dylan Reeve investigates for IRL. 

New Zealand’s traffic light system comes into play today, and perhaps inevitably, it’s being accompanied by a new black market for stolen, shared and faked vaccine passes.

The My Vaccine Pass system is technically designed in a way that makes it functionally impossible to create fake passes, but that’s only true if passes are verified using the official verifier app. Because the only information on the pass is a name and date of birth, it would also be necessary to check some type of ID in order to confirm that a pass belongs to the person presenting it.

However, the government’s official advice to businesses about the passes makes it clear that both these steps are optional. Simply looking at a pass is good enough for the purposes of the Protection Framework.

The practical choices in the way the system is implemented mean that, in the real world, it’s probably trivial for an unvaccinated person to simply use another person’s pass, or possibly even present a totally fake one.

A Telegram seller who, when I last spoke to them, was selling fake vaccine record cards recently made a big pivot to buying and selling official My Vaccine Passes.

The seller, “Vax Card NZ”, told me via Telegram private message on Wednesday that they were diversifying: “Just transitioning to cover the digital passes, but we still are selling the cards.”

They went on to explain that they’re trying to build up a stock of official passes with a variety of names and birth dates. “We ideally need a variety of cards to cover the base demographics,” they said, in order to be able to offer suitable options to buyers. But so far they’ve not had much luck getting official cards, and have been raising the price they’re offering to buy the passes. “We started at $50 and are now offering $125, and will continue to raise prices until we are able to purchase enough stock,” they continued. 

As of Wednesday, Vax Card NZ reported that they hadn’t been able to buy any cards, but they were expecting that to change. “This will likely happen when the passes start to be used as people will be able to photograph other people’s passes and then sell them,” they explained, pointing out that all they needed was an image of the official QR code in order to recreate the pass for sale.

This functionally creates a market for stolen vaccine passes, incentivising people to capture images of strangers’ vaccine passes; a process Vax Card NZ has called “mining” in their online advertisements.

Telegram user “Vax Card NZ” is encouraging people to capture images of strangers’ vaccine passes for sale. (Screenshot: Dylan Reeve)

The way the official vaccine passes have been designed also means it’s possible to create an entirely fake pass with any name and date of birth. The fake pass would look real to any person reviewing it, but would neither pass nor fail if scanned by the official verifier app – it simply wouldn’t scan at all, leaving the person checking the pass with the decision of whether or not to trust it.

The practical realities of the system are the issue, according to Andrew Chen, research fellow at Koi Tū, the Centre for Informed Futures at the University of Auckland. “In an ideal world checking a vaccine pass would have three steps,” explained Chen. “Step one, a human would visually sight the pass to confirm it looks like a vaccine pass.”

Step two, according to Chen, is: “Scan the QR code to confirm the pass is legitimately issued by the Ministry of Health, and that the name that appears on the pass is the same as the one that shows in the verifier app.”

Finally, step three is: “A photo ID check to confirm the person carrying the pass is the person named on the pass.”

Ideally, vaccine passes would be scanned and then checked against a photo ID, according to Dr Andrew Chen. (Photo: Koi Tū)

In reality though, that three-step process probably won’t happen in most places. Even in cases where those steps are followed, businesses have no obligation (or power) to detain anyone who presents an improper vaccine pass, although a Ministry of Health spokesperson told The Spinoff that police will have the power to conduct spot checks at venues to verify passes and ID. “Fraudulent use or misuse of My Vaccine Passes will be taken very seriously,” said the ministry spokesperson, confirming that police and other agencies will investigate reported misuse and fraud on a case-by-case basis.

With a potential $12,000 fine or six months in prison, anyone using a fraudulent pass is making a fairly significant gamble that they’ll go undetected.

Conversations within New Zealand’s Covid denial and anti-vax online communities about the vaccine pass system have been getting increasingly urgent as the framework has moved from theory to reality. Some are seeking to establish their own alternatives to the mainstream services they’ll be locked out of, setting up groups and websites to facilitate direct trade and identify businesses still happy to serve those without vaccine passes.

Others are looking for loopholes and schemes to gain access to restricted events and businesses while not being vaccinated. Shelling out a few bucks for a fraudulent pass seems an easy choice for some, and it’s likely even more will jump on board if the early adopters report success. 

The idea of vaccine pass fraud can seem pretty daunting, but according to Chen we probably don’t need to get too concerned, as our high vaccination rates and past Covid experience play in our favour. “I’d say the impact of fraud in New Zealand is likely to be lower than other [countries],” he says, pointing out that we’re generally still pretty wary of high case numbers and more diligent with distancing and masks.

Phew.