[HN Gopher] What's Inside the EU Green Pass QR Code?
___________________________________________________________________
What's Inside the EU Green Pass QR Code?
Author : zaik
Score : 622 points
Date : 2021-06-22 10:25 UTC (12 hours ago)
(HTM) web link (gir.st)
(TXT) w3m dump (gir.st)
| rjzzleep wrote:
| So after all this talk of how we're better than China and how
| invasive the wechat Green qr code is we decided to copy it?
|
| What exactly is the moral high ground we stand on?
| d0100 wrote:
| Freedom is always eroded by "good for society" reasons
|
| Of course, just because something is called "good for society",
| doesn't mean it actually is
|
| So it's just meaningless erosion of freedom
| martin_a wrote:
| I don't see any personal information besides the name and date
| of birth here. That's pretty good, don't you think so?
| nomercy400 wrote:
| It links 'a person' to 'a piece of health information'.
| Imagine what you or any data platform could do with that
| (big) data.
|
| Here we hide personal health information in a QR code and are
| expected to give random strangers 'consent' to this personal
| data to gain 'access' to a venue or 'service'.
|
| Sounds an awful lot like a cookie consent-popup.
| martin_a wrote:
| No, it links a name and a date of birth to a number of
| vaccinations.
|
| Without any kind of ID the QR code is useless.
| nomercy400 wrote:
| Yes, the name and date of birth are linked to a number of
| vaccinations, AND the exact vaccine, AND date it was
| administered, AND the country it was administered, (I
| also now have a good guess about your nationality) AND the
| disease the vaccine works against.
|
| Do you really need to know the last four if all you
| really want to know is if the identified person should be
| granted access?
| alkonaut wrote:
| But that's the exact information I want to pass to
| someone?
|
| I'm not sure how else to give someone the information
| that person X has had vaccine Y, other than actually
| transmitting that exact information?
|
| Yes, it's (slightly) sensitive information. But if one
| decides that we want to have a system based on this exact
| information, and it had to be "offline capable", what are
| the options?
|
| > Do you really need to know the last four if all you
| really want to know is if the identified person should be
| granted access?
|
| If the requirements are that verifiers must themselves be
| able to decide which vaccines are acceptable, number of
| doses or time since last dose, and which issuers are
| allowed, then yes.
| jhoechtl wrote:
| The magic happens in the reader app.
|
| Does it have access to a passport ID? Image database?
|
| How is the one verifying the validity of the certificate
| supposed to check if it's actually the holder of the
| certificate standing in front to clear admission?
| fabian2k wrote:
| You show your photo ID, and the person that is checking
| looks if the name on your ID matches the name in the QR
| code. The reader Apps are dumb, they only show the content
| of the QR code and verify that the signature is valid.
| emteycz wrote:
| Yeah sure, how am I going to verify that, and what about
| my grandmother - I foresee many problems with doing that
| even as a programmer?
| Aaargh20318 wrote:
| Your grandmother is a bouncer at a club?
|
| Your granny doesn't need to verify this, these are used
| by employees of venues that want to limit access to their
| facilities to people who are either vaccinated or tested
| negatively.
| emteycz wrote:
| I'm talking about people like me or my grandmother who
| want to verify that the guard at a club uses an application
| that works fully offline and doesn't save any data - the
| QR code we're handing over contains our personal data and
| on top of that we're actually cryptographically verifying
| our whereabouts while using it, so I want to be
| absolutely sure the government doesn't have access
| directly without a court order. // yes I have had a real,
| serious problem with the government using data it got for
| other purposes against me for its own gain (I won the
| court, but it nearly destroyed my life and I'm still not
| where I was before and won't be for a long time).
|
| I'm pretty sure the guard doesn't give a flying fuck
| about my personal information, just like the programmers
| - so how do I verify myself? Or am I to stay at home
| forever if I care about my privacy? The EU said very
| different things about these issues, is that forgotten
| now? The same goes for the other identity-related EU
| initiatives, where did all the talk about privacy go? Was
| it just propaganda, because it certainly seems so now, as
| there are so many so obvious loopholes it can't be an
| accident?
| Deukhoofd wrote:
| Check name, compare with identification, and done? Most of
| the EU has an identity document.
| markus92 wrote:
| The person reading can use their eyes to read a
| passport/photo ID ;) You don't need an app to do that.
| jeroenhd wrote:
| Many forms of ID also have some form of NFC/RFID to read
| out data wirelessly. I don't know why you'd buy something
| to do it automatically, but you totally could.
|
| You'd still end up comparing a picture to someone's face,
| though, so you can't really remove the middle man without
| going into some dangerous facial recognition tech.
| Kwantuum wrote:
| Your id does not contain a cryptographically signed
| vaccination status, which this is.
| avianlyric wrote:
| You know it's possible to carry ID and this QR code at
| the same time
| flotzam wrote:
| Name+DOB in digital form is more than enough to track people,
| even with an offline verification process: We can expect that
| any number of "interested parties" will attempt to get access
| to the computer systems of venues operating these QR code
| scanners, or of their suppliers.
|
| Having someone at the door look at a paper ICVP and a photo
| ID with their analog eyes has _much_ better privacy
| properties. (Still bad though.)
|
| https://en.wikipedia.org/wiki/International_Certificate_of_V...
| supermatt wrote:
| They are still using their "analog eyes".
|
| The verifier app is a dumb app that simply verifies the
| signature of the QR code payload and displays the relevant
| info on screen, which they look at with their analog eyes
| and compare to the photo id. The only network activity
| and/or storage is related to downloading the public keys of
| the issuing authorities.
|
| Source code is available on github.
| flotzam wrote:
| My point was that once you make that data machine-
| readable, it's not good enough to have privacy-by-policy
| of not storing it - IT security being what it is.
| bellyfullofbac wrote:
| Ah, the threat of the imaginary hackers ("interested
| parties").
|
| The QR code scanners will probably just be the official app
| installed on smartphones the venue will need to supply to
| the security personnel. Who's going to hack this? Banks can
| already track your credit card payments to figure out your
| profile, Google can track your location through your phone.
| Russian, Chinese or North Korean hackers probably don't
| care about where you spend your evenings.
| flotzam wrote:
| > Ah, the threat of the imaginary hackers
|
| "The imaginary is that which tends to become real" -Andre
| Breton
|
| > Banks can already track your credit card payments to
| figure out your profile, Google can track your location
| through your phone.
|
| For people who don't even avoid these easily defeated
| tracking vectors (with cash and de-googling), sure,
| vaccine passport tracking won't make a big difference.
| [deleted]
| bellyfullofbac wrote:
| Groan, "let me put a random name to some saying to
| justify my actions"...
|
| Just because you can find a quote you think is profound
| and attach a name to it, doesn't justify super-paranoia.
| Do you get out of the house, or are you avoiding the
| virus? Life's about judging risks and benefits, and IMO
| you're way overblowing the risk of these hackers. What
| Andre Breton thinks is irrelevant.
| supermatt wrote:
| Pretty sure the complaints were about allowing wechat/alipay
| and gov/police to track you and your health status. There was
| no transparency in what was stored/transmitted, whereas here it is
| all documented. It's a static QR code you can carry, rather than
| an app that does a lookup and phones home. The reader app only
| verifies the signatures used to sign the (limited) id info,
| doesn't send info back to the mothership, etc.
| rjzzleep wrote:
| No, actually the complaint was that a central authority
| could, under the pretext of some obscure rule, forbid you
| access to certain or public services. The same concept
| applies here, whether it's open source or not.
| supermatt wrote:
| Pretty sure the complaints were as I mentioned - feel free
| to give links to the other discussions.
|
| The "central authority" already do forbid you from
| accessing certain or public services for the same rules -
| only you need to provide the relevant paper documents. This
| is effectively the paperless version thereof.
|
| You may personally disagree with the concept of proof of
| vaccination, but that's completely aside from the technical
| discussion we are having here.
| justinmchase wrote:
| It's not an aside, it's centrally related. The technical
| version of the app enables the problematic activity to
| scale and thus the moral and ethical implications are
| centrally related to the technical implementation.
| mbesto wrote:
| > are centrally related to the technical implementation.
|
| You mean just like a centrally fabricated ID card that's
| used for entering an airport, making certain purchases,
| verifying ID for a CC purchase, entering the country,
| etc?
| miohtama wrote:
| Would you be happier by checking equivalent paper
| printouts, check done by hand?
| ajsnigrutin wrote:
| What public service does the government forbid me to
| access without my papers (except the ones where the
| document is needed to charge the state for the service -
| eg. medical stuff)?
|
| Just a year ago, saying that the governments will require
| you to produce a "vaccination passport" to enter a
| restaurant was laughed at as a crazy conspiracy theory,
| and currently, the difference between a "crazy conspiracy
| theory" and "reality" is about 6-12 months.
| supermatt wrote:
| "certain or public services" was the phrase the parent
| used. I just said the same rules apply as before. Maybe
| you are better off asking them for examples.
| neither_color wrote:
| We're not over it, the discussions were consistently buried
| and we skipped that part to "here's how the new QR systems
| work" to give the illusion of consent. They didn't even
| bother manufacturing consent this time. There was no
| healthy public discourse on it, just some states/countries
| banning them pre-emptively and some states taking for
| granted that you would accept it.
| Spooky23 wrote:
| Requirements for public health aren't new.
|
| Most countries, for example, require vaccination for
| contagious diseases for a variety of public functions like
| attending school. The need to validate vaccination status
| for functions like boarding airplanes or attending large
| stadium events is just common sense, as certain populations
| are refusing vaccination for mostly irrational reasons.
|
| These digital credentials allow people to conveniently
| provide this documentation in a reliable way.
| logicchains wrote:
| >refusing vaccination for mostly irrational reasons
|
| Depending on age and condition the risk to an individual
| can vary from one in ten million to under one in a
| hundred. In your mind, what is the risk that an
| individual must face from covid to make it rational to
| take a novel treatment with no long-term safety data that
| hasn't passed the standard FDA approval process? In any
| other context, would people here be so confident that
| there's a less than one in ten million risk from a novel
| MRNA treatment?
| WC3w6pXxgGd wrote:
| Saying something isn't new doesn't mean it's good.
| logicchains wrote:
| >certain populations are refusing vaccination for mostly
| irrational reasons.
|
| It's not irrational for people to be cautious about a new
| treatment for which there's absolutely no data about
| long-term safety (can't know the 2-3 year effects of
| something that's only been around one year), which has
| bypassed normal treatment approval processes (the covid
| vaccines only have FDA emergency use authorisation, and
| have not yet passed the requirements for full FDA
| approval, requirements which are strict for a reason),
| for which some previous attempts have failed
| significantly
| (https://pubmed.ncbi.nlm.nih.gov/22536382/), to prevent a
| disease that for many people has less than a 1/100,000 to
| 1/1,000,000 fatality rate
| (https://www.medrxiv.org/content/10.1101/2020.05.17.20097410v...),
| ten to a hundred
| times less dangerous than giving birth.
| psychometry wrote:
| Know what else we don't know the 2-3 year effects of?
| Fucking Covid-19. Unlike the vaccine, that one actually
| has a decent chance of killing you.
| anshorei wrote:
| Yes, and I'll take any reasonable precaution I can to
| avoid getting COVID: social distancing, wearing a mask,
| regularly using disinfectant, working from home, etc.
|
| The choice isn't between the vaccine or COVID.
| fabian2k wrote:
| The vaccines have regular approval in the EU by the EMA,
| the US approval is the odd case here. And there is no
| reason to expect a significant risk for side effects that
| only appear after several years, for vaccines they
| generally appear reasonably close to the date of the
| vaccination.
|
| And you're seriously downplaying the risks of COVID-19
| here, of course it is relatively harmless for very young
| people. But it is seriously dangerous for a large part of
| the population that is older.
| logicchains wrote:
| >And you're seriously downplaying the risks of COVID-19
| here, of course it is relatively harmless for very young
| people. But it is seriously dangerous for a large part of
| the population that is older.
|
| It's not only "very young" people. Did you look at the
| link I provided? For people 20-30, it's around one in a
| hundred thousand. For people 30-50, it's around one in
| ten thousand (similar to giving birth). When someone's
| making a rational decision, it's with regard to their
| individual risk; the risk of covid to an eighty-year-old
| is irrelevant to a twenty-year-old deciding whether to
| take the vaccine, especially given the vaccine doesn't
| prevent them infecting others if they get it (see this
| data from the Singapore government: https://covid.viz.sg/).
|
| >for vaccines they generally appear reasonably close to
| the date of the vaccination.
|
| The MRNA vaccines are quite different from normal
| dead/live virus vaccines and have never been used at
| scale.
| johncolanduoni wrote:
| > The MRNA vaccines are quite different from normal
| dead/live virus vaccines and have never been used at
| scale.
|
| Their closer relative, the viral vector vaccines (like
| J&J's), have been. You're right about calculating risk,
| but when's the last time a vaccine in normal, longer term
| stage three trials resulted in a higher fatality rate
| than COVID (for any age group)? The link for the SARS
| vaccine candidate was a failure that was caught in a
| mouse model, which unsurprisingly they also did with the
| new vaccines before the human trials started. To echo the
| parent comment, these were immediate side effects on
| challenge (which would likely have been caught in stage 2
| trials even if they only happened in humans and not in
| animal models).
|
| If we want to go with unusual reactions that only show up
| over time, what about the chance that whatever long term
| side effect you're imagining from the vaccines instead
| happens for people who have been infected with COVID 5
| years from now? Once you decide to make decisions based
| on rare and novel events with unquantifiable risks,
| you'll find they show up absolutely everywhere if you're
| being intellectually honest.
|
| > given the vaccine doesn't prevent them infecting others
| if they get it (see this data from the Singapore
| government
|
| That data's N is a little low, but let's take it
| seriously for a moment. The vast majority of vaccinated
| people in that dataset did not go on to infect others,
| and none of them were epicenters for super-spreader
| events. Eyeballing it, it's consistent with a sterilizing
| immunity in excess of 80%. If the vaccines turn out to be
| that effective at preventing transmission, that's an
| _excellent_ outcome (it is higher than most vaccines).
| klapatsibalo wrote:
| The thing about covid is that you can't consider just the
| individual risk, you have to also think about the fact
| that this is contagious, so if you don't actively try to
| stop it, it will kill many more people.
|
| So yes, chances are I wouldn't die if I didn't vaccinate,
| but chances are I would kill my grandma if I caught
| covid.
| mardifoufs wrote:
| Wouldn't she be vaccinated at this point? And if we
| assume some people can't be vaccinated for health reasons
| and that we have to take the vaccine to protect them...
| Isn't it pretty awful that they will be denied access to
| most public places because they don't have a vaccination
| proof?
| logicchains wrote:
| If anything, it's irrational that people who would
| normally refuse to take a novel treatment that has not
| passed standard FDA approval procedures would suddenly
| decide to take it just to minimise a one-in-a-hundred-
| thousand risk, a risk lower than many other risks people
| usually take like giving birth and driving.
| mbesto wrote:
| > which has bypassed normal treatment approval processes
| (the covid vaccines only have FDA emergency use
| authorisation, and have not yet passed the requirements
| for full FDA approval, requirements which are strict for
| a reason),
|
| FDA approvals are largely based on the ability to provide
| reliable test cases. You literally have the largest test
| case known to human history. No amount of additional FDA
| testing is going to make that change.
|
| > to prevent a disease that for many people has less than
| a 1/100,000 to 1/1,000,000 fatality rate
|
| This figure is meaningless. We have a steady history of
| "excess deaths" and can predict what annual death rates
| are on average on a yearly basis. This number jumped
| significantly even with mask mandates, lockdowns, etc
| over the last 18 months:
|
| https://www.cdc.gov/nchs/nvss/vsrr/covid19/excess_deaths.htm
| ectopod wrote:
| Businesses have shown an enormous appetite for hoovering up
| personal information. Why are you sure that businesses won't
| use an alternative verification app that stores the names and
| dates of births, shares them with their marketing partners,
| etc.?
| distances wrote:
| GDPR. No legit company would take such a risk in EU, legal
| and PR ramifications would be massive.
| sipos wrote:
| The problem with the GDPR is that it is only as good as
| the authority enforcing it. There are complex rules (from
| memory about a third of the text, but it is a while since
| I read it all and this was the bit I was least interested
| in) on which authority is the one in question that means
| you can somewhat choose your authority, and some of them
| are not enforcing it at all. This is how Facebook and
| Google etc are able to do things that clearly violate it
| I think.
| teataster wrote:
| Maybe in your corner of the EU that's true. In mine GDPR
| is well regarded as a joke.
| tpm wrote:
| The moral high ground is that the EU Covid pass is basically
| only a convenience: the exercise of fundamental rights is
| untouched by this:
|
| > Will citizens who are not yet vaccinated be able to travel to
| another EU country?
|
| > Yes. The EU Digital COVID Certificate should facilitate free
| movement inside the EU. It will not be a pre-condition to free
| movement, which is a fundamental right in the EU.
|
| https://ec.europa.eu/info/live-work-travel-eu/coronavirus-re...
| ajsnigrutin wrote:
| No, it is not.
|
| You're basically given three options:
|
| - get vaccinated
|
| - get tested every 48 hours
|
| - intentionally infect yourself with covid
|
| Compare this to pre covid travel, and yes, it affects us
| greatly. Since pretty much all the countries have very low
| covid numbers, any such limitations are stupid.
| tpm wrote:
| > Compare this to pre covid travel
|
| No, don't. What we are talking here about is a Covid pass /
| QR code thing, not the pre-pandemic past.
|
| > Since pretty much all the countries have very low covid
| numbers, any such limitations are stupid.
|
| In just Europe, Russia and UK have horrible numbers
| right now, Portugal joining them. So no, you are wrong, I
| am sorry but the testing/vaccine/quarantine rules make
| sense and will make sense in the foreseeable future.
| ajsnigrutin wrote:
| But we're striving for the prepandemic way of life, not
| some alternate reality postapocalyptic videogame world.
|
| And, does this "EU Green Pass" work in UK or Russia?
| Because the "EU" implies EU only and the webpage[0] says
| that directly [1]
|
| [0] https://ec.europa.eu/info/live-work-travel-eu/coronavirus-re...
|
| [1] The EU Digital COVID Certificate will facilitate safe
| free movement of citizens in the EU during the COVID-19
| pandemic.
| tpm wrote:
| > And, does this "EU Green Pass" work in UK or Russia?
|
| No, UK/Russia are an example that we are not yet safe. In
| fact, the current numbers in Portugal are a direct result
| of influx of visitors from the UK who imported the Delta
| variant there.
|
| > we're striving for the prepandemic way of life
|
| Yes, as soon as the virus is not a big threat, we can
| resume the prepandemic way of life. If you look at the
| current numbers of people getting sick and dying from
| Covid, it should be clear we are not there yet. But the
| Covid pass is a part of normalizing the situation. I will
| travel in July to a vacation. I will carry the covid pass
| with me and as a result of that, I will not have to be
| tested (several times) or quarantined, despite traveling
| through several international (Schengen) borders.
| mardifoufs wrote:
| What a ridiculous statement, Europe doesn't need to
| import the virus or any of its variants when it's been a
| global hotspot for a year now. I guess it's nothing new
| though, contact tracing has been mostly used to shift the
| blame to an "outgroup" and seems to have worked in around
| 2 countries out of the hundred who tried doing it
| [deleted]
| input_sh wrote:
| Currently, each country does its own QR thing, a fair
| amount of which is just a link to some .gov.* website.
| Unifying it under one model makes sense. It makes it
| easier to verify and issue new EU QR codes. Otherwise,
| when presented with a proof, verifiers would have to know
| how to properly verify 20+ different QR codes.
|
| So we've got two realistic options: 1) non-EU countries
| teach people their own and the EU verification method, or
| 2) non-EU countries offer a way to "convert" EU QR scheme
| to their own at the point of entry.
|
| It's similar the other way around as well, because non-EU
| countries could either start issuing EU-compatible QR
| codes, or recipients could "convert" them to the EU-
| compatible QR code at the point of entry.
| 9dev wrote:
| That's nothing but a strawman. You don't have to get tested
| every 48 hours. You'll have to get tested if you intend to
| meet other people up close that you'd risk infecting with
| Covid, unless you're healthy. That's simply an assurance
| for all those that cannot get vaccinated, and a low price
| to pay for a controlled return back to normality, without
| sacrificing everything we've achieved over the last months.
| jansan wrote:
| A number of politicians have already declared that we need to
| become "more like China". Not sure what Soros' current position
| on this is, as he clearly warned of China's social credit
| score system in 2019.
| alkonaut wrote:
| > What exactly is the moral high ground we stand on?
|
| Umm that I elected the people who do this, and support it (or
| else I'd vote for someone else next time). The Chinese don't
| have that privilege.
| eplanit wrote:
| Freedom is the high ground. You can feel superior or safer in
| the knowledge that the government deploys strong tech to
| monitor and control you (in the name of public safety, of
| course) all you want.
|
| I'm vaccinated, the vaccine works, and I'm living accordingly.
| If a business wants proof, they don't get my business.
| avereveard wrote:
| you're comparing a signed certificate that exists locally with a
| credit score that continuously updates centrally and tracks your
| behavior across your social interaction with the government,
| third private entity and your peers
| kderbyma wrote:
| and both are terrible when used to stop and restrict people
| and discriminate.....both which are done blatantly and in the
| open yet no one cares.....I call you a mean word and I am bad
| guy....people are regarded..
| lettergram wrote:
| Look at these threads and how positive they're discussing this.
| Or how any dissenting opinion about a plethora of topics get
| you banned off social media or flagged to oblivion even on HN.
|
| If you take a 10,000 foot perspective I think you can recognize
| the west was conquered (without force). Our media (news, AMC,
| Hollywood, etc), are presenting a narrative (they call it
| that).
|
| Why do we need this passport? For safety from an illness that
| kills 0.5% (or less now) of people? We have vaccines,
| treatments, etc and vaccines seem very effective and protecting
| people.
|
| It's hard to watch tbh.
| kderbyma wrote:
| It's because we let them say opinions were more important
| than freedoms....that's that. once people drank the
| Kool-Aid....Jonestown was on....we are watching the suicide of
| our society in the name of progress......because to not
| progress is (enter fad strawman of the day - .... right now
| ultra right wing conspiracy....)
| benjaminwootton wrote:
| I agree. Seeing stuff like this take hold is both scary and
| tragic to me.
|
| It feels like a genuine turning point for our way of life
| when the government can control your life unless you have a
| brand new medical procedure which, with no hyperbole, can
| kill healthy people at no significant risk from the disease.
|
| I'm amazed how popular it seems to be here and the fact you
| have downvotes. This community likes to tear companies like
| Facebook apart but cannot see the risks and impacts of what
| we are doing here?
| logicchains wrote:
| I grew up in Australia, thinking Americans were crazy for
| their obsession with guns. In the past year my opinion
| changed completely, after seeing the US states with high
| gun ownership like Florida and Texas are some of the few
| places in the world where this authoritarianism hasn't
| taken hold.
| lettergram wrote:
| The US is a bit different than portrayed. Even in
| Illinois, most of the state is hard red. They have "2nd
| amendment sanctuary counties". Masking, gun laws, etc
| aren't followed in the country, even suburbs.
|
| Honestly, there's a good reason people in Illinois
| believe their elections are stolen (there's lots of
| historic proof). It's an open secret that the democrats
| steal the state. If you ask around, almost everyone
| believes it.
|
| To be fair, Illinois has jailed a significant number of
| governors lol
| ryandrake wrote:
| I'm amazed at the amount of discussion, period. The article
| factually laid out the small amount of information encoded
| in the QR code, walked through the data format, and showed
| it to be pretty minimal and well-designed. No URLs, no
| hidden trackers, no evil ad salesman selling your browser
| history. Yet here we are at the #1 spot on HN and almost
| 400 comments. Full of conspiracy theories, COVID-
| downplayers and anti-vaxxers. I'm trying to connect the
| dots between a QR code and the New World Order, and I'm
| coming up empty. I thought HN was above this and wish this
| stuff could stay on Facebook and Twitter.
| mardifoufs wrote:
| > I'm amazed at the amount of discussion, period. The
| article factually laid out the small amount of
| information encoded in the QR code, walked through the
| data format, and showed it to be pretty minimal and well-
| designed. No URLs, no hidden trackers, no evil ad
| salesman selling your browser history. Yet here we are at
| the #1 spot on HN and almost 400 comments. Full of
| conspiracy theories, COVID-downplayers and anti-vaxxers.
| I'm trying to connect the dots between a QR code and the
| New World Order, and I'm coming up empty. I thought HN
| was above this and wish this stuff could stay on Facebook
| and Twitter.
|
| No one cares about the qr codes themselves and I think
| you are willingly ignoring the main point. The problem is
| that you need to show a government issued "pass" to
| access almost any public space. You may be okay with that
| but please don't pretend it's nothing new and it's always
| been like that. Asking for a digital certificate to live
| your life normally is unprecedented, but I guess at least
| it's not ads? Who talked about that anyways, can't both
| things be bad? I guess what the NSA does is alright since
| it's unrelated to a new world order or ad tracking?
|
| As for antivaxxers or covid downplayers, Imo pretending
| this whole apparatus is needed is the real anti vaxxer
| position. The vaccines work, and if someone doesn't want
| to take them the risk is on them. Downplaying covid now
| is the pro vax position, while yours implies vaccines
| barely work so we need precedent setting measures like
| these. I mean the comment that started this subthread is
| literally saying that vaccines work so the straw man you
| are building is absurd
| Twixes wrote:
| We need this passport so that we maximize the potential of
| vaccines and minimize that of virus mutations. I say this
| selfishly: I want to travel and when the risk that visitors
| will bring a supertransmissible virus deadly to the
| population is high (and 0.5% is a shitton of people), we'll
| again have lockdowns and we'll be sitting at home. I don't
| want any of that. That's why I got vaccinated and I'm happy
| to have a way of proving that it's very unlikely for me to
| bring crap that will kill people down the line
| reedjosh wrote:
| > we'll again have lockdowns
|
| Enforced by an out of control government.
|
| This is such a funny argument. In my ears it rings as "We
| need to comply with our abusers so they'll stop abusing
| us."
| Twixes wrote:
| In what world is stopping a deadly disease that also
| paralyzes healthcare _for everyone_ abuse? The virus is
| abusing us, that's for sure. Unfortunately it doesn't
| quite adhere to law, otherwise tens of thousands of
| people more would still be alive in my country. The only
| way to stand up to a force of nature like that is to
| stick to some common sense rules as a society, like
| "let's avoid crowds" or "let's all get vaccines".
| reedjosh wrote:
| > a deadly disease that also paralyzes healthcare
|
| VS.
|
| a tyrannical government that is ever encroaching on our
| freedoms using scare tactics.
|
| It used to be terrorism.
|
| I suppose we're both kinda motivated by fear here, I'm
| just way more afraid of losing my freedoms than I am
| COVID.
|
| The same messaging system that brought us the `terror
| meter` and pegged it to red
|
| https://www.activistpost.com/wp-content/uploads/2015/10/terr...
|
| is providing similar hyperbolic messaging about COVID.
| Twixes wrote:
| Terrorism very broadly kills a couple hundred people a
| year in the developed world, and has been around that for
| a long time. Obviously it's a bogus excuse most of the
| time.
|
| Meanwhile, this particular virus has correspondingly
| killed _~10 000 times_ more people. That is not
| hyperbole. That's not even comparable to terrorism, much
| more like a war instead.
| reedjosh wrote:
| How many people died of the flu this year?
| skocznymroczny wrote:
| There isn't, it's just that western governments needed an
| excuse in form of a 'pandemic' to implement the same measures.
| kderbyma wrote:
| It went from conspiracy theory to fact....like everything else
| coincidental about this virus and pandemic.....
|
| ID2020 anyone? remember that was always the plan.....
| 9dev wrote:
| What exactly are you hinting at?
| kderbyma wrote:
| Generally speaking - I am suggesting that there was a
| coordinated effort to utilize the pandemic in order to
| better ID and track outside of the traditional means (ie.
| advertising to consumers) - they need to fix the ID problem
| so to speak (ie...online anonymity) - they want to final
| mile everything.....so they can fully track everything.
|
| The pandemic was the perfect opportunity - so they
| coordinated between big tech and government to setup more
| and more tracking systems - Apple and Google knew ahead of
| time, just like the politicians and CEOs who ran before the
| announcement with buckets of share sales....
|
| And then there is the solidarity and collective front to
| ensure that no dissent was heard (ie...fact checkers) and
| cartel like collusion between platforms to silence and
| coordinate news.
|
| Then there is the fact that they have managed to make
| health and science immune to the forces of criticism and
| public disclosure....
|
| or how about the media sucking at the tit of big tech for
| years trying to get at that sweet sweet ad nectar....
| [deleted]
| fortran77 wrote:
| Is the California state QR code compatible?
| hedora wrote:
| How is this not a privacy nightmare? It has name and date of
| birth in it.
|
| The California version will certainly be used to generate
| databases that will be fed to marketers.
| JBorrow wrote:
| Well a lot of venues ask to see your ID to verify your age for
| entry. How is this any different? It's not like it contains any
| contact information.
| codeecan wrote:
| I think if every time you went to a venue, they would
| photocopy your ID, nobody would visit that venue.
|
| The doorman is not remembering/recording every person who
| came in, that's the difference.
| JBorrow wrote:
| But they are through CCTV
| mmcnl wrote:
| What's stopping people from robbing you at gunpoint? The law.
| GDPR is specific about consent and the purpose of collecting
| data. It's simply illegal to feed the data to marketers.
| slipframe wrote:
| If somebody robs me at gunpoint, I immediately know it
| happened. I can report it to the police, who will take the
| report seriously. If the police catch the guy (which is
| likely if he's a serial offender), the prosecutor will take
| it seriously. If convicted, the offender will go to prison
| for years.
|
| If a company violates privacy laws, I will not immediately
| know it happened. If I don't know it happened then I can't
| report it to the police, but even if I did, the police
| probably won't take it seriously. And prosecutors going after
| corporations? Even if that happens it will doubtlessly take
| many years for the court case to reach any conclusion. If
| convicted, the corporation will receive a fine that is a
| fraction of what it would take to put them out of business.
| The executives won't go to prison.
|
| The practical differences between these two scenarios are
| substantial.
| alkonaut wrote:
| Companies aren't allowed to keep that data in the EU. I thought
| California had something similar to GDPR? In any case, it's the
| minimum amount of information required for the task, and it's
| at least (hopefully) for a limited time.
| nomercy400 wrote:
| In my country, there have been awareness campaigns about not
| giving out our passport or copies of our passport, as it contains
| our Social Security Number, biometric fingerprints, and other
| information that can be used to create a profile and impersonate
| a person.
|
| This links 'a person' to 'a piece of health information'. Imagine
| what you or any data platform could do with that (big) data.
|
| Imagine that you are only allowed to visit certain countries
| based on your vaccination status. Advertising agents of tourist
| and traveling agents would love to get their hands on that
| information, to create a better profile of you. Maybe Google
| could even make a FLoC of 'COVID-19 vaccinated people'.
|
| Imagine that one year from now, one of the vaccines is known to
| cause health issue X, which would require over-the-counter
| medication Y. Advertising companies would love to know exactly
| what vaccines you have received, to add to their 'profile'. and
| would go to great lengths to get this information (create their
| own 'reader app' and supply this to events).
|
| Here we hide personal health information in a QR code and are
| expected to give random strangers 'consent' to this personal data
| to gain 'access' to a venue or 'service'.
|
| Sounds awfully lot like a cookie consent-popup, which the EU is
| so actively trying to prevent through legislation.
|
| Do you really need to link 'a person' to 'a vaccine profile'?
| Isn't it enough to link 'a person' to 'can access this
| service/venue according to local laws?'.
|
| In software development, you separate authentication and
| authorization. The authentication part is 'are you who you say
| you are', the authorization part is 'are you allowed to access
| this resource'. For authorization, you don't send the full list
| of all roles/permissions of this user for all authorized
| applications, you send a true/false based on the question
| canAccess(resource)? Otherwise a 'hacker' might find he has no
| permissions using the current authenticated account to resource
| A, but conveniently has full permissions to resource B.
|
| You wouldn't give a random webshop access to your Bank Balance
| and history, would you? Your bank should only tell them 'transfer
| of X dollar is approved'.
| cr1895 wrote:
| >Imagine that you are only allowed to visit certain countries
| based on your vaccination status.
|
| We don't need to imagine this scenario, because it has long
| been the case for certain countries with yellow fever checks,
| TB checks, etc.
|
| The difference now is that the restrictions are perhaps much
| more widespread.
| nomercy400 wrote:
| The difference now is that this information is being made
| digitally available outside of a personal health dossier.
|
| I have an international vaccination passport, paper-based,
| which is only shown to a customs officer of the country I am
| visiting. This has been 'good enough' to enter countries with
| vaccination requirements up until now. It has not been copied
| or entered into a computer system.
| cr1895 wrote:
| I agree with you that I wish the yellow card was "good
| enough." It is for some countries like Germany and Iceland.
| damagednoob wrote:
| > Imagine that you are only allowed to visit certain countries
| based on your vaccination status.
|
| How is this different from the uncontroversial practice of
| requiring yellow fever vaccinations when travelling to certain
| African or South American countries?
| nomercy400 wrote:
| The difference now is that this information is being made
| digitally available outside of a personal health dossier.
|
| When traveling to African or South American countries, you
| have to show proof to a public immigration agent. I have an
| international vaccination passport, on paper, which has been
| 'good enough' to provide this proof. My health dossier is not
| publicly accessible.
|
| Currently, this check is
|
| - looking at a piece of paper for the correct stamps,
|
| - performed by a public immigration officer,
|
| - upon entering a country.
|
| With this QR code, I now put this check into the hands of
|
| - any QR code 'reader' app,
|
| - on a Google or iOS platform,
|
| - which can be connected to the internet,
|
| - performed by private companies (venue/event/organizer)
|
| - upon entering a variety of locations.
| Pyramus wrote:
| Is there any indication that the WHO vaccination passport
| will stop to be good enough?
|
| It seems to me this is just a question of convenience.
| Mediterraneo10 wrote:
| The WHO yellow fever certificate is not digital, it is just a
| piece of paper. Plus, many of the countries which ostensibly
| require it don't check it carefully or at all (and in West
| Africa, it is not unusual for the soldier checking it to be
| illiterate and unable to actually grok the details on it).
| So, this old-school vaccine proof doesn't pose the risk of
| being used for ad targeting that worries the GP.
| Pyramus wrote:
| Yes, in rare cases that might happen but in general that
| sounds like a trope. In fact, I've heard stories of people
| being denied entry and also getting vaccinated on arrival
| in a back room at the airport, which is as dodgy as it
| sounds.
|
| Do you speak from experience?
| Mediterraneo10 wrote:
| Yes, I speak from repeat personal experience in both
| Africa and South America. That checking of the
| certificate in South America has dwindled is well known.
| Sure, some people may have bad luck, but there is a
| reason that many holidaymakers are no longer even aware
| that there is a rule on the books.
|
| The certificate is commonly checked in Africa, but as I
| said, often the official on the border checking it is not
| capable of understanding the details - they just look for
| the paper with the familiar color and logo. Also, it has
| been common for travelers unable to get the yellow fever
| vaccine in their home country (historically supplies in
| Eastern Europe have been scarce, for instance) to simply
| forge the certificate, which is easily done. The WHO is
| aware that some amount of certificates will be forgeries,
| but nevertheless believes that the policy of requiring
| vaccination will be enough to reduce the risk of
| outbreaks.
| bluefox wrote:
| Great tool for fascism.
|
| But hey, tech seems legit.
| JakaJancar wrote:
| Nice to see government tech that's well-designed and a positive
| article about it.
|
| Clicking the link, I must admit I was expecting a privacy or
| security disaster. We should highlight the good stuff more often.
| est wrote:
| > tech that's well-designed
|
| The only criticism I can think of, is the QR code is too "fat".
| It would have scanning difficulties in low-light conditions,
| especially QR readers with cheap cameras with low ISO
| tolerance. The Base45 encoded bytes should be cut at least by
| half to make fast scanning possible.
| radicalbyte wrote:
| We've tested it extensively and, on modern hardware it's very
| easy to scan from a screen.
|
| The paper version is less good as paper bends..
| dirkx wrote:
| It was tested pretty extensively (and was already in use in
| public transport) -- including tests in muddy fields @
| festivals with bad wifi and bad light.
| marcoc wrote:
| Do you have a source for this information?
| kiallmacinnes wrote:
| It's about as thin as it can be, given the requirements for
| offline validation, and the environment it's designed for
| (airports / other national borders etc).
|
| Nobody wants every verification resulting in a ping back to
| some central server doing who knows what.
| kolinko wrote:
| Low-light might not be an issue for people who will show the
| code on a mobile device. At least in Poland the code is
| available through the government id iphone/android app. Some
| people may print it, but most will probably just use the app.
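How much of the QR code's size comes from the Base45 layer mentioned in this subthread, as an added example that is not from the article or the certificate project: Base45 (RFC 9285) uses exactly the QR alphanumeric character set, so the comparison is against the same bytes sent as Base64 in QR byte mode. The 300-byte sample payload is constructed, and QR mode and length headers are ignored.

```python
import base64

# Base45 alphabet from RFC 9285; it is exactly the QR alphanumeric character set.
B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"


def b45encode(data: bytes) -> str:
    """Encode bytes as Base45: 2 bytes -> 3 chars, a trailing byte -> 2 chars."""
    out = []
    for i in range(0, len(data) - 1, 2):
        n = (data[i] << 8) | data[i + 1]
        e, rem = divmod(n, 45 * 45)
        d, c = divmod(rem, 45)
        out += [B45[c], B45[d], B45[e]]  # least significant digit first
    if len(data) % 2:
        d, c = divmod(data[-1], 45)
        out += [B45[c], B45[d]]
    return "".join(out)


def b45decode(text: str) -> bytes:
    """Decode Base45, rejecting input a strict verifier should not accept."""
    if len(text) % 3 == 1:
        raise ValueError("invalid Base45 length")
    try:
        vals = [B45.index(ch) for ch in text]
    except ValueError:
        raise ValueError("character outside the Base45 alphabet") from None
    out = bytearray()
    for i in range(0, len(vals), 3):
        chunk = vals[i:i + 3]
        n = sum(v * 45 ** k for k, v in enumerate(chunk))
        # A 3-char group must fit in 2 bytes, a 2-char tail in 1 byte.
        limit, width = (0xFFFF, 2) if len(chunk) == 3 else (0xFF, 1)
        if n > limit:
            raise ValueError("Base45 group does not fit its byte width")
        out += n.to_bytes(width, "big")
    return bytes(out)


def qr_alnum_bits(text: str) -> int:
    """Data bits in QR alphanumeric mode: 11 per character pair, 6 for a leftover."""
    return 11 * (len(text) // 2) + 6 * (len(text) % 2)


def size_report(payload: bytes) -> dict:
    """Bits of QR data needed to carry `payload` under each text encoding."""
    b45 = b45encode(payload)
    b64 = base64.b64encode(payload).decode("ascii")
    return {
        "payload_bits": 8 * len(payload),
        "base45_alnum_bits": qr_alnum_bits(b45),
        "base64_byte_bits": 8 * len(b64),  # Base64 has lowercase, so byte mode
    }


# Constructed stand-in for a compressed, signed certificate payload (300 bytes).
SAMPLE = bytes(i % 256 for i in range(300))

if __name__ == "__main__":
    report = size_report(SAMPLE)
    for name, bits in report.items():
        ratio = bits / report["payload_bits"]
        print(f"{name:>18}: {bits:5d} bits ({ratio:.3f}x)")
```
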
| hanoz wrote:
| Not long ago this kind of technology and anyone working on it
| would have been given a pretty rough ride on this forum, no
| matter how well designed. Now it's those raising concerns who
| are being hounded out with down-voting. How times have
| changed.
| y04nn wrote:
| So now, bar/restaurant owners can reliably track their
| customers: age/name, how often they come in each branch. Large
| franchise would also be able to track where and how often their
| customers travel and what they eat. I think this is real
| privacy issue. If you want to store the data, please anonymize
| it first, at least when it leaks it would be a lesser privacy
| disaster.
| sltkr wrote:
| In the EU, using this data to track customers would be
| illegal. That doesn't mean it can't happen, of course, but it
| should deter particularly large franchises from abusing this
| data.
|
| In the US, bars often ask for photo ID to verify that
| customers are old enough to be served alcohol. That doesn't
| seem to lead to widespread customer tracking.
| radicalbyte wrote:
| Usage is explicitly limited by the EU law:
|
| https://eur-lex.europa.eu/legal-
| content/EN/TXT/?uri=CELEX%3A...
|
| Article 10
|
| Protection of personal data
|
| 1. Regulation (EU) 2016/679 shall apply to the processing
| of personal data carried out when implementing this
| Regulation.
|
| 2. For the purpose of this Regulation, the personal data
| contained in the certificates issued pursuant to this
| Regulation shall be processed only for the purpose of
| accessing and verifying the information included in the
| certificate in order to facilitate the exercise of the
| right of free movement within the Union during the COVID-19
| pandemic. After the end of period of the application of
| this Regulation, no further processing shall occur.
|
| 3. The personal data included in the certificates referred
| to in Article 3(1) shall be processed by the competent
| authorities of the Member State of destination or transit,
| or by the cross-border passenger transport services
| operators required by national law to implement certain
| public health measures during the COVID-19 pandemic, only
| to verify and confirm the holder's vaccination, test result
| or recovery. To that end, the personal data shall be
| limited to what is strictly necessary. The personal data
| accessed pursuant to this paragraph shall not be retained.
| y04nn wrote:
| Thanks, it makes the limits of the processing much
| clearer and should stop some start-up to develop a custom
| QR code scanner/app that would generate some customers
| analytics.
| pigeonhole123 wrote:
| It seems it does: https://onezero.medium.com/id-at-the-
| door-meet-the-security-...
| TedDoesntTalk wrote:
| > bars often ask for photo ID to verify that customers are
| old enough to be served alcohol.
|
| 1. This is a subset of all customers so it is not as useful
| as all customers
|
| 2. I've never seen a bartender or waitress scan my photo ID
| or record the data on the ID; without that it isn't highly
| unlikely the data is being stored.
|
| Your comparison is just not valid.
| hamandcheese wrote:
| There are some bars in Sacramento, CA that not only scan
| your ID, but scan your face, and use facial recognition
| to match you with previous scans, ostensibly to make sure
| you aren't sharing an ID with someone underage.
|
| It is extremely creepy.
| sunshineforever wrote:
| There's a gas station store that does this in Portland
| OR. They have a facial recognition camera at the door
| that scans each person to enter the store after sundown.
| BurningFrog wrote:
| I have a lot of sympathy for people working late night in
| crime prone jobs.
| ccn0p wrote:
| time to avoid those bars. extreme oversight to ensure a
| 20-year-old doesn't drink. but hey at least the same
| 20-year-old can drive a car, vote for our public
| officials, and join the armed forces.
| yread wrote:
| and buy a gun
| excitom wrote:
| Ever go to a cannabis shop in California? Your driver's
| license is scanned. I don't know about the facial
| recognition part, but it wouldn't surprise me.
| TedDoesntTalk wrote:
| Great! But I think we're talking about bars and
| restaurants.
| hungryforcodes wrote:
| I don't get the downvotes here - these are two good
| observations.
| jdavis703 wrote:
| Probably because it seems like personal experience. I can
| say most of the bars I go to check everyone's ID,
| regardless of age. And there are a couple near me that
| scan IDs in to some system (allegedly so they can ban
| unruly customers.)
| hungryforcodes wrote:
| Surely this is down to regional variation. I go into bars
| all the time in Canada and no one ever IDs me.
| ccn0p wrote:
| why has this been downvoted so much? what's false about
| these two statements? Should he/she have added "in my
| experience"?
|
| In my experience, both statements are accurate.
| vianneychevalie wrote:
| I disagree with you. I have regularly had my ID scanned,
| in some bars systematically (all customers). Although
| only in the UK.
| godelski wrote:
| > In the US, bars often ask for photo ID to verify that
| customers are old enough to be served alcohol
|
| If I saw the person pull out a notebook and write my
| information down I would physically take my ID back and
| walk away. I'm pretty sure most people would be put off by
| this action.
| flutas wrote:
| How about if they put it in a machine that verifies it as
| legit, but also just so happens to scan it in to a DB.
|
| I've seen this exact setup before, in an entrance to a
| club, but no one seems to care.
| godelski wrote:
| I mean now we're getting into human psychology. You're
| right that people don't care as much but I'd argue that
| they don't really understand what is happening and how
| that data is used.
|
| I'd wager that the vast majority of people think the
| machine only checks if the ID is valid and doesn't do
| anything else.
| quitethelogic wrote:
| I would be put off by it as well, but good memory and
| cameras are harder to spot, so the lack of a notebook
| doesn't offer much protection.
| baud147258 wrote:
| large franchise can already do that with customer fidelity
| programs anyway...
| y04nn wrote:
| They do, but you can opt out, here the check is mandatory,
| the same for paying by credit card, you can use cash.
| dirkx wrote:
| This is meant for traveling. Countries like the Netherlands
| use Zero Knowlege proof based solutions for domestic use.
|
| To exactly prevent this from happening.
| BurningFrog wrote:
| Even if you care about this, it's only used during the
| current Covid restriction phase. In 1-2 years at the most*
| any investment in such a tracking scheme will be obsolete.
|
| * Famous last words, I know
| gillesjacobs wrote:
| Then why specify a field in the format for "targeted
| diseases"?
| _ph_ wrote:
| An almost uncharacteristic case of reason and foresight.
| We are currently worried with Covid-19, but considering
| all the variants already present, let's just hope that
| there isn't a Covid-22. In any case, as soon as there are
| dedicated vaccinations against the variants, it is very
| likely that there is need for more fine-grained tracking.
| That is probably also the reason they include the
| vaccines used in the data set.
|
| And even if we don't have the need to check for our
| vaccination state when going to restaurants soon enough,
| it would be good if those certificates could be used to
| track any other vaccination you get. Just as the
| replacement or digital alternative for the usual yellow
| vaccination booklet. It would make checking your
| vaccination status for your doctor much easier than
| trying to decipher what a colleague has scribbled many
| years ago.
| pftburger wrote:
| The system is actually comprised of two apps, CovPass and
| CovCheck.
|
| Both are in the repo.
|
| The check app validates the pass in-app, and, as far as I can
| tell, doesn't phone home or report any data. IE there is no
| logging of the scanned person's data
| DeusExMachina wrote:
| And what prevents the checker from taking screenshots or
| recording the screen to harvest the data later?
| mmcnl wrote:
| It's illegal due to GDPR.
| 34679 wrote:
| The same thing that prevents them from stabbing you and
| taking your money. It's illegal and wrong.
| torgard wrote:
| For one thing, GDPR. It's illegal.
|
| Apps can also be configured to prohibit (or at least make
| it harder to make) screenshots/screen-recordings. It can of
| course be circumvented, but still. It's illegal.
|
| I would consider it as safe as showing my ID to a
| bartender/bouncer. Safer, even, as they don't get as much
| data.
| moron4hire wrote:
| Mah dude, they're already doing that from your credit card
| information.
| zaarn wrote:
| GDPR Breach, plain and simple. No franchise would risk
| storing and leaking what amounts to medical records (since
| that is the source) in front of a GDPR Watchdog. Pretty sure
| you'd get the hammer if you did that.
|
| Either way, the official apps that let you check the record
| do not allow tracking, only verification. The simple solution
| is that if you don't see them using the official app, simply
| leave.
| michaelt wrote:
| _> the official apps that let you check the record do not
| allow tracking, only verification._
|
| So why are name and date of birth included in the QR code?
| bigiain wrote:
| I would guess so that they can use more traditional ID
| (like a drivers license) to confirm the vaccine record is
| yours.
| mtmsr wrote:
| Because you need a way for the pub to authenticate that
| this is indeed your qr code (matching your id)
| Mediterraneo10 wrote:
| The EU standard was developed for the purposes of
| avoiding additional quarantine or testing during cross-
| border travel, not going to pubs within one's own
| country. For domestic use of proof of COVID vaccination,
| some countries developed their own internal standards
| alongside the EU standard.
| solarexplorer wrote:
| To check with your passport/id card that this is your QR
| code and not someone else's...
| fsw wrote:
| To compare it with name and DOB in the government ID.
| [deleted]
| nottorp wrote:
| I don't think name and date of birth are enough for
| identity theft anywhere in Europe...
| gpvos wrote:
| _> The simple solution is that if you don't see them using
| the official app, simply leave._
|
| It'd be easy to make something that looks like the official
| app but does store the information, especially if that app
| is open source (is it?).
| libertine wrote:
| That's beyond the point of GDPR, even if they collect the
| data illegally the value would be to reach the person (to
| give them promotional content, advertising, custom
| experience, whatever...)
|
| Basically even if they collected the data they wouldn't
| be able to use it. If they just collected your name to
| personalize your experience they'd be literally in deep
| shit if someone asked: "where did you get this
| information from?" - which to you may sound a weird
| question, but since 2018, at least in my country, more
| and more people ask this question.
|
| When in doubt, report. They'd need to show to authorities
| that the person gave explicit consent to store that data
| and to be used for personalized experiences.
|
| It's about consent. If the user didn't give consent you
| have no use for the data, and you'll be storing toxic
| material to get you fined.
| originalvichy wrote:
| And what has been stopping malicious companies from doing
| this before? To enter bars in most European countries you are
| already required to show identification prior to entering.
| zekica wrote:
| I have never been asked to show my ID at any bar in any
| country in the EU I travelled to.
| [deleted]
| refurb wrote:
| From a US perspective: 1) ID is usually not required but
| rather checked when is not clear and 2) it's usually a
| visual check not a scan of the ID (though I know some bars
| do do this) so nothing is electronically captured.
| mmcnl wrote:
| Never happened to me. Never heard of this happening. Seems
| anecdotal and likely not widespread at all.
| Dma54rhs wrote:
| Absolutely not true unless you're a kid.
| riffraff wrote:
| > To enter bars in most European countries you are already
| required to show identification prior to entering.
|
| this has never been a thing in any European country I've
| been in. Maybe if you look underage, but definitely not the
| norm.
| detaro wrote:
| If you want to store the data, don't, because it's a textbook
| example of illegal. And hopefully people will be paying close
| attention to what offered apps do.
| Mega1mpact wrote:
| But the chance of getting caught is next-to-zero,
| enforcement is very spotty when it comes to GDPR and I
| wouldn't be surprised if you could easily sell that data to
| an off-shore company
| justinmchase wrote:
| It sure seems like a privacy disaster. How could you say it's
| not?
| kevincox wrote:
| It does contain a bit more information than required, such as
| the specifics of the vaccine. But I think the personal
| information such as name is required. The code needs to be
| tied to some form of ID otherwise a single code could be
| copied and used by everyone. So the name and date of birth
| are likely used so that it can be compared to your drivers
| license or passport to ensure that the QR code actually
| belongs to you.
| rsynnott wrote:
| > It does contain a bit more information than required,
| such as the specifics of the vaccine
|
| That seems reasonable; it's totally plausible that a future
| variant defeats a vaccine, and at that point you would want
| to be able to detect people who'd been given that one.
| sunshineforever wrote:
| Couldn't someone just generate a fake QR code with their
| name and DOB on it?
| kevincox wrote:
| IIUC the data in the QR code is signed, the article
| mentions it but doesn't show the signature.
| distances wrote:
| They could also produce a fake vaccination booklet, or
| fake Covid test result. I'd guess both of these would be
| easier. All will result in forgery charges if caught. I
| think the chosen approach is pretty solid for the
| purpose.
| alkonaut wrote:
| At the very least it should be signed. Also, the issuing
| authority is on there so it should be possible to verify
| the information if necessary too.
| mmcnl wrote:
| DCC (Digital Covid Certificate it's called, not Digital
| Green Pass) is essentially a spec for a QR code (as
| demonstrated nicely in this post) + an EU signing gateway
| which is used for signing the certificates. The EU acts
| similar to a CA in case of SSL certificates.
| girst wrote:
| > _It does contain a bit more information than required,
| such as the specifics of the vaccine._
|
| between eu member states, the acceptance of e.g. sputnik-v
| (the russian corona vaccine) varies. having the name (or
| id) of the vaccine in the code allows countries who don't
| recognize a given vaccine to validate codes issued by other
| eu nations, who are more open to such a vaccine. (what a
| horribly worded sentence, i hope you get what i'm trying
| to say)
| kevincox wrote:
| Yes what is "required" is controversial. What I meant to
| say is that they could have chosen to go for a yes/no
| type of verdict but instead they chose to let the reader
| decide if they consider the protection acceptable. Both
| decisions have pros and cons.
| distances wrote:
| What's "acceptable" can vary by country. They couldn't
| have done this with the acceptance bit only.
| lxgr wrote:
| Additionally, the situation is constantly changing. A
| vaccine effective today might be considered insufficient
| tomorrow, e.g. due to mutations, new studies etc.
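The verdict-versus-facts trade-off discussed in this subthread, as an added sketch that is not from the article or any official verifier app: the certificate carries facts, each verifier applies its own acceptance rules locally, and only a yes/no plus the name and date of birth needed for the ID comparison leaves the function. Field names follow the DCC JSON schema; the two policies, the day limits and the sample certificate are constructed, and signature verification is assumed to have already succeeded.

```python
from dataclasses import dataclass
from datetime import date

COVID19 = "840539006"  # "tg" (disease targeted) code for COVID-19


@dataclass(frozen=True)
class Policy:
    """Acceptance rules held by the verifier, not by the certificate."""
    accepted_products: frozenset
    min_days: int  # days that must have passed since the final dose
    max_days: int  # days after which the vaccination no longer counts


@dataclass(frozen=True)
class Verdict:
    """Everything the checker's screen gets: no product, date or issuer."""
    allowed: bool
    holder: str
    dob: str


def _entry_ok(entry: dict, policy: Policy, today: date) -> bool:
    # Fail closed: a missing or malformed field never grants access.
    try:
        age_days = (today - date.fromisoformat(entry["dt"])).days
        series_complete = int(entry["dn"]) >= int(entry["sd"])
        return (
            entry["tg"] == COVID19
            and entry["mp"] in policy.accepted_products
            and series_complete
            and policy.min_days <= age_days <= policy.max_days
        )
    except (KeyError, TypeError, ValueError):
        return False


def evaluate(payload: dict, policy: Policy, today: date) -> Verdict:
    """Apply one verifier's policy to an already signature-checked payload."""
    nam = payload.get("nam") or {}
    holder = f'{nam.get("gn", "")} {nam.get("fn", "")}'.strip()
    entries = payload.get("v")
    if not isinstance(entries, list):
        entries = []
    allowed = any(
        isinstance(e, dict) and _entry_ok(e, policy, today) for e in entries
    )
    return Verdict(allowed, holder, str(payload.get("dob", "")))


# Constructed policies for two hypothetical member states.
COUNTRY_A = Policy(frozenset({"EU/1/20/1528", "Sputnik-V"}), 14, 270)
COUNTRY_B = Policy(frozenset({"EU/1/20/1528"}), 14, 270)

# Constructed sample certificate payload (placeholder holder).
SAMPLE_CERT = {
    "nam": {"fn": "Musterfrau", "gn": "Erika"},
    "dob": "1964-08-12",
    "v": [{"tg": COVID19, "mp": "Sputnik-V", "dn": 2, "sd": 2,
           "dt": "2021-05-29", "co": "HU"}],
}

if __name__ == "__main__":
    today = date(2021, 6, 22)
    for label, policy in (("A", COUNTRY_A), ("B", COUNTRY_B)):
        print(label, evaluate(SAMPLE_CERT, policy, today))
```

The same signed certificate yields different verdicts under the two policies, and a policy can change later without reissuing anything.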
| meibo wrote:
| No server is involved in scanning/verifying the QR codes, the
| only privacy violation would possibly be the people scanning
| the code taking the name/DoB for themselves but that would be
| a GDPR violation and I'd guess no legitimate business would
| try that.
|
| I'd be showing my ID/vax record to those restaurants either
| way so it just seems like a technicality in the end. If you
| don't like it, don't use it, like all covid apps in the EU.
| VOSgqcSyGdPhGWP wrote:
| This includes more information than necessary to verify
| whether a person has been vaccinated.
| looperhacks wrote:
| Which information do you think is unnecessary?
| VOSgqcSyGdPhGWP wrote:
| Almost all of it. The only thing it needs to contain is
| name, whether you are "immune" (vaccinated or natural
| antibodies), and a signature to verify it hasn't been
| tampered. When you were born, which vaccine you received,
| and when you received it are not necessary to show that
| you won't be spreading the disease.
| [deleted]
| Haemm0r wrote:
| In Austria you could use https://qr.gv.at to check the qr
| codes without installing an app. I don't think that it does
| any further verification than parsing the data.
| kmonsen wrote:
| Has someone tried this with the California QR code? I cannot find
| the specification for it.
|
| When I scan it on my iPhone it just goes to the Apple health
| app with no information.
| imemyself wrote:
| I was also curious about this too, it took a few steps to get
| the SHC data into something human readable. I posted what
| worked for me here - https://github.com/ogarraux/california-
| vaccine-record-reader.
| jdkizer wrote:
| Sure, you can find the specification for the QR code format in
| https://smarthealth.cards/. The data payload is defined in
| http://build.fhir.org/ig/dvci/vaccine-credential-ig/branches...
| jeroenhd wrote:
| > there is no superfluous data inside,
|
| The Dutch government disagrees. Their app implementation will
| have the ability to generate two codes, one for events within the
| borders and one for the EU pass.
|
| The reason behind this is that the Dutch QR code only contains
| the bare minimum of personal information to identify you. By
| default this means the day and month of birth and your initials,
| unless you share those among many other citizens. In that case,
| more data may be added, such as your full first name or year of
| birth.
|
| While the amount of personal data exposed through the QR code is
| small and not a privacy risk in my opinion, it does have some
| points where it can improve. Still, it's not a bad system from a
| technical point of view.
|
| My problem with the entire system is that this code is basically
| a free pass for all the old people we've stayed inside for a year
| for to go on holiday, while everyone else gets to go through all
| the same hoops they've been going through for months. If the
| vaccinations were spread randomly across the population, I'd be
| perfectly okay with such a system, but in real life all the old
| people got their shots first. Things may be different in other
| countries, but here the vaccinations are still going, with only
| half the population having had a first shot.
|
| The underlying message is clear, there's no solidarity between
| the age groups. I had to pause my social life to protect the
| people aged 50+, but those people aren't willing to put off their
| holiday for me in return. I'm sure the underlying reason for
| implementing this system is economic, it's the EU after all,
| trying to save tourist-oriented economies and all that.
|
| I'll get my pass somewhere near the end of August (two weeks
| after my second shot), past the holiday period. Parents will have
| to wait for even longer if they want to travel with their kids,
| because kids are all the way at the end of the vaccination line
| if they even get them at all.
|
| With the Indian covid variant ravaging Portugal and the seasonal
| effect, I do wonder how long this system will last. It's only a
| matter of time before some mutant shows up that's resistant to a
| certain vaccine and we start from scratch.
| float4 wrote:
| > By default this means the day and month of birth and your
| initials, unless you share those among many other citizens. In
| that case, more data may be added
|
| This sounds like k-anonymity, in which case the k is usually
| made public. Any idea what value they chose?
| La1n wrote:
| It's the opposite isn't it? k-anonymity would remove data
| until you are the same as k others, whereas this adds data
| (such as first name), so you are not the same as many others?
| float4 wrote:
| There's the privacy-utility tradeoff in data anonymisation,
| but most algorithms focus primarily on privacy. There
| usually are no parameters that promise any kind of utility,
| only parameters that promise privacy.
|
| In this case it looks like they want a guarantee on both,
| which makes sense.
|
| (So yeah, you're right, this definitely isn't just
| k-anonymity)
| Tepix wrote:
| > My problem with the entire system is that this code is
| basically a free pass for all the old people we've stayed
| inside for a year for to go on holiday, while everyone else
| gets to go through all the same hoops they've been going
| through for months.
|
| I don't understand. Why does it bother you if someone else is
| allowed to meet her friends again after being vaccinated and
| you are not? If they sit alone at home instead, how does it
| benefit you? The reason why they had to isolate themselves
| (being at risk of dying and infecting others) is gone. That
| means there is also no _legal_ legitimation to restrict the
| people's basic human rights any longer than necessary.
| jeroenhd wrote:
| You don't use this system to meet your friends, you use it to
| go to venues, events, on holiday. Your friends probably don't
| stand in their front door with a QR validator in hand.
|
| Everyone has had their lives interrupted for a year to save
| the old and weak, has had their life-saving vaccinations
| rationed towards the old and weak, and in exchange, the old
| and weak get to go to concerts without paying for a covid
| test.
|
| Is that the thanks we get for trying to save their lives? The
| government isn't helping the younger generations, they didn't
| vote for them anyway, and the news is full of entitled people
| demanding to get a stamp to go on holiday before the app goes
| live.
|
| Is it fair that my human rights are still restricted, while
| those of the people the restrictions are intended to protect
| aren't? It doesn't feel fair to me.
| cr1895 wrote:
| >the old and weak get to go to concerts without paying for
| a covid test.
|
| Be fair now...you also do not need to pay for the test.
| It's a hassle, true.
| grive wrote:
| > Is that the thanks we get for trying to save their lives?
|
| What kind of 'thanks' would you expect exactly?
|
| They have lived the year at higher risk of contracting
| dangerous symptoms, while you were safer in comparison. Was
| it fair then? When you were able not to fear too much about
| your safety?
|
| Frankly, forcing people to stay inside while they have been
| vaccinated and are at an acceptable level of risk, under
| the guise of 'fairness' is pretty rich.
| andai wrote:
| I think he means the opposite -- that at this point (with
| the entire vulnerable population fully vaccinated) it's
| unreasonable to force _anyone_ to undergo restrictions.
| _ZeD_ wrote:
| "entire vulnerable population fully vaccinated"? where?
| tick_tock_tick wrote:
| Well the USA and some parts of Europe.
| Twixes wrote:
| That's pretty rich of you, I wonder how you'll look at this
| comment when you're say 60+ yourself :) You know, one of
| the _old and weak_ that we will all be
| ajsnigrutin wrote:
| > I don't understand. Why does it bother you if someone else
| is allowed to meet her friends again after being vaccinated
| and you are not? If they sit alone at home instead, how does
| it benefit you? The reason why they had to isolate themselves
| (being at risk of dying and infecting others) is gone. That
| means there is also no legal legitimation to restrict the
| people's basic human rights any longer than necessary.
|
| Because the young people could meet their friends and go on
| holidays with minimal risk[0], but they were not allowed to,
| because they had to "save grandma". Now grandma is "saved"
| and vaccinated, and they're still not allowed to go, with the
| risk still being minimal.
|
| [0] in Slovenia, there have been 600k-1mio (depending on the
| expert) infections, and total number of 4(!) people died
| below the age of 35, 88 below 55 (including those 4) - for
| comparison, average number of deaths in traffic is ~100 per
| year.
| cr1895 wrote:
| The vaccine QR code only matters for large events or travel
| abroad, so the example about meeting friends makes no
| difference whether you're vaccinated or not.
|
| In any case, while it is certainly nicer to be vaccinated,
| it's possible to get free PCR tests for the equivalent
| access.
| ajsnigrutin wrote:
| So no football games with friends, and no friends abroad?
|
| PCR test cost around 100eur in slovenia, and take a day or
| two. Fast tests (HAT) are free, but the waiting lines are
| 1-3hours, because of all the groups that have to do
| mandatory testing each week.
| cr1895 wrote:
| >So no football games with friends, and no friends
| abroad?
|
| No, that's not true.
|
| I've mentioned it in a few comments now, but for events
| within Netherlands there is no cost - you can either have
| your (free) vaccination check or you can get a free PCR
| test and have a time-limited entry code. PCR tests for
| this purpose are always free in NL.
|
| And the Netherlands is covering the cost of PCR tests for
| travel through July and August, by which point any adult
| who wants a vaccine can have had one.
| ajsnigrutin wrote:
| PCR tests in slovenia are in a ~100eur range.
|
| Time limited is how long? I'm guessing 48 hours? So, even
| if free, you need to take an hour or two out of your
| life, every two days to be able to go to the
| cinema/football match/concert?
|
| In slovenia, there are cases of people getting
| intentionally infected with covid, just to get "the
| papers", and to avoid the AstraZeneca vaccine (with,
| quoting the leader of our "expert team": "blood clot
| issues in a few per 100k people" - which is way more than
| the covid death rate in those age group).
|
| Add to this the famous saying, that "there is nothing
| more permanent than a temporary solution".
| cr1895 wrote:
| Sorry to hear PCR tests are so expensive there! They're
| like that in NL normally if you go to a private lab in
| order to get a certificate for travel. If you get a
| government one then there's no certificate for it
| normally.
|
| >Time limited is how long? I'm guessing 48 hours? So,
| even if free, you need to take an hour or two out of your
| life, every two days to be able to go to the
| cinema/football match/concert?
|
| Certainly not saying it is seamless or not a total pain
| in the ass, but in reference to the OP it is wrong to
| characterize this as young people suffering, locked at
| home at the expense of old people who are free to do
| everything.
| ajsnigrutin wrote:
| Yes, they're expensive. Fast tests are free, but waiting
| times are in the range of 1-3hours (those are ok to visit
| restaurants, etc.).
|
| The government here has been moving the goalposts a lot,
| because we're in the "green" phase now, where just a few
| months ago, pretty much everything was allowed, and now
| they've added the vaccine/recovered/tested requirement
| (called PCT here) to everything. Also, we've ended the
| "epidemy status", so no more help for businesses, while
| still limiting how they can operate (requiring PCT,
| limiting number of people per square meters or percentage
| of capacity), and night clubs are only allowed to be open
| until midnight (making it not worth it to open, but
| without any help to keep the employees employed).
| altacc wrote:
| The way I see it is that if you are going to restrict
| freedoms based on a status, then everyone should have had
| the option to attain that status before those restrictions
| are in place. If the government is controlling access to that
| status, then it is a selective infringement of rights as
| decided by the government.
|
| In this case the status is vaccinated status, which in many
| countries is not widely available and the distribution is
| controlled by the government.
|
| However at the point where everyone has equal access to the
| vaccination (and uptake is enough to provide herd immunity)
| such restrictions are unnecessary. So as soon as it's fair to
| put in place restrictions, they are no longer necessary.
|
| I see the issue here but for the government it's a case of
| damned if you do, damned if you don't, or a lesser of two
| evils. Keeping restrictions in place for everyone whilst
| waiting until herd immunity is achieved is a severe
| restriction of freedoms for everyone, whereas loosening
| restrictions for those who are vaccinated is unfair but
| allows society to slowly return to normal.
| iSnow wrote:
| > It's only a matter of time before some mutant shows up that's
| resistant to a certain vaccine and we start from scratch.
|
| That's not a given. There's an evolutionary space for mutations
| of the virus that isn't endless. It seems far from clear that it
| can generate escape mutants that are resistant to the current
| vaccines, for that it would have to turn into a completely
| different virus.
|
| >We emphasize, however, that enhanced transmissibility, rather
| than immunoevasion or greater lethality, would be considered
| the most potent path for the virus to become more fit and
| viable.
|
| >Indeed, more-fit variants can be expected to emerge over time
| [...], but we believe that these will not continue to emerge
| indefinitely: nothing is infinite in nature, and eventually the
| virus will reach its form of 'maximum transmission'
|
| https://www.nature.com/articles/s41591-021-01421-7
| Pyramus wrote:
| That's exactly right. As of today, some virologists think
| that we are already seeing early signs of convergence among
| virus variants, i.e. the same mutations appearing in
| different variants.
|
| It's early speculation and there is no guarantee, but it's
| certainly not given that there will be a variant that forces
| us to start from scratch.
| cr1895 wrote:
| It's an unfortunate reality but why shouldn't people who are
| protected be able to take advantage of that? It's older
| generations in broad strokes, but also people who were at
| higher risk, healthcare workers, people who've been vaccinated
| already abroad, etc. It's not so simple as old vs young and
| even if it were I don't see the solution as keeping everyone at
| a disadvantage because you are bitter that others got
| vaccinated sooner.
|
| Furthermore, it is possible to take advantage of everything a
| person with a vaccine pass can do with a (free!) PCR test. It's
| even paid for by the government for July and August for travel
| abroad.
|
| Also, it's definitely far from certain that some mutation will
| evaporate all of the progress made. It's not helpful to
| speculate like that.
| novaRom wrote:
| Germany here. Life of many children has become a nightmare.
| Good luck with any travel with PCR tests, 120 Euro each, and
| you need at least 2 per child. There's no vaccine for
| children under 12, and it's officially not recommended for
| those who are healthy under 16. Many families are now
| struggling. Even getting a non-PCR quick test which is free
| requires lots of additional time (this is required for any
| indoor activity).
| morsch wrote:
| You can currently travel (and return) freely to loads of
| places without a vaccination, a test, or a document, or
| anything. Seems a bit disingenuous not to mention that.
|
| Also, PCR tests are available for way less than 120 EUR.
|
| That's not to say the past year wasn't particularly
| difficult to families with children and young people in
| general.
| novaRom wrote:
| Can you name those destinations where you can travel
| to/from without tests?
|
| If you have to fly, you have to do PCR test and again on
| return.
|
| PCR tests in most cities are 80-130 Euro. Only if you
| live in Bavaria, you may do it for free.
| cr1895 wrote:
| For Netherlands, this is the list of safe countries that
| do not require you to test/quarantine on return:
|
| https://www.government.nl/topics/coronavirus-
| covid-19/visiti...
|
| Granted, it is more complex to check what countries
| require to accept a person traveling from the
| Netherlands.
| 9dev wrote:
| Italy, for one! If you ride by car, you don't need
| anything; going by train, you'll need an antigen test,
| which you could do in Munich, for free, before boarding
| the next train heading to the Brenner pass. On your way
| back, you don't need a test either way.
|
| (Source: came back yesterday)
| morsch wrote:
| Sorry, I was wrong -- I thought you can freely travel to
| e.g. Austria, but you do in fact need to provide a PCR
| test or be vaccinated on arrival (just not on return). So
| the list may just be three countries, the Netherlands,
| Spain and Croatia. Mea culpa.
|
| At least Germany itself has lots of nice and diverse
| holiday destinations. That's what we're doing this year.
| cr1895 wrote:
| The context of the above was Netherlands, where there is no
| widespread quick testing-on-entry as there is in Germany.
| There is largely no restriction in day-to-day life in the
| Netherlands (and even less in the coming weeks), with or
| without a vaccine QR code; the code would apply for access
| to large events or travel. Also in Netherlands the
| government is paying for travel PCR tests through July and
| August. These countries have taken quite different
| approaches.
|
| You do raise an excellent point that this vaccine system
| excludes children.
| rovek wrote:
| Seems like a question of reciprocity and solidarity. I'm not
| sure if I agree with the sentiment of OP but I do understand
| frustration that those of us who had an inconsequentially
| small probability of falling ill to this virus have lost more
| than a year of the prime of our lives in an effort to protect
| others; others who will now enjoy all the freedoms we still
| don't have back despite there still being next to no risk to
| us.
| ajsnigrutin wrote:
| Yep... young people gave up a year of their lives to "save
| grandmas", and now that grandmas are vaccinated, are still
| not allowed to go on a vacation or party, even though
| there's a higher chance of dying in the car driving to/from
| the party (for healthy individuals from those age groups).
| Pyramus wrote:
| > Seems like a question of reciprocity and solidarity.
|
| I have to disagree here. There is neither reciprocity nor
| solidarity involved, because you gain/lose nothing by them
| having or not having additional freedoms.
|
| Don't get me wrong I understand OP's frustration and that
| he/she feels treated unfairly. But OP's frustration is not
| rational. As harsh as it sounds OP's feelings are driven by
| envy.
| rovek wrote:
| I don't see that anything in your comment precludes
| reciprocation of unnecessarily conservative limitations
| on one's life.
|
| It could be argued that keeping everyone home instead of
| just those at risk was irrational.
| Pyramus wrote:
| That's a completely different discussion whether the
| strategy was the right strategy in the first place, and
| unrelated to my argument.
|
| What I'm saying is that given the current situation,
| player A (OP) loses nothing while player B (the
| vaccinated) gains something (also called a Pareto
| improvement). It is not rational for player A to oppose
| this new situation where B gains something.
| akie wrote:
| > My problem with the entire system is that this code is
| basically a free pass for all the old people we've stayed
| inside for a year for to go on holiday, while everyone else
| gets to go through all the same hoops they've been going
| through for months.
|
| Would you have preferred to be one of the people whose lives
| were in danger because of this disease? There's a good reason
| they got the first vaccinations.
| jeroenhd wrote:
| I'm not opposed to vaccinating the weak and elderly first,
| but the choice to also give them their freedoms back first
| leaves a bad taste in my mouth. I'd like for everyone to be
| healthy, but also for everyone to be subject to the same
| restrictions.
|
| The youth sacrificed a year of their lives for the elderly,
| and in exchange they'll have their freedoms restricted for
| longer while the elderly they've sacrificed their time for
| get a free pass to holidays and concerts.
| distances wrote:
| You get the same freedoms with free covid tests, right?
| Except when traveling abroad and having to pay for the same
| test. This is only about convenience as far as I see,
| greatly helping the tourism industry. What would be your
| ideal solution, requiring the same tests from everyone?
| mhitza wrote:
| I don't know where you live but in most countries PCR
| tests aren't free.
|
| There are some EU countries that will have you take one
| if you didn't bring your result along (and it will be
| free of charge), but then you might need to spend a day
| or more in self isolation till the test result is
| reported back.
| distances wrote:
| Yes, cross-border traveling is definitely harder and more
| expensive without vaccinations. Easier domestically.
|
| I'm just not convinced that we should require the same
| tests even after vaccinations even if it now leads to
| uneven amount of hassle.
| akie wrote:
| What you want is not possible. They were at a much higher
| risk of dying, so they got the vaccine first. Because they
| got the vaccine first, they get to live "normal" lives
| again before you do.
|
| Yes, that's unfair.
|
| It would have also been unfair to give the vaccine to young
| people first.
|
| Such is life. Whichever choice you make here, it is unfair.
| There is no "happy path".
|
| Or actually, we (here in the West) ARE on the happy path.
| Just have a look at what is happening in Brazil or India to
| see why we are the fortunate ones. We need to stick with it
| for a bit longer, and Corona will mostly be a thing of the
| past here. Many people all over the world would love to
| swap places with us. Also extremely unfair. Unfortunately.
| claviola wrote:
| Why are you talking about fairness in a context like this?
| Is there any actual health benefit from fully vaccinated
| people waiting until everyone else is vaccinated? Also, you
| probably also incur less healthcare costs than they do, but
| you still contribute to the public healthcare system. Is
| this also an issue for you? Remember that the elderly also
| have more actual urgency, as they are much more likely to
| have less time to live than you.
| r1ch wrote:
| This design looks pretty sound, revocation seems like the big
| missing piece but I guess that could be done by pushing an
| updated scanner.
|
| Here in The Netherlands our app is also used for proof of a
| negative test. I wonder if giving signing powers to however many
| hundreds of test locations will backfire at some point. Then
| again I don't know if our national QR codes are even
| cryptographically signed to begin with.
| lesquivemeau wrote:
| I don't know how the signing process is for this specific green
| pass, but the national France one is signed exclusively by the
| French healthcare system: vaccination centers and test
| locations can emit a signed pass remotely and print it, but
| they don't possess the private key locally.
| r1ch wrote:
| I'm speculating somewhat as I haven't been through the
| process, but it seems like the test centers give you a string
| that the app converts into the QR code. The app is supposed
| to work offline, though perhaps the initial string -> QR code
| does an online lookup and thus is signed externally to the
| test centers.
| bigiain wrote:
| From the qr generated and qr expiry timestamps, it looks like
| they are only valid for 2 days, so revocation isn't that much
| of a problem.
| r1ch wrote:
| I was thinking more along the lines of one of the signing
| keys leaking.
| cr1895 wrote:
| > I wonder if giving signing powers to however many hundreds of
| test locations will backfire at some point.
|
| In Germany the vaccine proof can be generated at (most?)
| pharmacies. If that would become an issue, I don't think it
| would only be one in the Netherlands.
| zaarn wrote:
| Should be most pharmacies but they have to check your
| vaccination booklet (or proof of vaccination, they give you
| extra papers at the vaccination location). It seems to work
| alright considering at least one person I know is facing
| charges for falsifying medical documents and falsifying
| signatures due to them trying to fake their vaccination and
| bringing that to the pharmacy.
| dtech wrote:
| It's interesting that all of this is in there. In the Netherlands
| the health minister has multiple times promised that the checking
| party (like pub/work) would not be able to determine if you were
| OK because of vaccination, recent negative PCR test or recovered.
|
| Maybe that is only for the national check and not EU passport.
| Spooky23 wrote:
| You are correct. The national/intra-jurisdiction checks usually
| give you a thumb up / thumb down without context.
|
| The cross-border credentials provide context to allow the
| destination to make a determination if they wish. For example,
| some jurisdictions may not recognize Sinovac. Others may not
| recognize a COVID recovery + 1/2 dose series as valid. In the
| future, some vaccine series may need a 3rd dose.
|
| Each place is different. Some US jurisdictions adopted a "hold
| my beer" approach. Others have tight standards and vaccine
| registry, others have good immunization processes, but the
| integration with third parties is poor.
| markus92 wrote:
| The Dutch app will have two QR codes: a national one which
| hardly contains any information - initials and day/month of
| birth - and the EU DCC which is discussed here.
| Deukhoofd wrote:
| Yeah there's different QR codes, one for usage in The
| Netherlands, and one for international usage.
|
| Dutch: https://coronacheck.nl/nl/faq/1-6-welke-informatie-
| staat-in-...
|
| English: https://coronacheck.nl/en/faq/1-6-welke-informatie-
| staat-in-...
| FreezingKeeper wrote:
| Somewhat related - here's [0] a report on the QR codes that
| public venues in England can display for patrons to 'check in'
| using the NHS COVID-19 app to assist with contact tracing
|
| [0] https://www.revk.uk/2020/09/how-not-to-qr-nhs-c19-app.html
| simias wrote:
| It's cool that all the data is embedded in the code instead of
| just containing a URL that points to some centralized server.
| This way people can't be (trivially) tracked by looking at the
| pings from the scans.
| distances wrote:
| There is no central server containing this vaccination data, so
| thankfully it would be impossible to implement.
| miguelrochefort wrote:
| There aren't that many different ways to design an immunity
| passport.
|
| Their design looks very similar to mine [1], but they use a
| compact and custom schema instead of FHIR and W3's Verifiable
| Credentials standard. Looks like they might be using LOINC code
| though.
|
| [1] https://miguelrochefort.com/blog/immunity-passport-2/
| jfrunyon wrote:
| > What we're looking at there is a Base45-encoded, compressed,
| signed binary data structure.
|
| ?!?!?!
|
| QR codes support binary natively. What the hell even is base45?!
| pyentropy wrote:
| Alphanumeric mode (which is 45 symbols: [A-Z0-9] and nine
| special symbols) is the only QR mode that's reliably supported
| among all scanner library implementations (latin1 is part of
| the extended mode, Unicode & raw binary get detected with
| implementation-dependent heuristics).
|
| The encoding is great, actually: 4n bytes will get encoded into
| 6n alnums (base45 symbols) which are 3n * 11 = 33n QR-bits. A
| loss of just 3% (33/32 - 1). This works because [ alnum1 alnum2
| ] by spec must get packed into [ 11 bits ] in the QR message
| bitstream.
|
| Wrote an explanation here:
| https://news.ycombinator.com/item?id=27592936
| RobinUS2 wrote:
| https://datatracker.ietf.org/doc/draft-faltstrom-base45/
| supermatt wrote:
| https://github.com/ehn-dcc-development/hcert-spec/blob/main/...
| devit wrote:
| The document says that the encoding is 11 bits for two
| characters, which means that Base45 plus that encoding is
| very efficient, since 45^2 / 2^11 = 0.988, so only 1.2% of
| the capacity is wasted.
| [deleted]
| dugmartin wrote:
| It is the first I've heard of it too but according to this
| draft spec QR codes can't support binary:
|
| https://datatracker.ietf.org/doc/draft-faltstrom-base45/
|
| "Even in Byte mode a typical QR-code reader tries to interpret
| a byte sequence as an UTF-8 or ISO/IEC 8859-1 encoded text.
| Thus QR-codes cannot be used to encode arbitrary binary data
| directly. Such data has to be converted into an appropriate
| text before that text could be encoded as a QR-code. Compared
| to already established Base64, Base32 and Base16 encoding
| schemes, that are described in RFC 4648 [RFC4648], the Base45
| scheme described in this document offer a more compact QR-code
| encoding."
|
| Here is the output alphabet:
|
|   Value Encoding  Value Encoding  Value Encoding  Value Encoding
|      00 0            12 C            24 O            36 Space
|      01 1            13 D            25 P            37 $
|      02 2            14 E            26 Q            38 %
|      03 3            15 F            27 R            39 *
|      04 4            16 G            28 S            40 +
|      05 5            17 H            29 T            41 -
|      06 6            18 I            30 U            42 .
|      07 7            19 J            31 V            43 /
|      08 8            20 K            32 W            44 :
|      09 9            21 L            33 X
|      10 A            22 M            34 Y
|      11 B            23 N            35 Z
|
| My initial thought is using "Space" as a valid encoded value
| seems like an enormous foot gun.
| justinmchase wrote:
| To trim or not to trim, that is the question
| lymeswold wrote:
| (2^16)^(1/3) < 41 So why base 45?
| kubanczyk wrote:
| Yes, 41 characters would be sufficient.
|
| I would have omitted these four (the asterisk being there
| only to have a consecutive subset):
|
|   36 Space
|   37 $
|   38 %
|   39 *
|
| Especially % can be confusing, as %20AA seems like a valid
| base45 both before and after urldecode. The $ is a lesser
| footgun.
|
| I'd be keen to learn why they decided to use full 45
| characters available in alphanumeric QR.
| lesquivemeau wrote:
| Because you encode using 45 different characters
| kubanczyk wrote:
| Because the "binary" in QR codes (actually they call it "byte"
| mode) is supposed to be ISO-8859-1 per the ISO/IEC 18004:2005.
|
| Which means it is a text mode, and actual scanners do treat it
| as text (although usually UTF-8 which goes against that
| standard, meh).
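
Added example (not part of the thread or of the draft's reference code): a strict Base45 encoder/decoder following the two-bytes-to-three-symbols scheme of draft-faltstrom-base45 linked above, plus the QR alphanumeric-mode bit count the replies compute. Function names and the `Hello!!` sample are constructed for illustration; the bit count covers payload symbols only, not the QR mode indicator or character-count field.

```python
# Base45 per draft-faltstrom-base45, with QR alphanumeric-mode bit accounting.
# All names here are illustrative; nothing is taken from the EU DCC code base.

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b45encode(data: bytes) -> str:
    """Two bytes -> three symbols; a trailing single byte -> two symbols."""
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        n = int.from_bytes(chunk, "big")
        for _ in range(len(chunk) + 1):      # 3 symbols for 2 bytes, 2 for 1
            n, digit = divmod(n, 45)         # least significant digit first
            out.append(ALPHABET[digit])
    return "".join(out)


def b45decode(text: str) -> bytes:
    """Strict decoder: no trimming, no case folding, range-checked groups."""
    if len(text) % 3 == 1:
        raise ValueError("length leaves a dangling symbol")
    out = bytearray()
    for i in range(0, len(text), 3):
        group = text[i:i + 3]
        try:
            digits = [INDEX[ch] for ch in group]
        except KeyError as exc:
            raise ValueError(
                f"symbol {exc.args[0]!r} is outside the alphabet") from None
        n = sum(d * 45 ** k for k, d in enumerate(digits))
        nbytes = len(group) - 1
        # 45**3 > 2**16 and 45**2 > 2**8, so some groups map to no byte
        # string at all; accepting them would make the encoding non-canonical.
        if n >= 256 ** nbytes:
            raise ValueError(f"group {group!r} exceeds {nbytes} byte(s)")
        out += n.to_bytes(nbytes, "big")
    return bytes(out)


def qr_alnum_payload_bits(nsymbols: int) -> int:
    """Alphanumeric mode: 11 bits per symbol pair, 6 bits for an odd symbol."""
    return 11 * (nsymbols // 2) + 6 * (nsymbols % 2)


def overhead(nbytes: int) -> float:
    """QR payload bits spent per raw bit, minus one, for an nbytes input."""
    symbols = len(b45encode(bytes(nbytes)))
    return qr_alnum_payload_bits(symbols) / (8 * nbytes) - 1


if __name__ == "__main__":
    sample = b"Hello!!"                      # constructed sample input
    encoded = b45encode(sample)
    print(repr(encoded))                     # contains a significant space
    print(b45decode(encoded))
    print(f"overhead for 4 bytes: {overhead(4):.3%}")
    try:
        b45decode(encoded.replace(" ", ""))  # what a "helpful" trim would do
    except ValueError as err:
        print("trimmed input rejected:", err)
```

A decoder that trims or case-folds its input before decoding breaks on groups such as ` VD`, which is why the strict version rejects rather than normalizes.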
| dvh wrote:
| {-260:...} - why is key -260 ???, I mean who designs format like
| this?! Like in the middle of nowhere, bam -260. I would
| understand {type:-260, data:...} but this?! What is wrong with
| these people?
| notorandit wrote:
| Gabriele is a "he". Gabrielle is a "she".
| pzo wrote:
| Although apps are open source there is a lot of potential that
| all that information can be misused, mainly for tracking:
|
| 1) Some other countries or commercial venues using their own
| version of VERIFIER app (based on open source) that pings some
| server online
|
| 2) Some other countries using their own version of ID app (based
| on open source) that pings some server online while QRCODE is
| rendered/generated
|
| I'm just wondering why they haven't designed it in different way
| (only when applying for use in commercial venues):
|
| For application inside nightclubs, concerts etc. :
|
| 1) QRCode doesn't have any private data such as firstname /
| family name / date of birth etc (so that it's impossible to
| create profile ID)
|
| 2) While downloading your qrcode for the first time after
| installing the app (onboarding), it asks you for e.g. scanning
| your National ID and/or holding your phone in front of mirror to
| verify your face (similar like other banking app do). After
| verification only then generates offline qr code for you
|
| 3) While onboarding it is mandatory that app is protected with
| your FaceId or TouchId
|
| 4) Such app can be installed only on one device (similar like in
| Whatsapp once trying onboarding on new device the previous app
| code is invalid) - any qrcode would be valid only for 48h
|
| 5) Bouncer still scan qrcode to check offline if is properly
| signed by authority + communicated with the app P2P via
| NFC/Bluetooth/Proximity to verify this is neither screenshot nor
| some unauthorized app.
|
| ad 5) Verifier maybe would have to ping some server to check that
| App is legit but wouldn't know who is checking in
|
| edit - formatting
| remus wrote:
| Regarding your proposed scheme, what's to stop me taking a
| screenshot from the app and sharing it with all my friends? If
| the QR code contains no personal info then how does the person
| scanning it know who the code was generated for?
| mmcnl wrote:
| The QR code has the first letters of your first and last name,
| as well as date of birth (without the year).
|
| Let's say your name is Gerrit de Winter, born May 3 1973. The
| QR code would then contain: G W 5/3
|
| Nothing is stopping you from sharing the code with your
| friends as long as they share these limited credentials, but
| those chances are very small. It's easier to get a valid QR
| code than finding a credential twin.
| pzo wrote:
| You would have to share your phone, which you are probably
| less likely to do. Scanner doesn't need to know who the code was
| generated for, only if this is a legit authorized app - it's
| easy to check if this is a real app with some challenge-response
| instead of one-way communication
| petre wrote:
| > 2) While downloading your qrcode for the first time after
| installing the app (onboarding), it asks you for e.g. scanning
| your National ID and/or holding your phone in front of mirror
| to verify your face (similar like other banking app do)
|
| This is already way over the line. I can understand banking
| apps do it but for a vaccination certificate? No way. The QR
| code implementation is fine. It would also be fine if it would
| be printed on paper or in a PDF and valid for a year.
| Yaina wrote:
| I think you can totally print the current QR code on a piece
| of paper and show that to someone. It's not more or less safe
| than having it in an App.
|
| The QR code is essentially like a Covid-only digital
| vaccination pass; it doesn't provide any more or less
| information.
|
| The only valid point in pzo's original comment is that a
| scanner app from a bad actor could collect the personal
| information within the code. So we need to be able to trust
| that the person scanning the QR code is using a legitimate
| app.
| pzo wrote:
| I'm not worried that much about personal information (that
| someone will know that someone has been vaccinated). I'm
| more worried that this personal information can allow
| tracking (politicians, activists, journalists, etc.) in an
| automated way in the same way cookies, etc. track us today
| while browsing.
| pzo wrote:
| I agree this is more hassle but the QR code implementation is
| only fine if you trust that some EU governments or companies
| won't try to abuse the system in the future. I'm not saying
| that this will happen but why not design the system so that
| it is not possible?
|
| If verifier app will at some point start pinging some server
| having a QRCode in PDF or printed on paper won't save you
| from someone tracking all places you are going to. Imagine
| how useful it can be for tracking some politicians, activists
| or journalists and correlating that check-in information who
| they might be meeting with.
| radicalbyte wrote:
| With CoronaCheck (https://coronacheck.nl) we have implemented
| one of the most privacy preserving EU Green Systems for use
| within our country.
|
| We use IDEMIX, a form of Verifiable Credentials. The nice
| feature of IDEMIX is that - unlike W3C VC - it also has the
| property of being able to create unlinkable credentials.
|
| Guess what? That's the reason that we've used them :)
|
| Read our technical designs here: https://github.com/minvws/nl-
| covid19-coronacheck-app-coordin...
| pzo wrote:
| Only gave it a fast look at technical designs and it seems it
| is still _not_ tracking proof since QR code has: "The
| person's initials and birth month/day."
|
| This should be enough to create a pretty much unique profile
| ID especially for countries like Netherlands with small
| population.
| radicalbyte wrote:
| That's why we do partial issuance - so in practice you have
| some combination of First_Name_Initial, Last_Name_Initial,
| Birth_Month, Birth_Day.
|
| I have a very common combination, and I get only my
| First_Name_Initial and Birth_Month.
|
| EDIT: I quite literally built this for the first version of
| the app. It's all in the repo (unless someone has cleaned
| it up since I last looked).
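
A sketch of the trade-off behind partial issuance, added here as an example and not taken from the CoronaCheck repository: disclose as many of the four fields as possible while at least `k` people still share the disclosed values. The population, the threshold `k` and the function names are assumptions made for illustration.

```python
from itertools import combinations

FIELDS = ("first_initial", "last_initial", "birth_month", "birth_day")


def person(first_initial, last_initial, birth_month, birth_day):
    return dict(zip(FIELDS, (first_initial, last_initial, birth_month, birth_day)))


# Constructed population for the example; a real issuer would work from
# name and birth-date statistics for the whole country.
POPULATION = [
    person("J", "D", 3, 14),
    person("J", "D", 3, 2),
    person("J", "D", 3, 27),
    person("J", "B", 3, 14),
    person("J", "V", 7, 14),
    person("M", "D", 3, 9),
    person("M", "J", 11, 30),
    person("A", "B", 1, 5),
    person("J", "D", 5, 14),
    person("X", "Q", 12, 31),
    person("S", "K", 12, 1),
    person("P", "V", 6, 31),
]


def anonymity_set(population, holder, disclosed):
    """Number of people who share the holder's values for the disclosed fields."""
    return sum(all(p[f] == holder[f] for f in disclosed) for p in population)


def choose_disclosure(population, holder, k):
    """Pick the largest field set that still leaves at least k matching people.

    Returns (fields, anonymity_set_size). Among sets of equal size the one
    with the larger anonymity set wins. If no single field reaches k, nothing
    is disclosed and the result is ((), len(population)).
    """
    best = ((), len(population))
    for size in range(1, len(FIELDS) + 1):
        for subset in combinations(FIELDS, size):
            n = anonymity_set(population, holder, subset)
            if n >= k and (size > len(best[0]) or n > best[1]):
                best = (subset, n)
    return best


if __name__ == "__main__":
    for holder in (POPULATION[0], POPULATION[9]):
        # All four fields together single out one person in this population.
        print("all fields ->", anonymity_set(POPULATION, holder, FIELDS))
        print("k=3 ->", choose_disclosure(POPULATION, holder, k=3))
```
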
| radicalbyte wrote:
| The Ministry of Health here have been commendable in the way
| that they've approached these apps.
|
| The key re-usable components of the system have been developed
| in public and in the open and made available with a permissive
| license.
| gillesjacobs wrote:
| I wish the standard would have adopted your proof of concept!
| I don't think you will get a lot of support here though,
| privacy skepticism regarding COVID seems to be met with
| downvote brigades.
| mmcnl wrote:
| It's not a PoC, CoronaCheck is the app that will be used in
| The Netherlands for generating QR codes. The domestic QR
| code will be much more friendly with respect to privacy as
| explained by radicalbyte. The reason that it's not been
| adopted by the EU is because member states want to set
| their own rules for entry. For example, some countries
| consider previous infection + 1 dose as fully vaccinated,
| others do not. Some countries approve non-EMA approved
| vaccines, most do not. That's why it's necessary to include
| more details. I think you have to remember that everything
| is a trade-off, if you want a more privacy-friendly
| solution, there will be a cost at some point.
| radicalbyte wrote:
| I wish that I could share my thoughts on that in public :(
| gillesjacobs wrote:
| > there is no superfluous data inside, so the QR code is not a
| privacy nightmare, as some have feared.
|
| I strongly disagree. If the goal is to determine the COVID19
| immunity status of a person on-site the only thing that should be
| contained is vaccination information. There is no need for full
| names, place of birth, issuer, targeted disease to be encoded in
| a QR-code that will be read by businesses. Especially since the
| information is presumably signed and verified by the official
| issuers anyway.
|
| Any other personal details such as age can be checked via already
| existing IDs. The "targeted disease" field betrays function scope
| creep. So much for the EU's moral high ground regarding privacy:
| needlessly sharing personal details for entering a cafe is not
| good privacy practice!
| markus92 wrote:
| How can I verify that the QR code is of the person in front of
| me, if there's no name or anything included? Screenshots are
| old you know.
| gillesjacobs wrote:
| There are zero-knowledge and differential privacy solutions
| to this issue. For more critical applications there probably
| is an ID cross-check and online verification being performed.
| The nightclub does not need to know my full name, residence
| and birthdate.
| skeeks wrote:
| On most ID cards, there is the full name and the birthdate
| of the person. So it does not matter if it's on the QR code
| too. The place of residence is neither on the ID card nor
| on the QR code.
| nomercy400 wrote:
| Name seems like a good field to include, but you will want to
| remove the 'vaccination details'.
|
| Does a bouncer at a nightclub really need to know I received
| one dose of a Pfizer vaccine against COVID-19 in Austria on
| February 18, 2021? Or does he need to know that 'I am fully
| vaccinated to enter this venue according to local laws'?
| jeroenhd wrote:
| How would you encode the local laws into a code that is
| generated by an app, published by another government?
|
| The type of shot, and the amount of shots, even the date of
| the shot, are all perfectly valid requirements that can end
| up in local law. AstraZeneca doesn't work well against the
| British covid variant, so in an outbreak you might end up
| with laws restricting the type of vaccination, easily.
|
| To determine what is and what isn't allowed, the logic
| should be built into the verification code, which each
| government can make their own for.
|
| If all of Europe were to use the same laws and regulations
| then I'd agree that this information does not need to be
| stored in the QR code. This is impossible to manage in
| practice, though.
| nomercy400 wrote:
| I'm not sure.
|
| What or who generates these QR-codes? Can't that system
| also provide the verification check? It is a European-
| wide 'system' after all.
|
| Who do you trust more with your data: your (european)
| government or a (non-european) government/private entity?
| skeeks wrote:
| The official validation apps will not show this detail to
| the user. Unofficial apps may come up but app stores will
| probably quickly ban those (they are very careful about the
| whole COVID topic in the playstores). There is still the
| chance of sideloading the app, but one does also need to
| consider if the vaccination information must really be
| protected that hard. In most countries, it's more or less
| randomly when and with what kind of vaccine you got
| vaccinated. And the really important information in my
| opinion is: is someone vaccinated or not? And this
| information is what the bouncer needs to know to let you
| in...
| nomercy400 wrote:
| Imagine Facebook sending any app that would have 'Login
| with Facebook' functionality, your full profile,
| including your plaintext password.
|
| Would you trust every and all third-party applications
| with this 'Login with Facebook' functionality, to not
| look at your plaintext password? Or would you rather have
| Facebook not send your password in the first place?
| yarcob wrote:
| You could include a photo of the person in the QR code, but
| I'm pretty sure most people would prefer just the name to be
| included.
| baby wrote:
| I'll tell you why it's not great: it doesn't interop with other
| vaccination passports. I got vaccinated in the US and I'm in
| France now and my vaccination is worth nothing. Perhaps it will
| be a good thing for the short term and to incentivize people to
| get vaccinated, but I'm not sure what other purpose this really
| has.
| WC3w6pXxgGd wrote:
| Vaccine passports are dumb.
| jeffrallen wrote:
| Thank you for this. I've been casually reading the Swiss Covid
| Certificate verifier to find the same info.
| sschueller wrote:
| Here is the source code of the Swiss version for anyone interested
| which in theory (I have not tested it) is EU compatible.
|
| Edit: I am able to scan the code in the OPs link with the Swiss
| App and I can import it however the certificate seems to be
| currently not accepted.
|
| https://github.com/admin-ch/CovidCertificate-App-Android
| harikb wrote:
| Thanks for the link! It is amazing to see a government app talk
| about reproducible builds and the importance of it!
| denysvitali wrote:
| To be fair, the app was developed by a private company with
| government money, AFAIK, but at least it's open source and
| good in quality :)
| xcambar wrote:
| A government that can balance what to do internally and can
| carefully choose their contractors, all the while pushing
| towards openness, is a dream come true.
| vbezhenar wrote:
| In my experience government either chooses cheapest
| contractor (with all sorts of consequences you can
| imagine) or bribes are involved (which might lead to a
| better outcome, surprisingly, but at much higher
| expenses). I wonder how Switzerland manages to avoid that
| plague.
| throwaway8451 wrote:
| I think that I once heard that in Switzerland the second
| cheapest bidder is the one to get the contract, exactly
| to discourage someone aggressively underbidding all
| others. I could not verify that now though.
| blocked_again wrote:
| What is the right solution here from a game theory
| perspective?
| bhaak wrote:
| Own two companies that aggressively underbid all others?
| xcambar wrote:
| That is deceptively simple. It might just work :D
| z77dj3kl wrote:
| Auction design is a very active research area and what
| the "right solution" is, is not so easy to figure out.
| This has huge applications in... adtech.
| sschueller wrote:
| Sadly not the rule at the moment in Switzerland. Lots of
| mistakes have been made but there is a strong push
| towards this kind of work. E-Voting and E-Id was a
| disaster and we hope it gets pushed into this kind of
| openness and focus on privacy for all future government
| software.
| jeffrallen wrote:
| Some reality from someone who is involved:
|
| E-voting was a poorly implemented transparency process to
| check a not totally terrible (and also, not correct)
| implementation of a pretty good design. Lessons were
| learned on the transparency side, and they are on
| HackerOne now, doing things approximately right. Security
| is hard and they will probably fail again, but they are
| failing according to industry standards now, at least. (I
| was a reviewer of the original system.)
|
| e-ID was rejected by the voters as a gift of a service
| that should have been in government control to private
| industry for them to make profit on it. There was nothing
| technically terrible about the design for outsourcing
| eIDs to private industry, it was just a concept the
| voters found unacceptable. (I voted no along with a
| majority of my fellow citizens.)
| CaptainZapp wrote:
| It didn't really help that one of the prime candidate
| companies to issue the eId couldn't get even basics, like
| cert management, straight.
|
| I'm quite thankful for Die Republik (slightly leftist
| daily internet "paper", which is ad free and subscription
| only) because I think they were quite instrumental in
| uncovering some of the shenanigans being pulled by those
| companies.
| wdroz wrote:
| This was developed by Ubique[1] and they aren't at their
| first app.
|
| [1] -- https://www.ubique.ch/
| AmericanChopper wrote:
| Do the verification apps do an online validation? If yes then
| where is there any PII in there at all, and if no then why
| isn't it signed?...
| ewidar wrote:
| > and if no then why isn't it signed?
|
| It is indeed signed, according to the blog post and to the
| spec linked in the blog post https://github.com/ehn-dcc-
| development/hcert-spec/blob/main/...
| AmericanChopper wrote:
| Oh, it's a COSE message. It all makes sense now.
| unknown_error wrote:
| How does the scanner app verify the signature? Does it
| always have to be online, or does it have a set of trusted
| public keys included?
|
| How are the codes generated to begin with? Is there some
| central database that hands them out, or can any clinic
| generate one (having access to a copy of the private key?)
| pfg wrote:
| The verification app needs to maintain a set of trusted
| certificates. More details on the trust model can be
| found here: https://github.com/ehn-dcc-development/hcert-
| trust/blob/main...
|
| Infrastructure for code generation and signing is
| probably country-specific, though I imagine most
| countries will establish centralized systems dealing with
| this and integrate with other systems that track
| vaccination or test records on various levels (some
| countries delegate vaccination efforts to their states,
| others handle it nationally, etc.)
| jcq3 wrote:
| Is it possible to spoof the qr code? If so, how?
| stevengraham wrote:
| There is an epidemic of naivety and irrational fear pervasive in
| society right now.
|
| Even "data" and "science" is subject to emotionally or
| ideologically-driven narrative and/or subjective perception.
|
| This, against a backdrop of our current "big tech" which has
| demonstrated wanton disregard for individuality and autonomy in
| favor of centralization and manipulation.
|
| There are a few voices of reason here. Hopefully more will speak
| up.
|
| It is the very creation of SYSTEMS that pose the greatest risk to
| individual liberty and the course of society.
|
| Once the systems are in place, they can evolve. They can be
| leveraged or weaponized.
|
| It is past time for ethics and limits in tech. The creation of
| these "pass" systems is extremely naive, and forms the basic
| enabler of a technocratic tyranny.
|
| Your personal autonomy is being increasingly removed.
|
| You are approaching a reality where some (many in this thread)
| naively want you to accept that you are inherently dangerous,
| untrustworthy, and unprivileged - until some central "system of
| authority" grants you "privilege" to exercise "rights" that are
| being removed.
|
| No thanks.
|
| Reject the overton window shift.
| 1_player wrote:
| Nonsensical appeal to fear. Either express concrete criticism
| or avoid posting rambling FUD and doomsaying that doesn't
| contribute to the topic at hand.
| johnbaker92 wrote:
| Amen to that. Sad that most seem to go along with this
| nonsense. No thanks, I will also pass on this. This is the
| opposite of what true freedom looks like.
| mssundaram wrote:
| So it's "papers please" all over again for Austria?
| vicedvin wrote:
| Using "green" pass does contradict with EU resolution 2361/2021
| which states:
|
| " 7.5.2 use vaccination certificates only for their designated
| purpose of monitoring vaccine efficacy, potential side effects
| and adverse events;"
|
| Allowing people to visit pubs or other social places is the right
| -- whether someone concerned of getting sick it is up to them to
| get a vaccine; those who are not in for the experiment (most of
| covid vaccines are in experimental state up to year 2023) shall
| not suffer the artificial social limitation barriers.
| tyingq wrote:
| The "first positive test result date" in the recovered example
| seems interesting to me. Is there a reason for a pub to know
| you ever tested positive, if you are far enough past the date,
| immunized, etc?
| ajsnigrutin wrote:
| Depends...
|
| In my country, if you get a positive PCT test, you can go
| places 10 days after the result and up to 6 months after, then a
| vaccination is required (or a new positive result, or a test).
|
| If another country has different limits (14 days after the
| positive test and up to 5 months after), they need a test date
| to calculate if you're allowed to enter or not.
|
| As someone from a former socialist country, this really reminds
| me of "papers please", especially the border crossings between
| countries with similar numbers of infected not letting people
| cross.
| streamofdigits wrote:
| it feels as if the covid pandemic will do more to sensitise
| people to the critical role of digital technology and data
| privacy in our lives than any amount of activism back in the days
| of "normality", let me check - 478 days ago.
|
| these exercises in scrutiny, the demands on transparency,
| accountability, second order risk analysis etc. all this sets a
| precedent that will not be easy to ignore.
|
| a silver lining if you wish [you can now resume the discussion]
| benjaminwootton wrote:
| I never really engaged with the arguments about Facebook,
| Whatsapp privacy update etc. Mainly because I thought they were
| just trying to sell us ads.
|
| Maybe I made a mistake as I certainly care about data privacy
| now. These passes are an absolute tragedy for society as far as
| I can see.
| da_big_ghey wrote:
| i was the same... i am just avoiding facebook and whatsapp. i
| can not avoid a required scan for to enter my local food
| market. "you will submit to tracked or be ostracized from
| society... you have no rights until central government
| certify you."
| A_No_Name_Mouse wrote:
| Does it reflect a state of prior illness where only 1 jab is
| required instead of 2? Or is the doses element adjusted to
| reflect that?
|
| Edit: could be in the top level "r" for Recovery group element
|
| Edit 2: no, the recovery element does not allow information on
| vaccination, and vaccination/recovery group cannot be combined
| carlmr wrote:
| At least not in Germany, which is a point of contention:
|
| https://www.faz.net/aktuell/wirtschaft/jens-spahns-umgang-mi...
|
| They won't give you a second jab, but they also won't
| officially recognize you as vaccinated right now. And travel is
| also problematic since not all countries, not even the EU
| countries, accept prior illness + vaccine as being fully
| vaccinated.
|
| These laws look like code that could use property based
| testing.
| jeroenhd wrote:
| The benefit of this system is that at least we have a unified
| document right now. From what I've heard, covid recovery is
| indeed part of the QR code so any country accepting half
| vaccinated people that have recovered doesn't need to deal
| with different paperwork from every member state.
|
| The lack of getting people a second shot is disappointing,
| but with the limited availability of vaccines it's
| understandable from a health perspective. The goal of
| vaccination isn't to help people travel, it's to prevent a
| deadly disease, after all.
|
| We'd be better off with a common deciding factor what
| measures are acceptable to cross the borders, but areas with
| tourist-centric economies are incentivised to reduce the
| access requirements, and other countries are paying for those
| economies while they're still failing, so health and safety
| wouldn't be the main concern of such a common approach. The
| national approach doesn't have this problem, at least not for
| the countries supplying the tourists.
| kroeckx wrote:
| My understanding is that vaccination, recovery and a
| negative test are 3 separate QR codes. You normally only
| need 1 of the 3.
| A_No_Name_Mouse wrote:
| As far as I can tell, the schema does not allow combined
| information stating "prior illness" and "1 out of 2 jabs".
| So it does not even provide enough information for
| countries to decide if that level is acceptable, even if we
| had a common deciding policy.
| w-m wrote:
| The J&J/Janssen vaccine requires only one dose as well, and you
| can get the green certificate after the single dose. Since the
| format encodes 'doses received' and 'total number of doses'
| separately, I would guess that people with prior illness can
| similarly get the total dose number set to 1 there.
| samuel wrote:
| It implicitly does. In that case, the certificate has to show
| 1/1 instead of 1/2 for a two doses vaccine.
|
| Besides, the recommendation for people who had the infection is
| to get the shot 6 months after the diagnosis, so it would make
| no sense to include that information in the recovery one.
|
| Source: I work for one of the regional healthcare providers in
| my country and my team had to develop our EU compatible
| certificates.
| ezoe wrote:
| It looks like technically bogus to me.
|
| A technically sound proof which doesn't require online access is
| like this.
|
| The authority encrypts some private information (name and birth
| date for example) with the private key, encodes it to a QR code
| and gives it to the customer.
|
| On entering the pub, the customer shows the document (passport,
| driver's license etc) which proves his private information. Staff
| then decode the QR code and decrypt it with the authority's public
| key. Check the decrypted text.
| iudqnolq wrote:
| That sounds exactly like what they did to me?
| sneak wrote:
| > _Apart from the name/manufacturer of the received vaccine,
| there is no superfluous data inside, so the QR code is not a
| privacy nightmare, as some have feared._
|
| It has someone's name and DOB in it, which, when scanned, creates
| a record of their identity at that location at that time.
|
| Coordination between scanners can create a crude track log.
|
| It's still a privacy nightmare.
| realityking wrote:
| Name and DOB are necessary to cross check the certificates with
| IDs/passport to make sure screenshots aren't passed around
| yokaze wrote:
| It is the same way necessary as having your passwords stored
| in plain-text to verify your password.
|
| Name and DOB could be hashed and compared to the hash inside
| the QR code.
| daveoc64 wrote:
| Such a system would be a nightmare for matching names
| reliably.
|
| There may be variations between different documents (e.g.
| it might exclude middle names, people might use a different
| name on different documents, accented characters, hyphens,
| might be in a different order, might have a title or
| honorific such as "MR").
| yokaze wrote:
| Reflecting on it, it doesn't solve anything, as I still
| have to give my name and date-of-birth to the person
| validating it anyway.
|
| Otherwise, there is a large degree of normalisation in
| the id documents in the EU, and you could simply hash
| each variation.
| uniqueuid wrote:
| Really interesting. I like the choice of leaving the final
| judgment about immunity outside the code - i.e. to have the
| client verify that the doses are sufficient and happened in a
| suitable time window.
|
| That will make things easier when the desired immunity definition
| changes (i.e. require three vaccinations), and also allows
| medical staff to make their own judgments.
| kiallmacinnes wrote:
| There's a whole extra layer of legal complexity here :)
|
| e.g. some countries will consider you fully vaccinated X weeks
| after your 2nd jab of a specific vaccine. Others will say it's
| X+1 weeks.
|
| The system has been built so that these decisions aren't in the
| cert itself, rather each country can layer on "business rules"
| on top. So - even if the cert expiry date is likely to be set
| far into the future, that has zero bearing on if it will be
| accepted or considered expired.
| nraynaud wrote:
| A lot of people already require 3 shots. All transplanted, in
| dialysis and chemotherapy patients in France are shot 3 times
| as a rule, and a lot of them still get tested afterwards.
| denysvitali wrote:
| > i.e. require three vaccinations
|
| Well, I guess that will invalidate the covid certificate. There
| seems to be the "number of doses" and "doses received".
|
| It will be interesting to see how this will actually be changed
| if we need more than 2 vaccines to be considered immune. Will
| they have to re-issue a certificate and invalidate the previous
| one? Will they let the old certificates expire and issue a new
| one with the updated total count?
| tomp wrote:
| I'm guessing there's a timestamp of the vaccination... many
| EU countries are currently saying that vaccination is only
| valid for 6 months (though I expect this to be a pessimistic
| estimate, likely to increase soon)
| FriendlyNormie wrote:
| You are literally the "govern me harder daddy" NPC meme. Eat
| shit and die you worthless little faggot.
| pmontra wrote:
| No need to invalidate the old certificate. If the new
| requirement is 3 jabs and the certificate reads 2, the
| certificate is useless. The person carrying it will ask for a
| new one reporting all the 3 jabs.
| denysvitali wrote:
| Yes but then the "total doses" field is useless :S
| robthebrew wrote:
| I'm having grief running the code on MacOS. Has anyone tried
| running the UK NHS app QR code through this? I am (200%) certain
| that uk.gov reinvented the wheel just to piss everyone off, but
| it would be interesting to know.
| contracertainty wrote:
| The UK doesn't have an NHS, nor NHS app. The UK has four
| national health services, one for each country. IIRC only
| England has an NHS app. And we have no id cards. It's not
| looking good.
| robthebrew wrote:
| Have you looked at (in my case) the iOS app store? They
| certainly do have just such an app. Sure, I made a mistake
| thinking we were still United, but there is such an app for
| England residents.
| girst wrote:
| well, i've written that code quite hastily, and mostly for my
| own need. i'd guess, the most likely cause would be a missing
| libzbar.
| mattdoughty wrote:
| I have decoded the UK QR code (though not using this code). It
| conforms to the same standard.
| robthebrew wrote:
| That is good to know, as the app seems to claim you can use
| the QR code for foreign travel. Whether it is accepted is
| another thing.
| fy20 wrote:
| I'm somewhat disappointed it contains personal data. I wonder how
| long until third party validation apps come out that exfiltrate
| this to the highest bidder. Yes of course GDPR should protect you
| from the business purposely doing it, but I'm more thinking of
| the app doing it without knowledge.
| user-the-name wrote:
| It contains your name. That seems like the absolute minimum
| personal information you could possibly include.
| nomercy400 wrote:
| It links 'name' to 'vaccination details'. I can imagine you
| would want to prevent that link.
|
| If you cannot hide 'name', because you need that for
| identification, you could hide 'vaccination details', for
| example by linking 'name' to 'is properly vaccinated?'. No
| need to specify what vaccine gotten where and when in how many
| doses. The signed-certificate part could still be present, as
| a tampering protection.
| squarefoot wrote:
| > I can imagine you would want to prevent that link.
|
| This very likely is a subjective matter. I absolutely would
| _want_ my name to be associated to my vaccination details,
| and will certainly do when it will be my turn to get the
| shot (still have high antibodies level after catching
| symptomatic Covid months ago).
| nomercy400 wrote:
| Yes, I can understand for registering who has been
| vaccinated and when, it is necessary to combine these
| pieces of data.
|
| The part I am worried about is, do I want to give anybody
| and everybody access to this information, or only a
| select group which is in my control.
|
| Do I want to share my full Google/Facebook account, with
| password, with everybody that I show a QR-code to (for
| example a 'Login with Facebook' button), or do I want to
| be selective and only allow for 'verify and give
| permission to access part of profile'?
|
| Do I want to share my full contacts list with a random
| app I installed from an app store, just because I started
| it? Or do I want to be selective and deny 'access to
| contacts' for a game which has no business looking
| through my contacts.
| user-the-name wrote:
| The entire purpose of this thing is to link those two
| pieces of data. If you remove that link, there is no point
| to having anything.
| nomercy400 wrote:
| 'Those pieces of data' is very vague. Do you want to know
| if somebody has been properly vaccinated
| (isFullyVaccinated), or against what, with what, when,
| where and how many times?
| user-the-name wrote:
| Why is that vague? The data is perfectly explained in the
| linked article.
| bloak wrote:
| It seems to contain name and date of birth. Would it be
| better if it contained the person's ID card number, assuming
| they have such a thing?
| pmontra wrote:
| Id cards expire and are replaced by new ones with new ids.
|
| In my country they expire after 10 years, on the birthday.
| So about 7 / (365 * 10) = 0.002 % of id cards expired this
| week here, or 115k cards. I'd store only the name and
| birthday and let officers check the id card with the usual
| procedure.
| bloak wrote:
| It would presumably not be a problem for people to
| regenerate their QR code when they replace their ID card.
| They have to regenerate it every day or so anyway. (The
| QR code in the article expires after 48 hours.)
|
| Linking to an ID card number has the slight advantage
| that the ID card number is unique whereas several people
| can have the same name and date of birth. It doesn't
| really help with keeping the name or date of birth
| private because in practice those things are printed on
| the ID card which has to be shown together with the QR
| code.
|
| The ideal would be to reveal only the information that is
| needed in a particular situation. For example, if you're
| trying to get into an Austrian pub all that's needed is
| the photograph of the face and confirmation that the
| person with that face is over 18 and vaccinated. Though
| in practice people like pub bouncers are not very good at
| checking faces so having a physical ID card that is hard
| to counterfeit is an important part of the security.
|
| That line of reasoning suggests that what's needed is an
| ID card with banknote-style anti-counterfeiting measures
| that shows _only_ a unique number and a photograph while
| all other information is provided through another channel
| such as a QR code.
| pmontra wrote:
| I generally agree with what you wrote. However:
|
| > It would presumably not be a problem for people to
| regenerate their QR code when they replace their ID card.
| They have to regenerate it every day or so anyway. (The
| QR code in the article expires after 48 hours.)
|
| A not small number of those 115k people per week are
| elders without a smartphone or no digital abilities
| except video calling their children and nephews.
|
| Luckily it seems that in my country we'll be able to get
| a permanent QR code (paper or plastic, don't know.) I'm
| thinking about getting that one instead of the digital
| certificate: one less app, no worries about batteries and
| if it worked for my passport, id card and driver license
| it will be OK for my covid pass too.
| fabian2k wrote:
| Without personal data you cannot verify that the code belongs
| to the person showing it.
| krona wrote:
| Unless the code contains biometrics (even just a photo)
| you're not 'verifying' anything without some _other_ way to
| verify it.
| sgtfrankieboy wrote:
| They verify it against the person's ID card which has a
| photo of them by matching up the name.
| fabian2k wrote:
| The code contains your name and date of birth. The photo is
| on your ID card/passport you show along with the QR code.
| So the person checking you can verify that the names and
| date of birth match, and that the photo in your ID could
| reasonably be you.
| jeroenhd wrote:
| The PII is in there so you can verify against some kind of
| ID. The QR is not intended to be valid without also
| checking the accompanying ID.
|
| They could've gone the lazy route and stored your SSN (or
| similar).
| zaarn wrote:
| The German and Swiss/Austrian apps are all open source (and I
| think all three also have reproducible builds, you can verify
| what you installed, I know this is true of the official German
| apps involved). If you use a non-gov third party app that's on
| you I guess, not much from stopping you doing that since the QR
| code can be handled by any app.
|
| Otherwise, some personal data will be required, since the
| person checking your code (like a bouncer) must be able to
| verify that against your ID card.
| dannyw wrote:
| If people are using apps, there are zero knowledge proofs
| that can be used here.
|
| The bouncer at the night club doesn't need to know how many
| doses you had or where you tested negative, as that has no
| impact by the legislation
| csunbird wrote:
| The bouncer will also not check your ID as long as the
| barcode scanner says it is a valid certificate. He just
| does not care at all.
| gillesjacobs wrote:
| But it's trivially readable and collectable anyway.
| zaarn wrote:
| It does actually, because not all vaccines require the same
| amount of doses and if you were infected, that's a
| completely different story too. Different cities also have
| different timespans after infection or dose after which you
| can start all the fun activities (and sometimes it matters
| per activity). For example, the nightclub might require 7
| days after the last required dose for vaccination or 14
| days after the last negative test after an infection, but
| other venues might only require 7 days after the last
| negative test and 14 days after the last dose.
|
| In addition to that, legislation may change, so your time
| limits and dosage limits now all change and future
| vaccinations might require more doses.
|
| Either way, the bouncer doesn't get to see any of this.
| They only see your name, check your ID if it's the same
| name (which they have to do anyway to check you're 16 for
| alcoholic beverages and curfew) and then wave you through.
| The apps I've seen in use by people who check the
| vaccination QR code only give you an OK or NOT OK signal,
| once you've set up the type of limits you have to obey.
| ChrisMarshallNY wrote:
| In New York, we have the "Excelsior Pass," which is quite
| similar[0].
|
| Here's what it looks like (in a big fat QR):
|
|     {
|       "@context":["https://www.w3.org/2018/credentials/v1"],
|       "id":"<INDIVIDUAL ID>",
|       "type":["VerifiableCredential"],
|       "issuer":"<ISSUER ID>",
|       "issuanceDate":"2021-06-12T01:14:19Z",
|       "expirationDate":"2022-05-19T03:59:59Z",
|       "credentialSchema":{
|         "id":"<SCHEMA ID>",
|         "type":"JsonSchemaValidator2018"
|       },
|       "credentialSubject":{
|         "display":"#24387E",
|         "passType":"COVID-19 Vaccination",
|         "subject":{
|           "birthDate":"<DOB>",
|           "name":{
|             "family":"<LAST NAME>",
|             "given":"<FIRST NAME>"
|           }
|         },
|         "type":"COVID-19 Vaccination"
|       },
|       "proof":{
|         "created":"2021-06-12T01:14:19Z",
|         "creator":"<CREATOR ID>",
|         "nonce":"<NONCE>",
|         "signatureValue":"<SIGNATURE>",
|         "type":"EcdsaSecp256r1Signature2019"
|       }
|     }
|
| I'm not sure where to get the schema, but it looks like some
| common format.
|
| There's not really any private medical ID in there. My driver's
| license has more info.
|
| [0] https://epass.ny.gov/home
| shellac wrote:
| It's jsonld, using w3c verifiable credentials.
| (https://www.w3.org/TR/vc-data-model/). Using the context
| (https://www.w3.org/2018/credentials/v1) you can look up
| information about the properties and types, in principle.
|
| (It also includes a link to a json schema)
| [deleted]
| [deleted]
| allyourhorses wrote:
| The certificate expires after 1 hour, so this is still an online
| process.
| supermatt wrote:
| They don't expire after 1 hour - where did you hear that?
| justinmchase wrote:
| The example in the article seems to show a 1hr expiration but
| it's probably just fake data for the sake of the article.
| Spooky23 wrote:
| I think there is a green pass for unvaccinated individuals
| that allows an antigen test to be used. Those tests are only
| valid for a few hours, varying by jurisdiction. (I think most
| US states accept these for 6 hours)
| [deleted]
| Spooky23 wrote:
| Depends on the cert. I know when I got the NY excelsior
| pass, the certificate expired about 6 hours after either
| the test was administered or results determined. (Don't
| remember which)
| supermatt wrote:
| Sorry - I deleted my comment as I thought it was
| superfluous, but to reiterate - "it would be the validity
| for the test, not the cert". It is entirely possible that
| there was an expiry set, but you wouldn't be able to
| "reissue" it with a new expiry date, in contrast to what
| GP was suggesting.
| Spooky23 wrote:
| No worries. This stuff is all as clear as mud, and
| different jurisdictions take differing approaches.
| There's a few competing standards, lots of noisy people,
| etc.
| CaptainZapp wrote:
| At least the Swiss version has no expiration date.
|
| That said, the government communicated that it's currently
| valid for 6 months after the second jab.
|
| This is because the length of effectiveness of the vaccination
| is not reliably known.
|
| I don't know how it works with certificates, which are issued
| based on a negative test.
| bloak wrote:
| The example in the article seems to expire after 48 hours:
|
|     4: 1624458597,  # QR code expiry
|     6: 1624285797}  # QR code generated
|
| 1624458597 - 1624285797 = 172800 = 48 * 60 * 60
|
| (I would have thought they could afford to be a bit more
| generous than that. If they were valid for a few weeks then it
| would be practicable to print them out.)
| pfg wrote:
| To add a real datapoint: the QR expiry date for the
| certificate of my second shot is set to 360 days after I
| received the shot.
| supermatt wrote:
| The example is fictional.
| motohagiography wrote:
| This tech is troubling, partially because it will work, the
| question is what it will work for. I've worked in privacy for a
| long time, and these passport schemes are just an absolute attack
| on health information privacy legislation and they create the
| precise outcome the regulations were designed to prevent, which
| was a literal tyrannical society that used arbitrary medical
| pretexts to privilege and disadvantage people politically and
| economically. This isn't just rhetoric either, we have decades of
| health information privacy legislation built around this
| principle. Every single new government tech in many countries
| needs to go through a privacy impact assessment to ensure it
| isn't a mechanism to do this specific thing, and I guarantee
| these technologies would not have survived one.
|
| Why should you give your vaccination status to anyone within the
| borders of a country, and what meaningful assurance does it
| provide to the pub/venue receiving it?
|
| Here is what it does not do:
|
| a) show you do not have a variant of a disease
|
| b) show you are not carrying a disease
|
| c) show you are or are not vulnerable to a disease or variants of
| it
|
| What does demonstrating this status signify? Perhaps I am missing
| something.
| zoobab wrote:
| All this personal health info should never have ended up being
| encoded in clear in the QR code.
|
| Some French researchers and Laquadrature are going to court to
| remove that info from there:
|
| "reading the 2D code still lets anyone, just as easily, access
| health data that is very sensitive but completely unnecessary
| for the pass to work: date the vaccine was taken, name of the
| vaccine, past contraction of the disease"
|
| https://www.laquadrature.net/2021/06/09/passe-sanitaire-atta...
| motohagiography wrote:
| Why should we have a health status QR code at all?
| kokey wrote:
| I guess this only works if it's used alongside proof of name
| and/or date of birth. I guess adding some basic biometric data
| like height and eye colour would have allowed venues to harvest
| even more personal data which is not ideal.
| monkeybutton wrote:
| Looks similar to the one implemented in Quebec:
| https://news.ycombinator.com/item?id=27354815
| mvanaltvorst wrote:
| Who is in control of the actual certificates? Is it a private
| company, or the government of some European country?
| stavros wrote:
| You mean the CA that signs the vaccination certificates?
| billpg wrote:
| Given the structure seems simple, what would prevent someone
| making their own QR with fake data and a randomly selected ID
| number?
|
| If the answer is that a service can validate the data, then why
| not just have the ID value if it's all going to be on a server?
| mrweasel wrote:
| Danish teens just took a screenshot of their QR code and shared
| it with a friend. It's only valid for an hour, then your friend
| needs to send you a new one, but it was enough to get in to the
| gym and stuff like that.
|
| Some even sold screenshots on Facebook.
|
| Now the app has all sorts of cool colour effects when you tilt
| your phone.
| [deleted]
| intellirogue wrote:
| Does the Danish one not contain name etc? The idea was that
| you'd be comparing that against photo ID.
| ziihrs wrote:
| The Danish app gives the user two options. You can either
| show one that contains name and DOB or one that doesn't.
|
| It's not clear (to me) when you are supposed to show the
| code with additional information, and I haven't been asked
| to do so.
| Svip wrote:
| > It's not clear (to me) when you are supposed to show
| the code with additional information, and I haven't been
| asked to do so.
|
| The option with more data is only for official
| situations, like border control. That version is also in
| English and French.
| colde wrote:
| No, actually the Danish app has 3 versions.
|
| 1. No personal information at all. It only says valid or
|    not valid.
| 2. Name and date of birth
| 3. Foreign travel, with name, date of birth as well as
|    information about test type or vaccination type etc.
| mrweasel wrote:
| It does not, well it does, but you have to click to unhide
| it. There isn't a Danish ID without a SSN on it, and that's
| secret. There was some resistance to allowing restaurants and
| other venues like that to see your name and SSN.
|
| So no, due to privacy, there's no name shown by default.
| Yaina wrote:
| I can't find any articles that either talk about "danish
| teens" or "sold screenshots on facebook". Do you have any
| sources you can link?
|
| The QR code's design is pretty sound, so as long as they are
| validated correctly and checked against an ID this should not
| be possible.
| ziihrs wrote:
| This one [1] doesn't specifically mention facebook.
|
| You can run the text through a translator yourself, but the
| main quote: "Henover weekenden har vi allerede set de
| forste eksempler pa danskere, der saelger QR-koder i
| lukkede grupper pa sociale medier" roughly translates to:
| "During the weekend we have experienced the first examples
| of people selling QR codes in closed groups on social
| media".
|
| Edit: This article [2] is about 6 teens being charged with
| forgery of the pass.
|
| [1]: https://www.inputmag.dk/snyd-med-coronapas-er-dokumentfalsk/
|
| [2]: https://www.dr.dk/nyheder/regionale/oestjylland/seks-gymnasi...
| CaptainZapp wrote:
| What I don't quite get is that the certificate is linked
| to me personally.
|
| Notably, it contains my full name, including middle name,
| and date of birth.
|
| It notably states that it's only valid together with an
| identification document.
|
| It's possible, of course, that gyms and nightclubs don't
| check very thoroughly, but I certainly wouldn't risk
| passing a border with a fake certificate.
| detaro wrote:
| Yes, it's fairly obvious that none of this works if you
| don't verify that the identity matches the ID (the yellow
| paper pass won't either!), but you can nevertheless
| expect that plenty places won't do that. Or even just see
| "app shows the right color and a QR code", there was an
| embarrassing amount of media coverage of the fact that if
| you set the system time in the future the German app will
| show the "right" color even if someone hasn't waited long
| enough after their vaccination... which of course has
| zero effect on if validation succeeds or not.
| the_mitsuhiko wrote:
| There is not even an app here, people just show QR codes
| from wherever they have stored them.
| vbezhenar wrote:
| The only thing you should verify is photo. Because you
| can't really verify an ID either (other than checking a
| photo). So QR code should just encode a photo URL (and
| sign it) and QR scanner should display that photo.
| distances wrote:
| That would mean some centralized data store. I'd be
| against such a measure. Current approach is device only,
| with very limited risk of data breach.
| vbezhenar wrote:
| Maybe it's possible to encode some kind of low-res
| compressed image in QR-code? I did not run the math. Or
| maybe it's even possible to scan photo from smartphone
| display, run some kind of image hash and compare it to
| hash inside QR-code. This way it would be possible to
| work completely offline. I think it's called perceptual
| hashing, though I'm not sure if it's cryptographically
| secure.
| bonzini wrote:
| Currently the image is retrieved via a very powerful
| distributed database with embedded authentication,
| consisting of millions of wallets and handbags. The
| authentication key is the name and date of birth, and is
| printed on both the pass and the medium that stores the
| image.
| Yaina wrote:
| That's so strange, and almost suggests that the people
| implementing these apps don't understand the security
| model behind these codes.
|
| Any information on the users phone can 100% not be
| trusted. It should just show the QR code. On the other
| hand the scanning App has to validate the signature,
| check if the dates are correct and display a big info
| that the QR is only valid if the name is the same as the
| one on a presented ID.
|
| Maybe this should have been a design requirement from the
| EU spec.
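The verifier-side duties described in this subthread (check the dates, apply venue-specific limits, show the operator only OK / NOT OK plus the name to compare with an ID), sketched as an added example that is not part of the thread, the article, or any official app. Assumptions: the signature has already been verified before `evaluate` runs, the claim keys follow the EU DCC layout (4 = expiry, 6 = issued, -260 = health certificate with `nam`, `dob`, `v`/`dn`/`sd`/`dt`), and the sample certificate and policy values are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed sample: claims as they would look AFTER signature verification
# and decoding. Name, dates and doses are made up for this example.
SAMPLE_CLAIMS = {
    1: "XX",            # issuer (placeholder country code)
    4: 1624458597,      # QR code expiry
    6: 1624285797,      # QR code generated
    -260: {1: {
        "nam": {"fn": "Doe", "gn": "Jane"},
        "dob": "1990-01-01",
        "v": [{"dn": 2, "sd": 2, "dt": "2021-06-12"}],
    }},
}


@dataclass(frozen=True)
class VenuePolicy:
    """Limits the operator configures once; hypothetical structure."""
    name: str
    min_days_after_final_dose: int


@dataclass(frozen=True)
class Verdict:
    ok: bool
    holder: str   # shown to the operator for the ID comparison
    dob: str      # shown to the operator for the ID comparison
    reason: str   # local diagnostics only, never shown or stored


def evaluate(claims: dict, policy: VenuePolicy, now: datetime) -> Verdict:
    """Apply expiry and venue rules. `now` is the verifier's own clock,
    so nothing displayed or set on the holder's phone influences it."""
    cert = claims[-260][1]
    nam = cert["nam"]
    holder = f'{nam.get("gn", "")} {nam.get("fn", "")}'.strip()
    dob = cert.get("dob", "")

    def verdict(ok: bool, reason: str) -> Verdict:
        return Verdict(ok, holder, dob, reason)

    ts = now.timestamp()
    if ts >= claims[4]:
        return verdict(False, "certificate expired")
    if ts < claims[6]:
        return verdict(False, "issued in the future")

    today = now.date()
    for entry in cert.get("v", []):
        if entry["dn"] < entry["sd"]:
            continue  # series not complete yet
        days = (today - date.fromisoformat(entry["dt"])).days
        if days >= policy.min_days_after_final_dose:
            return verdict(True, "vaccination series complete")
    return verdict(False, "no entry satisfies the venue policy")


def operator_view(v: Verdict) -> str:
    """Data minimisation: vaccine, dose count and dates never reach the screen."""
    status = "OK" if v.ok else "NOT OK"
    return f"{status} | {v.holder} | {v.dob} | compare with photo ID"


if __name__ == "__main__":
    now = datetime(2021, 6, 22, 12, 0, tzinfo=timezone.utc)
    for policy in (VenuePolicy("nightclub", 7), VenuePolicy("other venue", 14)):
        print(policy.name, "->", operator_view(evaluate(SAMPLE_CLAIMS, policy, now)))
```

The same certificate passes the 7-day policy and fails the 14-day one, which is why the limits live in the verifier's configuration rather than in the signed payload.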
| logifail wrote:
| > the people implementing these apps don't understand the
| security model behind these codes
|
| I'm not entirely sure that the people implementing the
| policies understand the 'herd immunity' model, nor the by
| now fairly comprehensive statistical data on who is and
| isn't at significant risk from Covid19.[0]
|
| Q: If a healthy 18 year-old chooses to attempt to go to a
| nightclub unvaccinated, who exactly is put at risk from
| this?
|
| [0] https://www.ons.gov.uk/aboutus/transparencyandgovernance/fre...
| aj3 wrote:
| A: non-immune people this 18-year comes in contact with
| later
| logifail wrote:
| Public health bodies will struggle to convince healthy
| young people to take a vaccine that gives them very
| little direct benefit.
|
| "Children's risk of severe disease from Covid is tiny,
| deaths are extremely rare and have only occurred in UK
| children with profound underlying and life-limiting
| conditions. The direct benefits to them of vaccination
| would be low."[0]
|
| [0] https://www.bbc.com/news/health-57496074
| aj3 wrote:
| we live in society
| logifail wrote:
| > we live in society
|
| Insert quote from Margaret Thatcher from 1987?[0]
|
| More seriously, there is no [longer] one approved way to
| live, thank goodness.
|
| We rightly demand that larger / mainstream groups respect
| minorities.
|
| At what point is it OK to stop listening or respecting
| minority views, and who gets to decide that?
|
| [0] "you know, there's no such thing as society. There
| are individual men and women and there are families"
| https://www.theguardian.com/politics/2013/apr/08/margaret-th...
| razius wrote:
| Tbh I don't think the goal is risk prevention, if you
| take that into consideration the app works perfectly.
| MayeulC wrote:
| > _Q: If a healthy 18 year-old chooses to attempt to go
| to a nightclub unvaccinated, who exactly is put at risk
| from this?_
|
| That person, plus every person they come in contact with.
|
| Oh, you can compute the total "risk" of course. Assuming
| the person is contaminated and you put their personal
| "risk" threshold at an arbitrary 2% (which I just pulled
| out of thin air: chance of getting unacceptable
| side-effects: p(side_effect|contaminated)). You then have to
| sum that up for every person they come in contact with.
|
| sum((1-vacc_effectiveness)*personal_risk*transmissiveness).
|
| The real contribution might be even greater than that, as
| the contaminated will go on to carry the virus to other
| people.
|
| In theory if the number of people is large enough, you
| should be able to replace the values with average ones,
| but it's likely that 18 yo will spend more time with 18
| yo than 70 yo.
|
| To sum it up, herd immunity only works if enough people
| are immune (vaccinated). Everyone should feel responsible
| for it, even 18 years-olds (unless you take a very
| individualist view of life, which seems like a dominant
| feeling in the US: it works a lot like the prisoner's
| dilemma). Anyway, I'm just proud of performing my civic
| duty, I won't be a carrier for that virus.
| ec109685 wrote:
| That's not how vaccine effectiveness works. There's
| already a probability less than one of getting Covid if
| unvaccinated, and the effectiveness of the vaccine is the
| reduction from that.
|
| So if over the course of their study period, 100
| unvaccinated people got covid out of a thousand tracked,
| with a 98% effectiveness, only 2 people in the 1000
| people vaccinated group would have gotten it.
|
| So vaccines are really effective. Even more so for
| preventing serious complications.
| logifail wrote:
| > chance of getting unacceptable side-effects
|
| There are a considerable number of people out there -
| some of whom are young and healthy and at vanishingly
| small personal risk from Covid19 - who if you mention the
| phrase "unacceptable side-effects" their first thought
| would be of side effects from vaccination, not the virus.
|
| The boss at my daughter's kindergarten had Covid19 last
| summer. She had to quarantine for two weeks, then came
| back to work. She told me (unprompted) that sitting out
| the quarantine was way worse than the virus.
|
| Telling these people they are stupid or anti-social - or
| simply downvoting them :) - may not be the most effective
| strategy to make them change their mind.
|
| How should society approach this?
|
| How should governments approach this?
| ryanlol wrote:
| > I certainly wouldn't risk passing a border with a fake
| certificate.
|
| Border guards are even less interested in the validity of
| your covid certificates than nightclub bouncers. They
| have very limited amounts of time they can spend on
| processing people without the whole system collapsing
| CaptainZapp wrote:
| Welcome to the Schengen area.
|
| You will not enter any Schengen country without the
| border guard checking if you have an entry in the
| Schengen Information System.[1]
|
| A reply is available within seconds after the border
| agent scans your ID document (passport or identification
| card).
|
| Travelling between Schengen countries doesn't require an
| id or a passport, but currently countries have
| restrictions on entry most of them either insisting on
| you being vaccinated or to present a current Covid test.
|
| I'm travelling to Paris by train on Friday, which has the
| following requirements for entry:
|
|     From 9 June, fully vaccinated people from EU or Schengen
|     Associated Countries will not be subject to testing or
|     isolation requirements.
|
|     Accepted vaccines:
|       Pfizer/BioNTech
|       Moderna
|       AstraZeneca
|       Johnson & Johnson (Janssen)
|
| further
|
|     All travellers (from 9 June: all non-vaccinated travellers)
|     are subject to the requirement for a pre-departure negative
|     COVID-19 test taken within 72 hours prior to arrival.
|
| Now sure, chances are small that I'm even checked in the
| train. But if I am then it would be pretty dumb to
| present fake documentation. Don't you think so?
|
| [1] https://ec.europa.eu/home-affairs/what-we-do/policies/border...
| ajsnigrutin wrote:
| What I don't understand is, why do countries require all
| that for people from countries which have pretty much the
| same number of infected as they do (per capita)? If
| chances of a local spreading the disease is the same as
| for the tourist, because both countries have eg.
| 95positive/100k people, why bother?
| skocznymroczny wrote:
| Because it's a political crisis rather than epidemic
| crisis. The virus will disappear once it's not needed
| anymore, but the digital infrastructure for tracking
| people and restricting access will remain "for our
| safety".
| kzrdude wrote:
| Recently, the argument has been that they don't want
| variants to cross borders. They eventually will, but it's
| one more reason to say that "covid outside" != "the covid
| we have at home".
| ajsnigrutin wrote:
| But neither of the conditions in the EU pass says you
| don't have covid now. Vaccinations are not 100% (numbers
| go down to 70%, and a lot of infections for vaccinated
| people are asymptomatic, so even worse, because you don't
| stay at home, and no one tests you), PCR tests don't
| guarantee you didn't catch it between the test and "now",
| and having covid 5.5 months ago, does not guarantee you
| don't have it now.
| danhor wrote:
| But they increase the likelihood by a lot. There can't be
| a perfect system (apart from no one crosses the border,
| which is not feasible for other reasons), so this is a
| pretty good compromise.
| logifail wrote:
| > currently countries have restrictions on entry most of
| them either insisting on you being vaccinated or to
| present a current Covid test
|
| Anecdotal data point #1:
|
| I've entered Italy three times [by road] in the last six
| months, each time with a sheaf of paperwork to hand
| demonstrating my need to travel, negative test, EU27
| residency, the full nine yards.
|
| During none of the three visits did I even _see_ a border
| guard / police / Carabinieri / $whoever at or close to
| the border, never mind get stopped, never mind have my
| documents checked.
|
| There is policy, and there is reality. Maybe the gap
| between them in Italy is marginally larger than in some
| other places?
| ryanlol wrote:
| I've been regularly crossing Schengen borders using fake
| documents since this whole nonsense started. Most of
| these papers are impossible to authenticate. Sure, these
| QR-codes will have cryptographic signatures, so we'll
| just switch to foreign certificates instead.
|
| Why would it be dumb to use fake documents when it's
| literally impossible to get caught?
|
| I can safely discuss this on the internet too, it's not
| like anyone took photocopies of the documents I showed
| them.
|
| FWIW I'm not some antivaxxer nutjob, I'm happy to wear
| masks and self isolate when I'm sick. I'm just going to
| fight the surveillance state in any way I can.
|
| > You will not enter any Schengen country without the
| border guard checking if you have an entry in the
| Schengen Information System.[1]
|
| This is actually not correct. Many EU citizens do not
| have SIS entries but are still able to travel. This is
| likely to change in the future though.
| logifail wrote:
| > I certainly wouldn't risk passing a border with a fake
| certificate
|
| [..] especially given that you can also cross a border
| with a negative antigen test, which is pretty easy to
| come by. I must have done getting on for 50 of them so
| far this year.
| neither_color wrote:
| I don't give my name and date of birth to walk into a
| store or restaurant so why should this QR code force you
| to? Presumably all you want to know about this person is
| whether or not they are a toxic, contagious, diseased
| biohazard to you; everything else is none of your
| business.
| mindslight wrote:
| In the US context I would say this is a privacy
| violation. It's another avenue of obtaining identifying
| information about you, to abuse with no restrictions.
|
| But one of the main benefits of the GDPR is making it
| illegal for businesses to keep surveillance records on
| you. This way you don't have to worry about keeping basic
| information like _your name_ secret in the first place.
|
| The US really needs something like the GDPR to restore
| some societal trust. As it stands, I'm planning on
| wearing a mask into stores etc for as long as I can get
| away with it.
| _Microft wrote:
| If someone is showing someone else's proof of vaccination
| while they are not vaccinated, they actually might be a
| threat.
|
| The QR code by itself is not proof of anything until you
| have verified that it actually belongs to the person
| showing it. That's where the ID comes in.
| neither_color wrote:
| Just out of curiosity, what is the minimum net
| improvement in public safety you think justifies asking
| every person to show their identity information every
| time they walk into a shop or restaurant? After all the
| progress made so far with traditional disease mitigation,
| what would happen if you simply don't choose to force
| everyone to show their IDs everywhere they go? If you're
| saying vaccines and lockdowns weren't enough, what is the
| target you're chasing exactly? Is it really worth it?
| ajsnigrutin wrote:
| This is what I don't understand either... vaccines work,
| health systems in most eu countries are pretty empty of
| covid patients now, anyone who wants a vaccine can get
| one... but we're still requiring people from countries
| with 99positive/100k to show vaccination proof to enter a
| country with 98positive/100k.
|
| We have the vaccines, anyone can get one for free, just
| open up, and let the antivaxxers risk it if they want.
| _Microft wrote:
| I am not sure what you want to get at but if someone
| wants to be treated like being vaccinated, they should
| have to prove that they actually are. Anything else
| incentivizes behaviour that undermines the efforts to get
| a grip on the pandemic (i.e. it would let the
| unvaccinated flaunt the rules by just claiming that they
| no longer pose a threat to others and the pandemic would
| happily rage on).
|
| We do not implement these measures here (Germany) at the
| moment. Anyone can visit stores or e.g. retirement homes
| without having to show a negative test result or proof of
| vaccination. Before easing the measures, people with
| proof of vaccination were treated like having a negative
| result in general, i.e. they could do all the things that
| others also could but without the hassle of having to be
| tested.
| kasperni wrote:
| I don't know of international sources. But you can google
| translate this one
| https://nyheder.tv2.dk/samfund/2021-06-01-snyd-med-nyt-coron...
| jeffrallen wrote:
| The Swiss verifier app reminds you in big letters that it's
| only valid with photo ID.
| est wrote:
| > Now the app have all sorts of cool colour effects when you
| tilt your phone.
|
| Any video for that?
| kag0 wrote:
| A two way handshake/challenge would be the ideal way to solve
| that.
|
| ie. the patient would scan a qr code (containing a nonce) on
| the checkpoint, and include that number in the token which
| was then shown to the checkpoint.
| intellirogue wrote:
| It is cryptographically signed, so creating your own QR code
| that would be accepted by the apps would be difficult without
| the signing key.
|
| Even ignoring that though: including both the ID and detail
| allows it to work both ways. In official situations (e.g. at a
| country border) you might be able to validate against a server,
| but the local nightclub probably doesn't have access to a
| validation server.
| IshKebab wrote:
| You could just copy someone else's code though, unless they
| also check photo ID or something (seems unlikely for a pub).
| [deleted]
| samuel wrote:
| You are right with regards to the technical side, but there
| is an important detail to note. Those certificates only can
| be used for travelling between EU states. Any other use is
| currently banned and would need to amend the EU regulation.
|
| So the local nightclub can't (legally) check these
| certificates.
| fabian2k wrote:
| I don't think that is true, at least not universally in all
| EU countries. And here in Germany they're allowed to check
| the old paper vaccination pass, so there is no reason to
| think they're not allowed to check the digital version.
| samuel wrote:
| As far as I have been told by the national authorities of my
| country, that's the case. I haven't read the whole
| regulation but this paragraph I think it addresses it:
|
| _This Regulation establishes the legal ground for the
| processing of personal data within the meaning of point
| (c) of Article 6(1) and point (g) of Article 9(2) of
| Regulation (EU) 2016/679, necessary for the issuance and
| verification of the interoperable certificates provided
| for in this Regulation. It does not regulate the
| processing of personal data related to the documentation
| of a vaccination, a test or a recovery event for other
| purposes, such as for the purposes of pharmacovigilance
| or for the maintenance of individual personal health
| records_
|
| _Member States may process personal data for other
| purposes, if the legal basis for the processing of such
| data for other purposes, including the related retention
| periods, is provided for in national law, which must
| comply with Union data protection law and the principles
| of effectiveness, necessity and proportionality, and
| should contain provisions clearly identifying the scope
| and extent of the processing, the specific purpose
| involved, the categories of entity that can verify the
| certificate as well as the relevant safeguards to prevent
| discrimination and abuse, taking into account the risks
| to the rights and freedoms of data subjects_
|
| So, if my interpretation is right, a national law backing
| those "secondary" uses must be in place.
| the_mitsuhiko wrote:
| And it is in a few countries. Austria and Germany
| included.
| _ZeD_ wrote:
| Each state can create (and have created) additional
| restriction.
|
| For example here in Italy I need the green pass to go to a
| wedding next week
| mstolpm wrote:
| Are you sure? Isn't https://greencheck.gv.at/ a tool for
| private nightclubs, event managers, hospitality and so on
| to check the "gruner Pass" QR-Code certificate of their
| guests in Austria for accordance with their 3G rules
| (Genesen (recovered), Geimpft (vaccinated), Getested
| (tested))? Am I missing something there?
| ajsnigrutin wrote:
| In Slovenia, clubs/restaurants/etc. are not allowed to
| check any vaccination/test/recovered data (you still need
| to be one of those, they can ask if you are, but are not
| allowed to verify).
|
| Only health inspectors can do so, and they do random
| checks. Honestly, I don't know how this will end, because
| people are really fed up with this situation and all the
| lies from the government, and a club full of drunk people
| vs a few inspectors won't end well.
| franga2000 wrote:
| I'm from Slovenia as well and get asked to show my ID and
| vaccination slip regularly.
|
| If I understand correctly, one of the pandemic laws
| requires them to verify, but the Information
| Commissioner's Office has countered that with one of
| their classic "well yes, but actually no" opinions saying
| that they're not actually allowed to demand that kind of
| information. What "demand" means here, of course, doesn't
| seem to be defined well, so I'm guessing they're still
| allowed to refuse service if you don't show them some
| proof.
|
| Or maybe all of that has changed in the 20h since I was
| last at a bar - the speed at which the current government
| is making seemingly entirely random changes to the covid
| rules is genuinely impressive.
| samuel wrote:
| That's interesting, but I guess it needs some legal
| support at the Austrian level, because the regulation
| doesn't prescribe those uses for the certificate.
| the_mitsuhiko wrote:
| There is a law in Austria for this.
| DangerousPie wrote:
| It's signed.
| [deleted]
| nousermane wrote:
| Digital signature would prevent that (assuming scanner does a
| good job at verifying one). "Looking at the hexdump" section of
| TFA, last 64 bytes (cyan-coloured).
|
| On top of that, online verification (e.g. by certificate ID)
| might be possible, too.
| thierryzoller wrote:
| Yeah, didn't find the hash in that JSON
| asutekku wrote:
| Most likely because it's not 100% guaranteed the server will be
| accessible, as then having that data will be a good backup
| system.
| kawsper wrote:
| I guess the certificate id is the id value you speak of.
|
| It would be cool if the whole thing was signed by a government
| public key, then you could verify it offline.
| fabian2k wrote:
| It is. This is signed by the relevant health authority in
| each country as far as I understand. And the official apps
| for reading them can verify the signature offline.
| eivarv wrote:
| I think at least partial offline-support was a requirement.
| williesleg wrote:
| I love me some government control
| ibejoeb wrote:
| Soon enough, the cool kids will be the ones who don't carry
| phones.
| londons_explore wrote:
| The design of this code seems bad...
|
| It should encode:
|
| https://covidcheck.gov.eu/87HS84JU8179
|
| The URL, when visited by browser should display a big green tick
| or cross. The page should contain all the machine parsable
| metadata. The URL itself should have a check digit to allow low-
| security offline checking, although for cases where falsification
| is an issue, online checks should be required, since there is no
| good way to revoke offline codes.
|
| The substantially shorter code will read much more easily and be
| smaller to print. It can be verified or generated without any
| special software.
| pawal wrote:
| The downside of this is that the lookup is done online, and
| every use of an individual is tracked per service. This is not
| something that I am comfortable with.
| tuxone wrote:
| For offline checking you will eventually need some data (first
| name, last name, birthdate) to validate against eg. an ID card.
| iudqnolq wrote:
| As they do.
| [deleted]
| [deleted]
| PaulHoule wrote:
| That is a big QR code, bigger than the Red Cross Rapidpass.
|
| If it was 'carefully optimized for size and reliability' they
| would use all caps letters and reduce the area by 40%.
|
| Saying that is carefully optimized is like saying GDPR pop ups
| carefully optimize user interfaces.
| seszett wrote:
| You cannot ask everyone to use only the unaccented latin
| alphabet for names when there are EU countries that use other
| alphabets, and accents. And on the other hand, you cannot ask
| people in the rest of the EU to learn cyrillic for when a
| Bulgarian citizen shows their pass.
|
| There is no easy solution for this, and including the native
| name + a normalised (ICAO 9303) version is probably the best
| one
| da_big_ghey wrote:
| Maybe a standard transliteration method? The EU needs to pick one,
| since each language has many.
| johncolanduoni wrote:
| They actually do use all caps letters, hence why it's base45
| encoded instead of base64
| pyentropy wrote:
| Regarding binary and QR: seems like the state of QR scanners is a
| cruel joke. There are multiple specs, of which only ISO
| 18004:2006 survived.
|
| It says:
|
| A QR code contains a mode indicator, character count and the
| bitstream encoding the characters. Modes are:
|
| - numeric: 10 bits are used for [0-9]{3}
|
| - alphanumeric: 11 bits are used for [0-9A-Z$%+-./:]{2}
|
| - 8 bit Kana/JIS X 0201: (8 bits are used for every Japanese
| character)
|
| - Kanji
|
| - mixed mode (switching between multiple character sets in one
| stream)
|
| - extended channel mode (ECI) - latin1, cyrillic, etc
|
| https://www.swisseduc.ch/informatik/theoretische_informatik/...
|
| Note that the document mentions that stuff like 'font size' is
| not specified in QR (?), while saying nothing about basic
| questions like 'what about non-printable characters'.
|
| Then it got superseded by 18004:2015. When a person asked
| on StackOverflow what's going on, the answer by the author of the
| most popular QR library (zxing) says "There is one (not obsolete)
| ISO spec for QR codes, ISO 18004:2006. Most of what you observe
| is just lack of compliance." -
| https://stackoverflow.com/questions/18699739/tools-for-qr-co...
|
| Looking at other questions ("how do I store utf8"), it seems like
| scanners do some heuristics (scanning for BOM, valid unicode
| codepoints, etc), not even slightly conforming to the modes:
| https://stackoverflow.com/questions/51516612/choosing-a-char...
|
| ---
|
| So, you can do base64 with ECI latin1, and risk the scanner
| performing some heuristic... or you can just take the
| alphanumeric route with 45 options (26 letters: [A-Z], 10 digits:
| [0-9] + 9 special characters), which is compact in terms of QR
| representation (not in terms of modern 8-64 bit words in memory!)
| and call it a day:
| https://tools.ietf.org/pdf/draft-faltstrom-base45-06.pdf
| dirkx wrote:
| And it is not that bad - base45 packages nicely in 11 bits; so
| compared to exactly the same payload in binary - there is just
| a few percent difference in the end in pixels/cells on screen.
| pyentropy wrote:
| 4 bytes get converted to 6 alnums and those get packed into
| 3 * 11 = 33 "qr-bits" <=> [33/32 - 1] ~ 3% loss.
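
The Base45 packing and the 33/32 figure from the comments above, as an added example that is not part of the thread or of the project's code. The alphabet is the one published in RFC 9285 (the final form of the linked draft); the function names and the sample payload are this example's own, and QR mode and length headers are ignored.

```python
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def b45encode(data: bytes) -> str:
    """Two bytes become three characters; a trailing single byte becomes two."""
    out = []
    for i in range(0, len(data) - 1, 2):
        n = (data[i] << 8) | data[i + 1]
        out += [ALPHABET[n % 45], ALPHABET[n // 45 % 45], ALPHABET[n // 2025]]
    if len(data) % 2:
        out += [ALPHABET[data[-1] % 45], ALPHABET[data[-1] // 45]]
    return "".join(out)


def b45decode(text: str) -> bytes:
    """Strict decoder: rejects foreign characters, bad lengths and overflow."""
    if len(text) % 3 == 1:
        raise ValueError("invalid Base45 length")
    try:
        vals = [INDEX[ch] for ch in text]
    except KeyError as exc:
        raise ValueError(f"character {exc.args[0]!r} not in Base45 alphabet") from None
    out = bytearray()
    for i in range(0, len(vals), 3):
        chunk = vals[i:i + 3]
        n = sum(v * 45 ** k for k, v in enumerate(chunk))
        width = len(chunk) - 1          # 3 chars -> 2 bytes, 2 chars -> 1 byte
        if n >= 1 << (8 * width):
            raise ValueError("Base45 group overflows its byte width")
        out += n.to_bytes(width, "big")
    return bytes(out)


def qr_alnum_bits(n_chars: int) -> int:
    """Data bits in QR alphanumeric mode: 11 per character pair, 6 for a leftover."""
    return 11 * (n_chars // 2) + 6 * (n_chars % 2)


def overhead(n_bytes: int) -> float:
    """Base45-in-alphanumeric bits relative to raw 8-bit bytes, headers ignored."""
    chars = len(b45encode(bytes(n_bytes)))
    return qr_alnum_bits(chars) / (8 * n_bytes) - 1


if __name__ == "__main__":
    enc = b45encode(b"Hello!!")         # constructed sample input
    print(enc, b45decode(enc), f"{overhead(1024):.1%}")
```

A verifier should use the strict decoder: a lowercase character, a group such as `:::` that exceeds 65535, or a length of 1 modulo 3 means the scanned text is not valid Base45 and should be rejected before any further parsing.
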
| [deleted]
| hammon wrote:
| It's not a privacy problem, it's a human rights one. Sadly, no
| one seems to care. Requiring a genetic treatment, to work, travel
| or live is a dystopic future. Madness.
| quenix wrote:
| "Genetic treatment"? Please.
| hammon wrote:
| If you modify RNA to produce a protein of your choice, what is
| it? BTW, even for the law a vaccine is something that gives you
| immunity, and we already have plenty of people with 2 shots
| getting covid again... Next winter we will be in the same
| situation as 2 years ago, and a lot of people will realize.
| aww_dang wrote:
| https://languagelog.ldc.upenn.edu/nll/?p=50886
|
| Merriam Webster has changed the definition of "Vaccine" to
| avoid the distinction you have raised.
| koalaman wrote:
| At every level of education I was required to show evidence of
| vaccination to attend. This has been normal for many decades,
| and as far as I'm concerned makes complete sense. It's unclear
| to me what's dystopic about public health requirements. Society
| imposes on individuals many constraints, and gives us back many
| benefits in return.
|
| Perhaps people care, but simply disagree with your threshold
| for what's an appropriate societal imposition. I certainly do.
| yarcob wrote:
| You can get tested instead of getting a vaccine.
|
| (Also, a vaccine is not a "genetic treatment". Not even an RNA
| vaccine.)
| aww_dang wrote:
| I care.
|
| Many are skeptical of a vaccine passport combined with a
| digital wallet for CBDC. The historical background of those
| promoting this program is concerning. Even without that, the
| historical parallels to other atrocities are concerning.
| Together it seems obvious to those who are willing to examine
| it.
|
| Unfortunately, there's a distinct lack of "intellectual
| curiosity" surrounding these issues. People are scared. Once
| again, they are looking for authorities to help them. Dissent
| is demonized as always.
|
| In this case, concerns are framed as dangerous propaganda
| preventing us from reacquiring our pre-pandemic freedoms. For
| those true believers, I ask: When has government willingly
| returned freedoms ceded under the pretense of emergency?
|
| The banality of evil marches on.
| samuel wrote:
| This is the official github of the project.
|
| https://github.com/eu-digital-green-certificates/
|
| There are Android and iOS apps for QR reading, although they
| don't point to the production certificate chains so can't be used
| to verify "real" EU certs.
| radicalbyte wrote:
| That is the SAP/T-Systems repository. It contains the
| implementation.
|
| The main EU project is part of the eHealth Network and can be
| found here:
|
| https://github.com/ehn-dcc-development/
|
| Disclaimer: I'm working on it as part of the Dutch team, mainly
| contributing to the schema but have also helped get the gateway
| up and running.
| pzo wrote:
| Wondering why they haven't licensed it under GPL3.0 so at least
| other countries would have to also open source their apps if
| they reused the code. Also if some company reused the code to
| implement some malicious verifier that does tracking it would be
| easier to find out.
| cbhl wrote:
| You want to err on the side of letting proprietary closed-
| source code bases (think "electronic health record" systems)
| adopt the reference implementation, even if they don't give
| back.
|
| Otherwise the proprietary folks will come up with a competing
| implementation that meets their non-technical (licensing)
| requirements.
| lorlou wrote:
| Practically all committers are German... How surprising ;)
| camillomiller wrote:
| As an Italian, this is reassuring :D
| ar0 wrote:
| I don't seem to get the point of this comment, but the reason
| for this is that the EU Commission has assigned this project
| to Deutsche Telekom and SAP, two German companies (as is
| explained in the README).
| Dma54rhs wrote:
| The point is Germany having too much power over such
| matters obviously.
| sharken wrote:
| From July 1st 2022 that influence will be reset, as that
| is the sunset date.
|
| But I find this wording very ominous, as I sincerely hope
| it will be sunset way earlier than 2022.
|
| > If needed, the scheme may run for a longer period than
| one year.
|
| Source:
|
| https://www.schengenvisainfo.com/news/all-details-on-eu-covi...
| camillomiller wrote:
| Corona Warn App is the most successful implementation of
| a Covid tracing app in Europe. Italy's Immuni was good as
| well, but unfortunately politics and demented policies
| basically mangled one of the best pieces of Public
| Administration software my country had ever produced. In
| this regard, I can't be anything but satisfied that the
| Germans are taking the lead on an EU-wide policy. Also, I
| got vaccinated here in Berlin and since a week I already
| have a perfectly usable digital pass that I validated at
| the chemist's counter. For one, to be honest, let's give
| all the kudos to those who deserve them.
|
| Side note: we're so generous that I hear of Americans
| here in Berlin who are getting the pass too by showing
| their American vaccination documents and a proof of
| residence in Germany. Meaning: the system is solid, but
| surprisingly flexible.
| sharken wrote:
| The danish version is called "Smittestop", which roughly
| translates to "Stop the infection".
|
| It has cost 4.3M euros and has detected 76.115 people,
| which amounts to 420 DKK or 56 euros per person.
|
| To me that sounds quite expensive and not like a success.
|
| Link in Danish:
|
| https://jyllands-posten.dk/indland/ECE13057409/sundhedsminis...
| rgj wrote:
| So you want to translate this into how much infections it
| _prevented_ and then compare it against the cost of a
| COVID-19 infection for society.
|
| I don't have the numbers but my gut feeling says that
| 56EUR is a bargain.
| sharken wrote:
| Perhaps it is, but keep in mind that the official count
| of infected is around 300.000, so 25% of that was
| detected by the app.
|
| If the number of infections that were not detected are
| double the 300.000, then we are fast approaching 10% of
| all infections detected.
|
| But anyway Denmark spend 60 times the budget for the app
| on testing each month in 2021, so it's pennies the app
| has cost.
|
| But I still think it worthwhile to know what the
| taxpayers get for their money.
| rsj_hn wrote:
| > So you want to translate this into how much infections
| it _prevented_ and then compare it against the cost of a
| COVID-19 infection for society.
|
| By that logic, we should start selling hand sanitizer for
| 100 euros, and soap for 50 euros, right?
|
| Obviously the idea that something should not be evaluated
| by how efficiently it was produced but solely by how much it
| was needed is a recipe for absolute disaster and cost
| bloat. Seat belts will go for 10,000 euros in that world.
| dzhiurgis wrote:
| How do you decide what is cheap vs expensive for early
| detection? Sure it "sounds" expensive but it would be
| cheaper if there were more detections, which you don't
| really want.
| fnord77 wrote:
| the images checked in seem a bit bizarre
|
| https://github.com/eu-digital-green-certificates/dgc-partici...
| mhils wrote:
| This is included in
| https://github.com/eu-digital-green-certificates/dgc-partici..., in
| that context as an example it does make some sense.
| girst wrote:
| the juicy bits seem to be here:
| https://github.com/ehn-dcc-development
| Avalaxy wrote:
| Why would "target" disease be "840539006"? Have there been
| 840539005 other diseases before? Would "1" not suffice? Or just
| "covid19"?
| robjan wrote:
| It's the SNOMED code for Covid-19
| altacc wrote:
| It comes from SNOMED, which is a system for electronic health
| records and is very comprehensive, multi-lingual & multi-
| national. Every disease, symptom, medical term, etc... has a
| code which allows matching across languages.
|
| I doubt the IDs start at 1, it's likely the first few digits
| (perhaps 8405) are a type classification for the ID. It's been
| going for a few decades and thousands of new IDs are added each
| year.
| DerWOK wrote:
| 840539006 is the ID by SNOMED
| https://www.snomed.org/news-and-events/articles/march-2020-i...
| tummybug wrote:
| The complete list of codes can be found in the github repo
| containing the schema for the qrcode data
| https://github.com/ehn-dcc-development/ehn-dcc-schema/tree/r...
___________________________________________________________________
(page generated 2021-06-22 23:01 UTC)