Could Quebec's vaccine passports expose your personal info?

Patrick Mathieu says creating an app that can read the contents of Quebec'sdigital vaccine passports isn't that hard to do.

The co-founder of Hackfest, an annual hacker event in Quebec City, says two of its members built an app that could access a person's name, date of birth and vaccination statusby scanning the QR code provided to Quebecers by the Health Ministry.

"Two [people] that are not experts in this at all built an application where you scan [the QR code]," said Mathieu. They built the app in about 20 hours.

StartingSept. 1, Quebecers will have to show proof of vaccination to access certain non-essential activities. Businesses will have access to a free app from the governmentthat simply tells the user whether or not a customer is adequately vaccinated.

But Mathieu says a less scrupulous business owner or employee could build or purchase a third-party app that instead saves their data, which also includes where a customer received their vaccinations and if they have contracted COVID-19.

No location data is accessible from the QR code.

"Obviously the risk is low," said Mathieu. "But it exists because the government chose technology that is not secure for privacy."

Mathieu says it's not just the QR code that could be exploited Hackfest also found a bug in the app when it was being developed that led to over 300,000 QR codes being exposed online. He says they notified the developer,Akinox, and the issue was resolved in 24 hours. But he doesn't have a lot of confidence in the company.

"Their development environment is exposed on the web. We can see their source code, they have bugs," he said.

Developer, Health Ministry insist system is safe

In a written statement to CBCNews, Akinox CEO Alexander Dahl says the company has been working closely with government experts in cyber security, privacy and protection of personal information throughout the development process.

He says the vaccine passport and everything in the app was thoroughly audited and approved.

Much like people are responsible for protecting the information on their medicare cards and driver's licenses, Quebec's Health Ministry says it's important to not publicly post your QR code, and only share it with businesses that require proof of vaccination.

Risk of 'malicious intent'

Mathieu sayssomeonewith "malicious intent" who owns several restaurants and bars could trackthe movementof a specific client as their QR code is scanned by third-party apps at their establishments.

But he says a more likely scenario is an individual employee looking someone up online.

"You go to a restaurant, the person at the door who scans your QR code thinks you're super cute, gets your name stalksyou on Facebook, gets into your DMs and harasses you," he said.

He says it's frustratingthe government went witha system that has the potential to be exploited, when Quebecersalreadyhave physicalproof of vaccination.

"They put...20 plus million dollars into something that is not privacy enabled, [has] tons of security issues and in the end you can still go with a piece of paper."