Tips & Advice

There's a major privacy risk in Apple Wallet vaccine cards

Emma McGowan 28 Jan 2022

This privacy gap highlights how important it is to ensure that privacy with proper disclosure protecting users is included from “go”

If you have an iPhone, you may have added your Covid-19 vaccine card to your Apple Wallet. It’s verified, scannable, and right there behind a quick face scan or PIN. It’s a convenient way to have your vaccination status on hand, whether you’re trying to get into a restaurant or fly or are in any other situation where showing a vaccination proof is required. But what you might not know is that anyone else with an iPhone can scan your Apple Wallet vaccination card when presented, and add it to their own Apple Wallet.

Charles Walton, Senior Vice President and General Manager of Identity at Avast, discovered this fact when out to dinner with a friend recently. They were discussing the Apple Wallet cards and decided to see what would happen if they used their iPhones’ built-in QR code reader to scan the other’s card. Walton opened his camera, read his friend’s card — and it was imported into his Wallet.

Now Walton had not only his own vaccination card — but also his friend’s card — both instantly accessible on his own phone. He also has all his friend’s information: name, date of birth, where he was vaccinated, and what vaccine he has received.

This is not only highly personal information that Walton, nor most people to that matter, does not want nor need access to — but neither did his friend have any idea that he had shared so much personal information.

“Basically everything goes right from the paper record to the digital form and then become sharable as-is upon presentation of the QR code, as opposed to implementing some rules about what is shared and by whom, with proper disclosure to and under the control of the user,” Walton says. “If I’m going to my health care provider, it might be important to know my whole record. If I’m going to the restaurant, they just need to know that I’m vaccinated. But in either case, that sensitive personal information needs to be bound to me, the holder, and not just something anyone can put in their digital wallet and present like if it was from them.”

But just because Apple didn’t quite hit the privacy nail on the head yet, doesn’t mean they can’t. Walton points to the Good Health Pass Blueprint as a guide for how tech companies can create vaccine cards that convey the needed information without putting people’s privacy at risk.

“In the Good Health Pass Blueprint, we described an approach where only the information that was needed to convey to the other party was delivered — and you could prove that it belonged to you,” Walton says. “So for travel, it’s fit to fly. To go into a bar, you don’t need to know as much information — you just need to know that the person has gotten the shots. This is more information sharing than I believe is required.”

But the story gets even better. Walton has accidentally shown his friend’s card instead of his own when attempting to gain entrance to restaurants — and has not been denied entry. That means this security gap in the Apple Wallet vaccination cards could potentially be exploited by people who are not vaccinated, but still want access to spaces that require vaccination. In other words: it’s potentially a public health issue as well as a privacy one.

As the pandemic continues, digital solutions for complex health care-related problems are going to become increasingly important. Admittedly there have not been public issues reported to date, however, this privacy gap highlights just how important it is to make sure that privacy with proper disclosure protecting users is included from “go.” What is called for now is a more concerted effort within the industry to tackle this type of issue not only for vaccination credentials and data, but for other types of data disclosure.