Beware of This Major Risk of the California Vaccine Passport

Thomas Smith

Earlier this month, California launched its new Digital Vaccine Verification System. The state says that the system isn't a passport because it's not mandatory, although many citizens are still referring to it as that.

If you choose to use the system, you’ll enter some of your identifying information and then receive a link to a QR code, which you can open on your phone and screenshot. The state says that down the line, you’ll be able to have the QR code scanned at participating venues in order to confirm your vaccine status.

The system has its uses, and many Californians will likely take advantage of it. But it also has a major risk, which you need to be aware of if you download your own code. QR codes look like gibberish: a boxy blob of black and white lines. Unlike a traditional paper vaccine record, which obviously contains medical information, the system’s QR codes feel much more secure and less personal.

But that’s an illusion. The QR code that you download from the system actually contains a great deal of sensitive information, including your birthdate, your full name, the day you got your Covid-19 shot(s), the lot number of the shots, and more. All the data is there, encoded in the code’s lines and dots. All someone needs to do in order to access the data is scan the code using the right software system.
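What "encoded in the code's lines and dots" means in practice, as an added example that is not from the article or the state's system: it assumes the code follows the SMART Health Cards text format (a `shc:/` digit string wrapping a compressed, signed record), which the article does not name, and it uses a constructed, simplified record with a dummy signature. The reader function recovers every field without any key or password, because the signature proves who issued the record and does nothing to hide it.

```python
import base64
import json
import zlib

# CONSTRUCTED sample record: a simplified stand-in for a real card's contents.
SAMPLE = {"name": "Jane Example", "birthDate": "1980-01-01",
          "doses": [{"date": "2021-03-01", "lot": "CONSTRUCTED-LOT-1"}]}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_sample_qr_text(record):
    """Build a constructed shc:/ string so the demo runs offline."""
    header = b64url(json.dumps({"alg": "ES256", "zip": "DEF"}).encode())
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    body = comp.compress(json.dumps(record).encode()) + comp.flush()
    # The third part is a dummy; a real card carries the issuer's signature here.
    jws = ".".join([header, b64url(body), b64url(b"constructed-dummy-signature")])
    # Numeric QR mode: every character becomes two digits, ord(c) - 45.
    return "shc:/" + "".join("%02d" % (ord(c) - 45) for c in jws)

def read_qr_text(qr_text):
    """Recover (header, record) from scanned text. No secret is involved."""
    if not qr_text.startswith("shc:/"):
        raise ValueError("not an shc:/ string")
    digits = qr_text[len("shc:/"):]
    if len(digits) % 2 or not digits.isdigit():
        raise ValueError("malformed digit string")
    jws = "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))
    header, payload, _signature = jws.split(".")
    record = json.loads(zlib.decompress(b64url_decode(payload), -15))
    return json.loads(b64url_decode(header)), record

if __name__ == "__main__":
    qr_text = build_sample_qr_text(SAMPLE)
    print("What the QR holds:", qr_text[:40] + "...")
    header, record = read_qr_text(qr_text)
    print("Header (signature algorithm only):", header)
    print("Fields readable by anyone who scans it:", record)
```
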

That has several important implications for users of the system. Firstly, if you choose to use the system to obtain your own QR code, never post it online. You might be tempted to share it on social media to show people that you’ve gotten the shot, or to post it to a public Facebook group. But doing that could expose your sensitive medical information. Your name and date of birth are all a hacker needs to steal your identity.

If you screenshot your card, make sure to keep the screenshot safe, too. The state’s website uses encryption, but if you store the code on an unencrypted phone or hard drive, someone could potentially access it, and thus have access to your health information.

Lastly, even if you don’t choose to use the state’s system to obtain your vaccine records, be careful of any text messages you might receive from the system. The system relies on users to enter a phone number in order to confirm their identity and receive their card. If you get a message out of the blue and you didn’t sign up on the site, disregard the message. A hacker could have entered your phone number on the site in the hopes of gaining access to your vaccine record.

Unless you just signed up for the site and are expecting a text message (or email) from it, don’t click on any messages you receive. Likewise, if you get a message saying that you need to pay in order to access your vaccine record, you’re likely dealing with a scammer, too.

California’s new system is a big step forward on digital vaccine verification. But to use it safely, it’s important to know about the risks, and to take steps to keep your personal data safe.

This is original content from NewsBreak’s Creator Program.


Published by

Award-winning entrepreneur, and the co-founder and CEO of Gado Images. Thomas writes, speaks and consults about artificial intelligence, privacy, food, photography, tech, and the San Francisco Bay Area. As a professional photographer, Thomas' photographic work regularly appears in publications worldwide. Pitches/news tips:

Lafayette, CA
