ongov / OpenVerify

The open source Verify app by the Government of Ontario
Apache License 2.0

Security concern #6

Open waveon1 opened 2 years ago

waveon1 commented 2 years ago

Displaying the verifiee's name and d.o.b. on the verifier's device poses a basic privacy breach risk. Name and birth date are nontrivial personal data.

The verifier's device is effectively any reasonably up-to-date iOS or Android device. Screen capture and remote malware loggers can scrape user info.

spncrd commented 2 years ago

Thanks for this. We take the privacy of Ontario Verify users seriously.

Enhanced proof of vaccination certificates in Ontario, both in their PDF/print format and encoded into the open SMART Health Card standard, contain not just name and date of birth, but also lot number, vaccine type(s), etc. In Verify Ontario we only display the minimum amount of information required to confirm the verified status of a user via government ID.

The process to confirm vaccination status via a second factor predates the release of Verify Ontario. For detailed guidance and related regulation, please review: Proof of Vaccination Guidance for Businesses and Organizations under the Reopening Ontario Act

Recording personal health information via screen captures, or in any other way, is prohibited as per the Terms of Use: https://covid-19.ontario.ca/verify-terms-of-use
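An added example (not OpenVerify code and not part of this thread) of the minimal-disclosure point above: it builds a constructed, unsigned SMART Health Card (the shc:/ numeric encoding over a JWS whose payload is raw-DEFLATE compressed, as the standard specifies), decodes it, and hands the display layer only the name and date of birth needed for the physical-ID match, so lot number and vaccine codes never reach the screen or any log. The issuer URL, key id and signature are placeholders; a real verifier validates the ES256 signature against the issuer's JWKS before trusting any field.

```python
import base64, json, zlib

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed FHIR bundle in the shape SMART Health Cards carry: a Patient resource
# (name, DOB) plus an Immunization resource with vaccine code and lot number.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle", "type": "collection",
    "entry": [
        {"fullUrl": "resource:0", "resource": {"resourceType": "Patient",
            "name": [{"family": "Example", "given": ["Jane"]}], "birthDate": "1985-04-12"}},
        {"fullUrl": "resource:1", "resource": {"resourceType": "Immunization",
            "status": "completed", "patient": {"reference": "resource:0"},
            "vaccineCode": {"coding": [{"system": "http://hl7.org/fhir/sid/cvx", "code": "207"}]},
            "occurrenceDateTime": "2021-06-01", "lotNumber": "LOT-CONSTRUCTED-01"}},
    ],
}

def make_unsigned_card(bundle: dict) -> str:
    """Build the shc:/ numeric form of a JWS with a raw-DEFLATE payload. Each JWS character
    becomes two digits (ord(c) - 45). The signature segment is a placeholder; a real
    verifier must validate the ES256 signature against the issuer's JWKS first."""
    payload = {"iss": "https://issuer.example", "nbf": 1622505600,  # placeholder issuer
               "vc": {"type": ["https://smarthealth.cards#health-card"],
                      "credentialSubject": {"fhirVersion": "4.0.1", "fhirBundle": bundle}}}
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    body = comp.compress(json.dumps(payload, separators=(",", ":")).encode()) + comp.flush()
    header = b64url(json.dumps({"zip": "DEF", "alg": "ES256", "kid": "constructed"}).encode())
    jws = f"{header}.{b64url(body)}.{b64url(b'placeholder-signature')}"
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)

def decode_card_payload(shc: str) -> dict:
    """Reverse the numeric encoding and inflate the JWS payload (signature not checked here)."""
    digits = shc[len("shc:/"):]
    jws = "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))
    return json.loads(zlib.decompress(b64url_decode(jws.split(".")[1]), -15))

def minimal_display_fields(payload: dict) -> dict:
    """Return only name and DOB for the ID match; vaccine codes, dates and lot numbers are
    never copied into the returned object, so they cannot be shown or logged downstream."""
    for entry in payload["vc"]["credentialSubject"]["fhirBundle"]["entry"]:
        res = entry["resource"]
        if res.get("resourceType") == "Patient":
            name = res["name"][0]
            return {"name": " ".join(name.get("given", []) + [name.get("family", "")]).strip(),
                    "birthDate": res.get("birthDate")}
    raise ValueError("no Patient resource in bundle")
```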

juharris commented 2 years ago

Agreed that ideally name and DOB shouldn't be shown but they're needed for now to check against a physical ID to help verify that the bearer of the QR code is the proper owner of that QR code. Without checking my physical ID, I could just use my friend's QR code and you would not know that I stole the QR code.

Possible solution: The app could also scan the physical ID (when possible and assuming that these IDs are also digitally signed) and verify that the names and DOBs match. The ID owner would only show the part of the code of the ID that needs to be scanned. Then the verifying person would never take possession of the ID and never see the private data.

Update: Looks like this is sort of implied in #5.

spncrd commented 2 years ago

Absolutely. We are in a rapidly evolving space right now with proof of vaccinations coalescing around the SMART Health Card format as well as Digital ID programs currently in development here in Ontario and elsewhere. Further reading you might be interested in: https://www.ontario.ca/page/digital-id-ontario

nerdcorenet commented 2 years ago

> Recording personal health information via screen captures, or in any other way is prohibited as per the Terms of Use: https://covid-19.ontario.ca/verify-terms-of-use

If this app is intended to be used on any device owned by someone at an establishment, that is, the device of anyone who works there, then what will protect this personal information as well as device location from being intercepted, stored and transmitted to a third party such as a foreign agent? It's all well and good to define Terms, but what about malicious players, virus-infected devices, etc.?

> The process to confirm vaccination status via a second factor, predates the release of Verify Ontario.

When a human being verifies photo ID, such as for checking age of majority or vaccination status, with their own eyeballs, the personal information is not at any risk of interception by a virus (not yet in 2021, as far as I'm aware). The human being promptly forgets each guest's information after verifying the validity of the presented documents, and there is no opportunity for storage. How is this mitigated by this app, given the challenges of allowing any device to be used for this activity?