Create a free account, or log in

Australia’s digital vaccine certificates still full of significant flaws

Despite nearly two years to prepare, Australia’s systems for proving whether people received their jabs are vulnerable to being exploited and are not fit for purpose. 
Fallback Image
Cam Wilson
digital vaccine certificate
Source: AAP/Daniel Pockett.

Despite the first freedoms being granted to vaccinated Australians in just days, Australia’s digital vaccine certificate system has significant flaws.

As of Monday, NSW residents who have received both their COVID-19 vaccine doses will be allowed to gather outdoors for recreation with up to five people. 

Enforcing this requires some ability to verify whether people have in fact received their vaccines. But so far, the federal government’s current system is exposed to simple frauds while also posing problems for those who have received their shots.

As it stands, vaccinated Australians can access a digital vaccination certificate on their phone via the Medicare Express Plus app or myGov. Australians can also get a printed version mailed out to them

Last month, Crikey reported on how a local software developer found a simple way to create a fake COVID-19 digital vaccine certificate for himself using the official Medicare app. The ABC more recently reported that another developer found a way to change the name or vaccination status on the digital certificate. Fake vaccine certificates are reportedly being sold online for a few hundred dollars (although it’s not clear how effective they are).

The crux of the issue is that there’s no independent way to verify the current vaccine certificates. While digital certificates have some security features (such as a shimmering background which means that you can’t just pull up an altered screenshot), any third party hoping to check someone’s vaccination status will just use the eye test — ”Does it look legit?” — to see if the certificate is real. 

This is an incredibly simple oversight. Independently verifying information like this is exceedingly simple. If professional sports matches and concerts can scan tickets to verify that it’s not a fake ticket, there is no good reason why Australia’s major weapon for defeating the pandemic can’t do the same. An international COVID-19 vaccine passport with a QR code that would allow verification is being trialled now — but there’s no plans to roll those out domestically.

Meanwhile, people who have legitimately received their vaccination are having difficulty having trouble obtaining vaccination certificates. One person told the Guardian that when they contacted staff at the Sydney Olympic Park vaccination hub about their own issues, they were told it was widespread: “The woman mentioned they are having thousands of calls a day about errors and they are still catching up from March.”

Governments and institutions have had their hands full creating and adapting systems to respond to challenges of the pandemic. The scale and speed that was necessary to respond to urgent and pressing problems meant that flaws were expected.

But despite nearly two years to prepare, and with states starting to roll out freedoms that depend on proof of vaccination status, Australia’s systems for proving whether people received their jabs are vulnerable to being exploited and are not fit for purpose. 

This article was first published by Crikey