Scotland’s Covid vaccination certificates hit by security glitch

Written by tested.me Founder, Andy Reid

As the world looks for a solution to help manage the health and vaccine status of its population, much debate has occurred regarding the privacy and security of an individual’s health data; who owns it and who should it be shared with?

Many are asking the question as to whether sharing a person’s covid health status digitally is a sustainable option, and whether organisations can indeed ensure that an individual’s vaccine status has not been manipulated?

The Scottish government has recently found itself in hot water regarding a security flaw in its vaccine certificates, which has seen people use popular computer software to change names and dates of existing certificates.

Currently, people in Scotland who are travelling to a foreign country are able to download the vaccination status forms from the NHS Scotland Portal. The Covid status forms allow the Scottish public to show the dates of vaccinations and which jabs they have received.

But the newly discovered security glitch means that vaccination status details can be altered — the BBC shared how it easy this was: BBC Scotland was able to download a certificate and edit it to include a false name and the address of the BBC’s Glasgow headquarters.

Data privacy and security in sharing accurate information is critical to the adoption of digital technology being able to confirm the health status of a population. That’s why tested.me remains focused on providing a safe and secure platform for individuals to store and share their health data if, and when, they choose to do so.

To ensure that no health status can ever be manipulated and to help keep individuals and organisations safe, tested.me is close to implementing a solution that uses a closed loop platform to detect if documents have been modified.

How will the solution work?

· A PDF document is emailed to verify@tested.me and within minutes a certificate of authenticity will be sent if the document has had no manipulation. If one pixel has been changed, then a person will receive a response saying the document has been changed from the original.

· With the printed version there is also protection. An individual will just need to download the existing verification app or use the tested.me “scan” function to scan the QR code. This will then show the details of the owner of the document and current status of their vaccination (or whatever data the certificate holds) to the person scanning the document. Any modification will be easily detected so fraud can be dealt with accordingly, both for digital and paper versions of the health certificate.

At tested.me our goal is to get people back doing what they love. We want individuals to feel safe in sharing their personal health data, and for organisations to feel confident in the information that is shared with them, ensuring the safety of those in their premises.