Opinion | Where’s The Privacy Protection?

Online fraud, identity theft, and the illegal sharing of personal data are rife these days, as we turn to our smartphones and online applications to help us with every part of our lives.

The NZ Pass Verifier App is now available for businesses to download. When the country enters the Traffic Light system, hospitality businesses will need to verify that customers are vaccinated before they can enter the premises.

The app is easy to download and easy to use, but how safe is it?

When a business Scans a customer’s Vaccine Pass, the app screen displays a green tick to show that the customer is double jabbed. The screen also shows their full name and date of birth.

While provisions under the Terms & Conditions of the app (that you must agree to when downloading) state:

“The app collects no information about the user of the device or the passes it scans.

You must use any personal information accessed with the app in accordance with the Privacy Code 2020 and in accordance with any Order requirements.”

And that:

“Anyone who knowingly accesses or uses or attempts to access or use the app for an unlawful purpose (including but not limited to fraud or attempted fraud or hacking or attempted hacking) may be liable to prosecution under New Zealand Law.”

The app does little to make itself seem secure.

All smartphones can screen-shot and/or screen-record. So, there is the ability for a business to record all verified passes, the customer's full name and date of birth – information that is often used in identity theft or sold for marketing databases. Other apps disable the ability to screen-shot or screen-record, something that could have been built into the NZ Pass Verifier.

NZ Tracer App QR code scanning and/or record-keeping must still continue in the Traffic Light Framework, meaning to enter a restaurant or cafe will take two scans. It's easy to see a business simply recording the vaccine verifications using a screen-recorder, for no other reason than ease.

Why does the verifier app need to give someone’s full name at all?

There are obvious ways that the passes can be duplicated or used by people other than who the pass was generated for, so how do businesses know they’re even verifying the right person anyway?

For an app that the government knew it would need many months ago, it seems a little rushed. Time will only tell how well it will work and how safe our personal data really is.