New security measures on way after Macron’s health pass leaked online
Changes for QR codes being worked on after the president and French prime minister had to replace their codes. What should you do if your pass is stolen?
When scanned using the TousAntiCovid app, a health pass does not reveal to the public whether someone has been vaccinated. Pic: sylv1rob1 / Shutterstock
The leak of President Macron’s health pass on social media has prompted the French government to make changes to the system so holders can create new QR codes if needed.
Yesterday (September 21), Emmanuel Macron’s health pass was shared on social media, including on Snapchat and Twitter. As well as his date of birth, it specified the date of his Pfizer/BioNTech vaccine.
Shortly after, the QR code of Prime Minister Jean Castex was also circulated. His code was captured in a published photograph of him holding it up on his mobile phone.
Both QR codes have now been invalidated and anyone who attempts to use them risks a fine of €45,000 and three years in prison.
In the case of President Macron, it is believed the leaked data must have come from a health professional. This has been considered more worrying, especially for someone whose security is supposed to be the highest in the country.
Whether the leak was accidental or deliberate has yet to be determined, but the Caisse Nationale de l'Assurance Maladie (CNAM) has now referred the matter to the French Medical Authority, the Conseil de l'Ordre des Médecins.
In response to the leaks, MP Éric Bothorel yesterday sought to play down the risk of possible stolen QR codes.
He told FranceInfo: “There is no foolproof system as such. But the harm to someone who has their QR code used without their permission is relatively small.”
Yet, he said that “checks must be intensified in order to identify those who trade” the codes illegally.
The issue of replacement QR codes
Currently, the process of replacing your QR code does not allow the holder to invalidate their old QR code. This means that technically, both the old one and the new one can still be used.
However, work is now underway to remedy this, with a new tool being rolled out to prevent fraudulent use of old QR codes (where people use others’ codes to get access to venues in which they would not otherwise be allowed).
Some people, including journalists, have already had access to this new tool, because (for example) they used their original code to illustrate articles about how the codes work.
But the tool will now be rolled out more widely, a ministerial source told BFMTV.
How will the tool work?
This has not yet been confirmed, but it is likely that it will include an online form or app on which users can invalidate their old pass.
It may also be a simple link on the website attestation-vaccin.ameli.fr, through which users could generate a new QR code, which would automatically invalidate and cancel the old one.
How secure is my health pass data?
When a health pass is scanned using the TousAntiCovid verification app, the only information that comes up is your full name, date of birth and whether the health pass is valid or not.
It does not reveal to the general public whether someone has been vaccinated, tested negative or has immunity after contracting Covid-19.
In addition, to maintain users' privacy, there are strict rules in place governing any third party apps that could be used to scan the information contained in a QR code.
This means that a QR code alone does not amount to much of a data breach.
It is also impossible to "track" someone using their QR code.
The data is not stored by the establishments that verify the passes. However, they must keep records of those responsible for checking passes each day.
It comes after some areas of France could be set to lift health pass rules after November 15, depending on the Covid situation in the region.
The Covid health pass is currently required for access to most public sites in France, including restaurants, bars, cinemas and theatres.
It shows proof of vaccination, proof of a negative test within the past 48 hours, or proof of recovering from Covid at least six weeks and not more than six months ago.