Patrick Mathieu says creating an app that can read the contents of Quebec's digital vaccine passports isn't that hard to do.
The co-founder of Hackfest, an annual hacker event in Quebec City, says two of its members built an app that could access a person's name, date of birth and vaccination status by scanning the QR code provided to Quebecers by the Health Ministry.
"Two [people] that are not experts in this at all … built an application where you scan [the QR code]," said Mathieu. They built the app in about 20 hours.
Starting Sept. 1, Quebecers will have to show proof of vaccination to access certain non-essential activities. Businesses will have access to a free app from the government that simply tells the user whether or not a customer is adequately vaccinated.
But Mathieu says a less scrupulous business owner or employee could build or purchase a third-party app that instead saves their data, which also includes where a customer received their vaccinations and if they have contracted COVID-19.
No location data is accessible from the QR code.
"Obviously the risk is low," said Mathieu. "But it exists because the government chose technology that is not secure for privacy."
Mathieu says it's not just the QR code that could be exploited — Hackfest also found a bug in the app when it was being developed that led to over 300,000 QR codes being exposed online. He says they notified the developer, Akinox, and the issue was resolved in 24 hours. But he doesn't have a lot of confidence in the company.
"Their development environment is exposed on the web. We can see their source code, they have bugs," he said.
Developer, Health Ministry insist system is safe
In a written statement to CBC News, Akinox CEO Alexander Dahl says the company has been working closely with government experts in cyber security, privacy and protection of personal information throughout the development process.
He says the vaccine passport and everything in the app was thoroughly audited and approved.
Much like people are responsible for protecting the information on their medicare cards and driver's licenses, Quebec's Health Ministry says it's important to not publicly post your QR code, and only share it with businesses that require proof of vaccination.
Risk of 'malicious intent'
Mathieu says someone with "malicious intent" who owns several restaurants and bars could track the movement of a specific client as their QR code is scanned by third-party apps at their establishments.
But he says a more likely scenario is an individual employee looking someone up online.
"You go to a restaurant, the person at the door who scans your QR code thinks you're super cute, gets your name …stalks you on Facebook, gets into your DMs and harasses you," he said.
He says it's frustrating seeing the government using a system that has the potential to be exploited, when Quebecers already have paper proof of vaccination that they could show at the door instead.