More than just your name on vaccine QR codes

·3 min read

When Digital Government Minister Sarah Stoodley told residents last month to keep their vaccine passports to themselves, she had good reason to.

It turns out there’s a little more information encoded on that magic square than businesses will be able to see when they scan it with the NLVaxVerify app.

“It’s important that when you get this, you guard it as you would your MCP number, for example,” Stoodley told reporters at a news conference in September. “I wouldn’t post a picture of my QR Code on social media or anything.”

A QR (“quick access”) code looks like a box with a bunch of randomly sized smaller boxes inside it. It’s similar to a bar code, but is two-dimensional.

The ones issued by the Newfoundland and Labrador Centre for Health Information (NLCHI) are designed so that when they are scanned by the NLVaxVerify app, they simply divulge the person’s name and a colour-coded message as to whether the vaccination requirement is met or not.

The app is the only one businesses in Newfoundland and Labrador are allowed to use by law.

So, how much more information is actually stored in the code?

Just two other things: your birthday, and the exact details of which vaccine doses you received and when.

If you read the privacy agreement on your NLVaxPass app, it doesn’t actually deny that more vaccination details are contained in the code, only that the person scanning it doesn’t see them.

“The information that is readable when you present your QR code via the application to a representative of a third party, to allow your QR code to be read with the Verify application, is as follows: Full name; Protection status (indicated by a coloured block),” it says.

“The third-party representative will not see any other information other than what is referenced immediately above.”

However, a Twitter user in Newfoundland demonstrated last week that a simple online scanner can bring out the other information on your passport code.

Scott Stamp says he created a website that will do this (, based on a similar project undertaken by an engineering student in Quebec.

The site transforms your smart device into a scanner.

“This information can be read by anyone who has access to your QR code,” he told The Telegram via Direct Message.

In fact, Stamp says he’s checked out codes from eight other provinces using a similar system and his scanner works on all of them.

“Some provinces include gender (I assume matching your declared gender on photo ID; Quebec has this for example).”

While the information does not include other medical data, it could indicate whether a person has been exempted from vaccines for a medical reason — something the Verify app apparently won’t reveal.

Stamp said he hasn’t yet tried a code from someone with a medical exemption.

However, he did say the code system is a good one.

“I think the vaccine passport system is a great idea and personally I don't consider this information private,” he wrote. “If the employee is checking your photo ID anyway, everything but the vaccine information is already there.”

The Telegram asked a department spokesperson whether the potential for the extra information to be exposed should be cause for concern, but received the same advice that Stoodley gave about guarding your code.

On its FAQ site, however, the province does state, “You can request the business or organization to show you their device screen to verify they are using NLVaxVerify prior to presenting your QR code. NLVaxVerify does not save your personal information.”

Peter Jackson, Local Journalism Initiative Reporter, The Telegram

Our goal is to create a safe and engaging place for users to connect over interests and passions. In order to improve our community experience, we are temporarily suspending article commenting