Swiss platform for digital vaccination card must shut down
In Switzerland, a solution for a digital vaccination card was launched under the website "meineimpfungen.ch", promoted by the Federal Office of Public Health. Especially in the current situation, it was supposed to make a Covid-19 vaccination easy to verify, for example so that Swiss residents could travel to destinations where proof of vaccination is required.
However, it was precisely this purpose-built module where things went badly wrong.
It became known back in March that the platform had significant security vulnerabilities.
The basic idea was that citizens could record as simply as possible when they had been vaccinated and check for themselves which vaccinations they might still be missing. This is personal data of a special category under Art. 9(1) GDPR. Users were assured that third parties (such as medical staff) would only be able to access this data with their consent.
Unfortunately, the reality was quite different: anyone who cared to could register as a doctor on the platform without any further verification and could then view all user data. The user ID was simply the timestamp of the registration time, so a given user's vaccination card could be found by trial and error, i.e. by enumerating plausible IDs. The practitioner ID numbers required to register as a doctor are listed in a publicly available directory in Switzerland, so they could easily be misused for this purpose.
With somewhat more technical know-how, it was reportedly also possible to gain access through the password reset function.
Beyond registering as a fake doctor and viewing data, it was reportedly also possible to change the data: to move people into risk groups or to manipulate vaccination records.
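The two design flaws described above, predictable record IDs and an access check that only asks "is the caller a doctor?", are illustrated in the following added example. This is not the platform's code (its actual implementation is not public); it is a constructed Python model with made-up users and timestamps. The vulnerable registry mimics the reported behaviour, `enumerate_cards` shows what a self-registered "doctor" can do with it, and the hardened registry shows the two fixes a practitioner would expect: unguessable IDs and per-record authorisation based on the owner's explicit consent.

```python
"""Added example, not code from meineimpfungen.ch. All users, timestamps and
practitioner names below are constructed for illustration."""
import secrets
from dataclasses import dataclass, field


@dataclass
class VaccinationCard:
    owner: str                                   # user who created the card
    entries: list = field(default_factory=list)  # vaccination records
    consented: set = field(default_factory=set)  # practitioners the owner authorised


class VulnerableRegistry:
    """Mimics the reported design: the record ID is the registration
    timestamp, and the only access check is 'is the caller a doctor'."""

    def __init__(self):
        self.cards = {}

    def register(self, owner, registered_at):
        record_id = str(registered_at)           # predictable: Unix time of signup
        self.cards[record_id] = VaccinationCard(owner)
        return record_id

    def read_card(self, caller_role, record_id):
        if caller_role != "doctor":              # role check only, no per-record check
            raise PermissionError("doctors only")
        return self.cards[record_id]             # KeyError if no card for this ID


def enumerate_cards(registry, start_ts, end_ts):
    """What a self-registered 'doctor' can do against VulnerableRegistry:
    walk a window of timestamps and collect every card that exists."""
    found = {}
    for ts in range(start_ts, end_ts):
        try:
            found[str(ts)] = registry.read_card("doctor", str(ts)).owner
        except KeyError:
            continue                             # no card registered at that second
    return found


class HardenedRegistry:
    """Unguessable IDs plus per-record authorisation: a caller reads or edits a
    card only if they own it or the owner has explicitly granted them access."""

    def __init__(self):
        self.cards = {}

    def register(self, owner):
        record_id = secrets.token_urlsafe(16)    # 128 bits of randomness, not enumerable
        self.cards[record_id] = VaccinationCard(owner)
        return record_id

    def grant_access(self, owner, record_id, practitioner):
        card = self._authorised(owner, record_id, owner_only=True)
        card.consented.add(practitioner)         # consent is per card, per practitioner

    def read_card(self, caller, record_id):
        return self._authorised(caller, record_id)

    def add_entry(self, caller, record_id, entry):
        self._authorised(caller, record_id).entries.append(entry)

    def _authorised(self, caller, record_id, owner_only=False):
        card = self.cards.get(record_id)
        allowed = card is not None and (
            caller == card.owner or (not owner_only and caller in card.consented)
        )
        if not allowed:
            # Same error for 'no such record' and 'not allowed', so a guesser
            # cannot use the response to learn which IDs exist.
            raise PermissionError("record not found or access not granted")
        return card


if __name__ == "__main__":
    v = VulnerableRegistry()
    for owner, ts in [("alice", 1615000000), ("bob", 1615000042), ("carol", 1615000100)]:
        v.register(owner, ts)
    print(enumerate_cards(v, 1615000000, 1615000101))   # all three cards found

    h = HardenedRegistry()
    rid = h.register("alice")
    h.grant_access("alice", rid, "dr_mueller")
    print(h.read_card("dr_mueller", rid).owner)         # alice
```

Note that the hardened registry does not depend on verifying who is a doctor at all: even someone who registers with a practitioner number taken from the public directory sees nothing until a card owner grants them access to that specific card. Random IDs alone would not be enough either, since an ID that leaks (in a URL, a log, a shared link) would still open the record to any "doctor"; the per-record consent check is what enforces the promise the platform made to its users.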
This not only undermines the whole purpose of the portal, but also represents a significant violation of user privacy.
Confronted with these findings, the operator initially took the platform offline to fix the flaws. By then, however, many users had lost confidence and wanted their data deleted. For this, the operator demanded a certified copy of the user's ID, which costs the user the equivalent of around 13 euros, along with further personal data and, for minors, proof of custody. The operator refused to cover these costs. According to the operator, each user would be able to carry out the deletion themselves as soon as the platform was back online.
However, this never happened. The operator is unable to resume operation of the website, and there is still no solution for how users can regain control of their data.
Here, very basic data subject rights under the GDPR are obstructed and, in the end, effectively denied.
Supervisory proceedings have already been initiated against the operators.
Unsurprisingly, the Swiss parliament does not consider the platform to meet the standards that the recently passed Swiss Covid-19 law sets for a digital vaccination certificate solution.
What further action will be taken against the operator remains to be seen.