Due to significant data security deficiencies, Switzerland must finally close its only platform for digital vaccination certificates. “The meineimpfungen foundation has made enormous efforts in the last few weeks to fix the critical weaknesses previously identified,” reads the meineimpfungen.ch website. “A new overall assessment has shown that the platform can no longer be operated safely.”
The foundation was commissioned by the Federal Office of Public Health (BAG) to operate an “electronic vaccination log” and received financial support for this. 450,000 Swiss people have voluntarily registered their vaccinations electronically in the vaccination database, including 240,000 people vaccinated against COVID-19. Unfortunately, the module MyCovidVac has significant security vulnerabilities.
Farce: Everyone can play doctor
But even worse than the error in the code was an absurd design flaw: anyone could register as a doctor because the foundation hardly checked the necessary information, as the Swiss online magazine Republik uncovered in March: “Anyone who was once registered as a doctor had access to the vaccination and health data of all 450,000 recorded persons”, including the personal vaccination and health data of two government members, namely Foreign Minister Ignazio Cassis and Defense Minister Viola Amherd.
With a little technical knowledge, potential intruders or the registered “doctors” could even “manipulate the vaccination data and other health data”, Republik found. The users of the vaccination portal had been explicitly assured that only they themselves could grant access to medical professionals they trusted. No wonder then that the users were not informed about changes to their data.
The online magazine filed a complaint with the Federal Data Protection and Information Commissioner (FDPIC), who thereupon opened a formal procedure and prompted the foundation to take its website meineimpfungen.ch offline. The foundation wanted to make improvements and come back online in May.
To make matters worse, the operators set up hurdles for requests for information and for requests to delete personal vaccination data: in the case of deletion requests, the foundation asked for certified copies of IDs. That costs around 25 francs (just under 23 euros). The foundation also requested further information, such as personal data to identify the person making the request. Affected persons under the age of 16 were also to provide a certificate of custody, as the Swiss Foundation for Consumer Protection found.
The FDPIC supported this “interim solution” in terms of data protection, but demanded that meineimpfungen cover the costs of the certified copies of ID cards. According to SRF, however, the foundation refused: the website would be online again soon, so everyone could delete their data themselves.
Nothing will come of that for the time being. The foundation is unable to resume operations on the website. According to its own statements, it is now working “on a solution to make their vaccination data accessible again to users and asks for patience.” The necessary change is still being sought.