Security considerations emerge as Finland adopts Covid pass

Yle explores the inner workings of Finland's newly-introduced health pass.

People were out and about on Friday night on Helsinki's main Mannerheimintie thoroughfare. Image: Silja Viitala / Yle

Finland introduced a national Covid pass on Friday. The basic purpose of the pass is to allow businesses, such as restaurants or gyms, to circumvent regional coronavirus restrictions by ensuring that customers have been fully vaccinated against the virus, have recently tested negative or have recovered from the virus.

How does it work?

Businesses use THL's reader app to scan Covid passes. Scanners can only see an individual's name, vaccination and test details. The reader app will turn green if a pass holder is fully vaccinated or has a recent negative test result. If these conditions aren't met, the reader app will flash red.

Covid pass QR codes, however, contain more information than THL's reader app displays, according to researcher Mikko Hyppönen at cyber security company F-Secure.

The pass holder's full name, date of birth and whether Covid protection is based on vaccination or a recent negative test result are embedded within the QR code. It also includes information on what type of vaccine a person has received and when.

Hyppönen told Yle it's not too difficult to draw this information from a QR code.

"Just as with other personal identification details, it's not wise to paste one's Covid pass QR code online or on social media," he said, though adding that identity theft would also require access to additional information.

Fake apps, false certificates

Juhani Eronen, a leading expert at the National Cyber Security Centre, noted it was important that businesses download public health institute THL's official reader app (siirryt toiseen palveluun) as counterfeit ones have also emerged.

"Counterfeit apps are circulating. Restaurateurs and event organisers must ensure that they download the official Covid pass reader from a reliable app store. You have to watch out for criminal applications aimed at misusing personal information," Eronen explained.

Black markets for fraudulent health passes have sprung up in many countries, including Finland. But is it actually possible to fake a Finnish QR-based Covid pass?

Cyber security experts told Yle that while it's possible to fake something that looks like a Covid pass, a fraudulent QR code will not contain officials' digital signature, meaning THL's reader app is able to spot fraudsters.

The digital signature makes it nearly impossible to use a valid Covid pass to forge a fake one, according to Hyppönen.

"A Covid pass protected with a digital signature is as secure as Finnish online banking," he said.

This hasn't, however, stopped some 10,000 sellers peddling false Covid certificates on messaging service Telegram, according to a study by IT security company Check Point.

It's unclear how many people have actually purchased these certificates.

"We've seen the adverts, but transactions occur in private chats, not on a public forum," Jarno Ahlström, a cyber security expert at Check Point explained.

Event organisers are supposed to check that a person's identity matches the name on their Covid pass.

"Those doing the checking need to establish that the names match up. This means you also need to carry a personal ID in addition to the Covid pass," Eronen explained.

Criminal law professor Kimmo Nuotio, however, said that someone attempting to borrow a friend's Covid pass will not face official sanctions, as showing a fake ID to a bouncer or store clerk is not criminalised.

However, forging Covid passes or attempting to pass them off to the authorities or police is against the law.

Businesses are unable to use the Covid pass reader to record how often patrons frequent their venues. Health officials meanwhile do collect anonymised data on health pass use, meaning they do not record information on individuals' specific movements.