The My Vaccine Pass is being emailed to people as an editable PDF.
I could not believe it when a reader emailed me to point this out.
I thought they must be mistaken. Surely the Ministry of Health would dispatch it as a read-only file?
But when I fired up Adobe Acrobat, I could open my Vaccine Pass and change my name or the expiry date simply by using the text editing tool (your Vaccine Pass is only valid for six months because the definition of "fully vaccinated" will change next year as booster shots become available).
It would not wash with, say, Air New Zealand, if I changed the details on my Vaccine Pass, because my original details would show in the (still-in-the-works) verification app after the airline scanned my QR code.
But I'm guessing a busy waiter or distracted retail worker might be okay if they're just sighting printouts - or the Pass onscreen - rather than scanning each punter's code.
On social media, my followers from the tech industry were initially split between those who were surprised, and those who thought it was no big deal, but the discourse shifted in favour of the latter.
Auckland University statistician Thomas Lumley pointed out that the official verification app will automatically reject an expired Vaccine Pass.
And another follower waded through the documentation for third-party apps, and found a date-check was included in the framework.
The likes of travel agents and gyms will be able to build the Government's official verification spec into their own apps - and one of the criteria they will be required to confirm is that the expiry date is in the future.
Another issue for wannabe fraudsters: you'll need the right fonts on your computer, or your edits will look a bit wonky.
Richard Clark (whose day job is chief technology officer at Sharesies) summed up the consensus that emerged when he said:
"Would it have been a good idea to set read-only? Sure. Is it a sign of incompetence or a risk that it wasn't done? Not really."
And Ministry of Health group manager national digital services Michael Dreyer weighed in a day later to clear up the issue.
"The QR code is scanned to verify authenticity and this relies on encryption. Any changes to the QR code will invalidate the key check and therefore can be identified as fraudulent," Dreyer told the Herald.
"Additional features to the PDF like 'read-only' or 'locked' or 'password protected' may have a negative impact on the number of computers/devices that can open the PDF because of the variety of ways the PDF standard is implemented."
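The check described above, sketched as an added example that is not the Ministry's code or pass format: a verifier accepts only a payload whose signature verifies and whose expiry date is in the future, and it reports the signed details rather than whatever text is printed on the PDF. The JSON payload, the field names, the helper names and the use of Ed25519 are assumptions made for illustration; the article does not describe the pass's real encoding.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Pass is a hypothetical payload layout (assumption, not the real pass format).
type Pass struct {
	Name, DOB string
	Expires   time.Time
}

// NewIssuer returns a constructed test key pair standing in for the issuer's keys.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// Issue serializes the pass and signs the bytes that would go into the QR code.
func Issue(priv ed25519.PrivateKey, p Pass) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Verify trusts only the signed QR payload, never the text printed beside it.
func Verify(pub ed25519.PublicKey, payload, sig []byte, now time.Time) (p Pass, err error) {
	if !ed25519.Verify(pub, payload, sig) {
		return p, fmt.Errorf("signature invalid: payload altered or wrong issuer")
	}
	if err = json.Unmarshal(payload, &p); err != nil {
		return p, err
	}
	if !p.Expires.After(now) {
		return p, fmt.Errorf("pass expired on %s", p.Expires.Format("2006-01-02"))
	}
	return p, nil
}

func main() {
	pub, priv := NewIssuer()
	now := time.Date(2021, 11, 18, 0, 0, 0, 0, time.UTC) // constructed "today"
	payload, sig, _ := Issue(priv, Pass{Name: "Sample Holder", DOB: "1980-01-01", Expires: now.AddDate(0, 6, 0)})
	fmt.Println(Verify(pub, payload, sig, now))                  // accepted: signed details, nil error
	fmt.Println(Verify(pub, payload, sig, now.AddDate(1, 0, 0))) // rejected: expiry is in the past
}
```

Because the verifier reads the name and expiry from the signed payload, an edit to the visible PDF text changes nothing it sees, and an edit to the payload itself fails the signature check.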
There's also the separate issue that a Vaccine Pass carries your name and date-of-birth, and of course the QR code that carries your vaccination status data, but no photo - so there's nothing to stop you lending it to someone of a similar age.
Covid Response Minister Chris Hipkins noted that venues could request that someone display a photo ID as well, and that many hospo venues already have a bouncer checking IDs. Retail and hospitality industry groups questioned whether that was feasible for venues that don't usually bear the cost of someone on the door. Hipkins said police would help out with enforcement.
AWS in the clear, Microsoft in the frame
The ministry did offer a couple more slivers of information on the overloading and error messages that struck the My Covid Record site on its launch day.
Yesterday, Ministry of Health group manager national digital services Michael Dreyer told the Herald that part of the issue was a cyber defence system that mistook the surge of genuine visitors for a DDoS attack of automated bots. A blocking mechanism was triggered, preventing some people from accessing My Covid Record.
The MoH said in a separate statement that, "The service uses a mix of Amazon Web Services and Azure capabilities." AWS is Amazon's cloud computing division. Azure is a cloud computing service run by Microsoft.
A ministry spokesperson later added, "We would like to clarify that AWS wasn't involved in the outage earlier this morning and their systems are operating as usual. There was no malfunction of AWS systems."
But while the MoH dashed online rumours about AWS, it only stoked them about its other major technology partner involved in My Covid Record.
Asked who was in the frame, given AWS was in the clear, the MoH's Dreyer this morning sent a fresh comment, saying "Microsoft resolved an issue that may have been a contributing factor and is working with the Ministry of Health to deliver access to the platform as efficiently as possible."
Follow-up questions were not immediately responded to.
AWS referred questions to the Ministry of Health. Microsoft has been asked for comment.
How it works
When the system is ship-shape, you can register at the My Covid Record site for a My Vaccine Pass.
If you qualify, an email is sent to you by the Ministry of Health containing a link to add the Vaccine Pass to your smartphone's Apple or Google Wallet (where it displays under your credit card after you open your wallet app).
You also receive a copy as an attached PDF, which can be stored on your device or printed out.
If you're non-digital, you can phone the MoH on 0800 222 478 and request that a hard copy be snail-mailed to you.
The Government says Vaccine Passes will be required once the country moves to the traffic light system.
A Vaccine Pass will not be required for entry to a supermarket, school or pharmacy, or to use public transport, but "may" need to be scanned before you can enter a retail or hospitality venue, a concert or sports event, or a faith-based gathering.