An online store is very popular on social networks: it sells personalized cards containing a health pass. Although the French company does not appear to be ill-intentioned, the practice is very risky for users.

The widespread use of the QR code for the health pass calls for some good practices. One of the most basic rules is not to post your pass on social media. But the rule is even more universal: your health pass must remain private.

In recent days, a company called Alomora has been talked about on social networks and in several media outlets. Its offer: it prints personalized cards, similar to Pokémon cards, with the QR code of the health pass. The price is 15 euros. On Twitter, a post about this store has nearly 50,000 likes and over 5,000 retweets. The site recently told BFM that it is facing constant demand.

But isn’t all this risky?

Contacted by Numerama on this subject, the CNIL (National Commission for Informatics and Freedoms) wished to draw attention to the sensitivity of the data stored in QR codes and therefore “the need to take care to only expose them to people specially authorized to control them”. Passing on your health pass to an online store is therefore a practice to be avoided, even if the site in question is not necessarily ill-intentioned.

“The implementation of such a file (…) implies a high level of security”

Alomora’s legal notices show that the company stays within the law, since it complies with the GDPR (the European regulation on the protection of personal data), in particular by stating what becomes of the data used.

Despite its legality, and whether it concerns this particular site or another that emerges, the process remains problematic in practice. The CNIL explained to us that two problems in particular arise: the duration of storage and the security of the information.

“The data retention period must be strictly limited to the purposes/objectives pursued by the processing/file. In this case, as soon as the personalized card is issued, the QR code no longer appears useful,” Mathias Moulin, deputy secretary general of the CNIL, tells us. This means that a service like this must absolutely commit to deleting the QR code as soon as the card is made.

However, in an earlier version of Alomora’s legal notices that we were able to consult on October 21, 2021, the site stated: “Alomora undertakes to delete or archive Customer data at the end of a period of 3 years following the last purchase, and the Prospect data after a period of 3 years following the last interaction.”

Such a storage period is excessively long, and at the time there was no mention of immediate deletion of the file containing the QR code.





Numerama tried to contact the site on this subject but, a few hours later, on October 22, its legal notices had changed, now stating: “The file that you saved before ordering, to allow us to make your personalized card, will be deleted immediately after your order has been shipped. We do not keep your file longer than the time needed to design, print and send your card. Once the card is printed and shipped, the file is destroyed.”

The fact that the site has changed its legal notices (and possibly its practices) is not a bad thing. On the contrary, it is not impossible that Alomora has become aware of the sensitivity of the data it handles. But it is a reminder that this is not a sale like any other.

On this point, the deputy secretary general of the CNIL tells Numerama that another major issue arises for such a service: “Furthermore, the implementation of such a file, containing sensitive information, implies a high level of security, in addition to compliance with other obligations related to information and the collection of specific consent from individuals.” The data in your health pass QR code is indeed not trivial: it contains your complete identity, in addition to your vaccination status. We were unable to find out how Alomora secures the process.

“In any case, the CNIL insists on the fact that people are recommended not to transmit their QR code,” concludes Mathias Moulin. In summary: transmitting the QR code of your health pass to any private company is strongly discouraged.

Alomora has not yet responded to our inquiries.

