A verifiable proof-of-vaccine system for Alberta
A lot has happened since my last blog post about “Alberta’s concerning approach to COVID-19 and its potential impact”. The government has backtracked on its plan to reduce testing, and it recently introduced new public health restrictions. 61.0% of Alberta’s population is now fully vaccinated compared to 57.7% on 17 August 2021 when I published my previous post. Over the past five weeks, hospitalizations increased from 161 to 954, daily cases are up from 582 to 2,020, and active case count went up from 5,354 to 20,614. The numbers show that the situation in Alberta has worsened — and it is going to get worse before it gets better. Alberta’s government recently “reluctantly” agreed to introduce a proof-of-vaccine system (the government is not calling it a vaccine passport). The government introduced an easily forgeable vaccine card, and it plans to introduce a QR code shortly. Today, nothing is stopping a dishonest person from forging the vaccine card. Organizations have no way of verifying a person’s information from the vaccine card.
Here’s a possible technology-based solution to make the proof-of-vaccine (or whatever Alberta calls it) more tamper-proof. Alberta Health should use asymmetric cryptography to digitally sign Albertans’ COVID-19 vaccination information and make the signed information available in the proof-of-vaccine. It could be made available via a QR code on the vaccine card (paper or digital). At a high level, Alberta Health will sign COVID-19 vaccine information for Albertans using its private key. Alberta Health will need to take great care to protect the private key and keep it safe. Alberta Health will then make its public key publicly available to the world so organizations can verify an individual’s vaccine information. This approach works for both paper-based and digital proofs-of-vaccine. Organizations will need to download and use an app that can perform the verification. This app can contain the public key to avoid querying a central system and introducing potential privacy concerns about tracking Albertans. To mitigate against possible implementation security issues, make the source code open-source. It allows security experts to review the code and identify privacy and security issues. It also makes the system transparent to Albertans.
The VCI SMART Health Card framework provides the technical specifications to implement the system that I described above. VCI is a voluntary coalition of public and private organizations committed to making verifiable clinical information accessible to individuals. Alberta can leverage the SMART Health Card framework to avoid re-inventing the wheel and making mistakes. VCI members include Apple, Mayo Clinic, MITRE Corp, Microsoft, health authorities, and universities. Quebec implemented its VaxiCode and VaxiCode Verif vaccine passports using the SMART Health Card framework.
It is also worth mentioning that being fully vaccinated does not mean that one cannot get COVID-19 or infect others with COVID-19. A benefit of a proof-of-vaccine system is that it helps to reduce the risk — not eliminate risk. The latest stats from Alberta Health data shows that 1 out of 5 hospitalizations involve fully vaccinated people. We still need to maintain some public health measures even when we are fully vaccinated. Vaccination alone will not see us through COVID at this time. Remember that none of the vaccine manufacturers provided us with 100% assurances. Alberta should not treat proof-of-vaccine as a way for businesses to be exempt from all public health restrictions.
Let’s do the right thing, Alberta. An easily forgeable vaccine card is no good to anyone. We need a secure and verifiable proof-of-vaccine system in Alberta. Also, let’s avoid creating the false narrative that vaccination alone is the magic solution. At least for now, vaccination needs to be augmented with some public health measures for COVID-19.
Opinions are my own.
