Immunity Passport — Part 2: Specification

In my previous post, I explored the topic of COVID-19 immunity passports. If you haven’t read it, I highly recommend you do. In this post, I will propose a technical specification for building a digital immunity passport.

The anatomy of an ICVP

The International Certificate of Vaccination or Prophylaxis (ICVP) is an official document issued by the World Health Organization that serves as proof of immunization against certain diseases. It’s typically used as proof of immunization against yellow fever, which is mandatory in many countries. Occasionally it’s used for other diseases, such as polio. It’s the ideal starting point for designing a digital immunity passport.

Let’s take a look at the different sections of the ICVP and highlight the different standards that could be used to represent them:

As you can see, the ICVP can be split into 3 parts:

Identity

A digital immunity passport needs a way to identify its subject. Without it, we wouldn’t know which person is certified to be immune to a disease. People would trade them, and they would lose their purpose.

The ICVP identifies a person with their name, birth date, sex, nationality, and national identification document. This is the least common denominator of most identification documents issued in the world. While the vast majority of people use the ICVP for international travel and therefore hold a passport, we can’t assume that everyone being issued an immunity passport will have a passport. In fact, as of 2018, only 42% of Americans had passports. In other countries, the numbers might be even lower. If we can’t use the passport as the universal identity document on which to build this digital standard, what else can we use?

The passport is only one of the 3 travel documents described in ICAO’s Document 9303 specification: TD1, TD2 and TD3 (passport). They all have one thing in common: a Machine-Readable Zone (MRZ). Here’s what it looks like:

If your country issues a national identity card, it’s very likely that it respects the TD1 standard and features an MRZ on its back:

I haven’t done the math yet, but I suspect that over 50% of the world’s population holds at least one of these documents (TD1 or TD3). If that’s the case, it could be the ideal standard on which to build the digital identity standard required for a digital immunity passport.

Here’s how the content of the above MRZs might look like in JSON:

We now have what looks like a standard way to digitally represent a person’s identity that is verifiable against an official identification document.

Medical

A digital immunity passport needs to indicate the details of a person’s immunization status. Since we don’t yet have a vaccine, and we don’t know if and when we’ll have one, it needs to be flexible enough to account for alternative ways to assess immunity, such as positive antibody test results. The details of an intervention or test — such as the method, manufacturer, or lot number — should also be present to increase certainty. As we learn more about the disease, we might adjust what tests, methods, manufacturers, or even lot numbers we recognize as indicative of immunity.

There are a lot of standards in the field of healthcare, but the most popular ones come from the HL7 organization. Their latest recommendation, Fast Healthcare Interoperability Resources (FHIR), is the perfect solution for modeling medical claims.

Here’s how the yellow fever vaccination event represented in the ICVP example might look like using FHIR’s Immunization resource when serialized to JSON:

Because we don’t yet have a vaccine for COVID-19, we need an alternative way to demonstrate indicators of immunity. The most common way is to test for the presence of antibodies. You might have seen these tests before:

Fortunately, the LOINC organization (maintainers of the leading database and universal standard for identifying medical laboratory observations) has been very responsive to recent events and already published their SARS-CoV-2 guidelines and codes. In the case of SARS-CoV-2 IgG and IgM rapid immunoassay antibody test results, we’re interested in codes 94508–9 and 94507–1. In FHIR,

Here’s how these test results might look like using FHIR’s Observation resource when serialized to JSON:

As you can see, we have a standard way to digitally describe vaccination, antibody testing, and pretty much any medical observation you might think of, thanks to FHIR and its ecosystem.

Signature

A digital immunity passport needs credibility. Anyone can copy the JSON above and edit it to make it look like they’re immune to COVID-19. With paper documents, we use signatures and official stamps to make documents more difficult to fake and give them some credibility. What’s the digital equivalent? Digital signatures.

A digital signature uses public-key cryptography to mathematically prove that some piece of data — in our case the above JSON representing a person’s identity and medical claims — hasn’t been tampered with and was verified by the specified entity (e.g., a clinician, a hospital, a government). Here’s what a digital signature might look like:

W3C’s Verifiable Credentials initiative attempts to make credentials, such as identity and medical claims, verifiable. They explain how claims and signature all fit together, and describe the whole process, from issuing to verifying credentials. This is exactly what we need.

Here’s an example of a verifiable credential given the above identity (Anna Maria Eriksson) and medical observation (SARS-CoV-2 IgM/IgG antibody presence):

This is starting to look like a very promising digital alternative to the traditional ICVP, using only widely recognized standards. Could it be the essence of a digital immunity passport?