HealthCerts — Part 1
If you are evaluating digital solutions for Covid-19 test results, vaccination certificates and passports, here’s what you should know.
Hullabaloo
Much ink has been spilled about vaccination certificates and vaccination passports on the web but details of implementation have often been glossed over.
Let’s dive in to separate the wheat from the chaff, amid all the hullabaloo.
Vaccination Status vs Vaccination Certificate
If I am an officer trying to check your vaccination records, here are two methods for me to verify. You can either show me your vaccination status or send me your vaccination certificate.
Method 1 — Show your status
You log in to your mobile app. With your unique identifier, the app fetches your vaccination status from a trusted database and displays it on your mobile device.
You then show me your screen to visually inspect your vaccination status, but this screen can hardly be differentiated from an edited screenshot or a spoofing app. As a result, there is too much of such (not so new) news.
This method is often marketed as digital passport. But not all that glitters is gold.
Method 2 — Send me your certificate
With this method, your certificate exists in a form of a digital document that you chose to store somewhere — the hard drive of your PC, mobile devices or cloud storage.
You can choose to send this certificate to me via WhatsApp, Telegram, Email, Dropbox or in a thumb drive carried by a pig🐦on, etc…
Upon receiving your certificate, I will then go through the verification process to (a) verify the authenticity of the certificate, (b) ascertain its provenance and (c) trust that the certificate is not revoked — more on this later…
The key difference between the two methods is the location of verification.
- In method 1, I will need to believe whatever you are showing me on your device, which also means you need to be physically present.
- In method 2, the verification process is performed on my trusty device and not a visual inspection of your glittering screen.
Vaccination Passport vs Vaccination Certificate
There are some digital health passports that merely display vaccination status (method 1), some that store and send vaccination certificates (method 2) and few that can do both. Let’s compare them.
Method 1 — Show your status
In this method, the digital passport is a mobile app that seeks to be the certificate or at least pretends to be one. 😏
Even though this “Show your status” method has obvious flaws as mentioned in previous section, this method bestows great power on the solution provider as the key arbiter of trust for safe travel.
With a stronger position to monetise from the network effect between issuers and verifiers, solution providers are commercially incentivised to provide solutions with method 1 than 2.
The history of fake passports is as old as some countries because controlling the movement of people has always been, and will continue to be a lucrative business.
Method 2 — Store, view and share your certificate
In this method, a digital health passport is a mobile app to store, view and share vaccination certificates. It does not seek to supplant the digital certificate but to complement it.
The key purpose of this mobile app is to improve the user experience of handling digital documents, akin to a file explorer/manager.
In both methods, the digital health passport should also provide strong identity assurance to prevent impersonation — that the owner of the certificate is indeed the owner of the app.
In addition, digital health passports can provide convenience to the traveller by providing information of authorised clinics/laboratories, flight info, travel requirements of countries, etc… at the right place and the right time.
Verification Process
Method 1 expects me to trust the screen and needs no explanation. This section is about verifying the vaccination certificate.
Trust but verify. Or faith in disguise?
To trust the certificate, there are three requirements to meet.
- I must be able to verify the authenticity of the certificate. In other words, the verification process must inform if the certificate has been tampered with.
- Its provenance can be ascertained so that I know if the clinic/lab is qualified and not a fly-by-night institution.
- And if the certificate is revoked, the verification process must inform me that it is no longer valid.
Is the format proprietary?
I’m not saying it’s proprietary when otherwise but it’s obviously not proprietary when any QR code reader can read it and render its content to human-readable form like this.
However, if you need a special reader/app to render its content to human-readable form, you should ask if there are alternative readers available.
Qn: Is interoperability an incentive or a tech problem?
If you can use any email clients — gmail, outlook, hotmail — to receive and send emails to your friends, why are messages in modern messaging apps — WhatsApp, Telegram, Slack, etc — stuck in their own apps?
And if alternative commercial readers are available, make sure you are neither using a spoof app nor one that’s designed to steal (your traveller’s) data. 😏
What’s coming…
In Part 2, I’ll cover the key components of HealthCerts and how you can use it to help your country with safe travel.
If you are a medical institution looking for help to issue HealthCerts, here’s the list of HealthCerts providers.
For more information on HealthCerts, check out our developer portal.
Our team is looking for software/quality and devops engineers who are passionate about tech and want to help us build awesome digital services for Singapore! 🇸🇬
Reach me at steven_koh@tech.gov.sg (ゝ‿ ・)
Want to know more? Here’s how we operate and the work we do.
Cheers! 🍻😊
