WHO digital proof of COVID-19 Vaccination - Draft 1

By Steve Wilson
April 07, 2021

The World Health Organisation (WHO) has released “Interim guidance for developing a Smart Vaccination Certificate” (SVC), the first of a series of design documents concerning digital proof of COVID-19 vaccination. It marks the start of a process to standardize digital versions of existing paper “home-based” records and the international “certificate of vaccination or prophylaxis”, aka the Yellow Card.

Digitizing proof of vaccination

WHO sets out a pretty widely understood and worthwhile set of reasons for digital proof of vaccination (and emphasizes that making rules for use of SVCs remains a matter for other policy makers):

SVCs can enhance existing paper home-based records and the [Yellow Card] by combining the functionality of both. Additionally, SVCs can provide a way to mitigate fraud and falsification of “paper only” vaccination certificates by having a “digital twin” that can be verified and validated in a reliable and trusted manner, for health, occupational, educational, and travel purposes (as per national and international policies); without depending on an individual verifier’s subjective interpretation. Once an individual’s vaccination record is available in a digital format, additional functionality can be built to support things like automated reminders for the next dose or linkages to other immunization information systems (though these are outside the scope of this document). An SVC is intended to allow for multiple types of use without requiring an individual to hold multiple vaccination records.

Verifiability of vaccination credentials

The technological task of digitizing proof of vaccination should be quite straightforward, but until WHO released its guidance the endeavour had been dominated ― almost captured ― by two movements: Self-Sovereign Identity and blockchain. Dozens of press reports through 2020 positioned “Verifiable Credentials” as the key to managing vaccine rollouts and “reopening economies”. Some pundits seem to think the long-awaited killer app for digital identity has finally arrived; see e.g. “Coronavirus jumpstarts race for digital ID”.

Several digital proofs of vaccination are being piloted, most of which boast blockchain, including the Evernym IATA TravelPass and IBM’s project in New York City. One of the leading programs in this space is the COVID Credentials Initiative (CCI), formed a year ago by 60 or so companies, almost all focused on blockchain. CCI’s messaging today centers on Verifiable Credentials and minimizes blockchain references, but nevertheless Verifiable Credentials are seen by most commentators and technologists as synonymous with ‘identity on blockchain’.

What’s really needed here? In essence, any Verifiable Credential is an assertion about a data subject ― such as “This person had a COVID Type ABC vaccination on April 1, 2021” ― digitally signed by or on behalf of the party making the assertion, such as “Nurse 12345678, ACME Central Vaccination Clinic”. Ideally the Verifiable Credential contains a key pair bound to a data carrier (typically a cryptographic wallet) so that when the credential is presented it comes with a fresh secondary signature created by the private key, allowing the receiver to tell what sort of data carrier it came from and, depending on the type of carrier, be sure the presentation was made with consent of the individual controlling the data carrier.

Despite the public interest in the new W3C standards and the association of Verifiable Credentials with blockchain, we have had cryptographically verifiable credentials for many years, in the form of smart credit cards. When you use a Chip and PIN smartcard, the merchant terminal cryptographically verifies the digital signatures of the card issuing bank (proving the account details are genuine) and of the cardholder (proving the transaction was created afresh on the spot, under the cardholder’s control). These facts are verifiable in a decentralised way; that is, without calling home to base.
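
The two-signature structure described in the last two paragraphs (an issuer-signed assertion plus a fresh signature from the data carrier, both checked without calling home), as an added Go example that is not from the original post or the WHO guidance. Ed25519, the byte layout and the names Issue, Present and Verify are assumptions chosen for illustration; no real credential format is implied.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Credential is the issuer-signed assertion, bound to the data carrier's public key.
type Credential struct {
	Claim     string
	HolderKey ed25519.PublicKey
	IssuerSig []byte
}

func join(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// Issue signs holderKey||claim; Verify enforces the key length, so the split is unambiguous.
func Issue(issuer ed25519.PrivateKey, claim string, holder ed25519.PublicKey) Credential {
	return Credential{claim, holder, ed25519.Sign(issuer, join(holder, []byte(claim)))}
}

// Present creates the fresh secondary signature: the carrier key signs the
// verifier's nonce together with the issuer signature it is presenting.
func Present(holder ed25519.PrivateKey, c Credential, nonce []byte) []byte {
	return ed25519.Sign(holder, join(nonce, c.IssuerSig))
}

// Verify runs offline: it needs only the trusted issuer key and the nonce it chose.
func Verify(trusted ed25519.PublicKey, c Credential, holderSig, nonce []byte) error {
	if len(c.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(trusted, join(c.HolderKey, []byte(c.Claim)), c.IssuerSig) {
		return errors.New("issuer signature invalid")
	}
	if !ed25519.Verify(c.HolderKey, join(nonce, c.IssuerSig), holderSig) {
		return errors.New("presentation not fresh or not from the bound carrier")
	}
	return nil
}

func main() { // constructed sample keys, claim and nonce
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil)
	walletPub, walletKey, _ := ed25519.GenerateKey(nil)
	cred := Issue(issuerKey, "COVID Type ABC vaccination, 2021-04-01", walletPub)
	nonce := []byte("constructed-nonce-0001") // random per presentation in practice
	fmt.Println(Verify(issuerPub, cred, Present(walletKey, cred, nonce), nonce)) // <nil>
}
```

A verifier holding only the issuer's public key rejects an altered claim, a presentation replayed against a different nonce, and a credential copied to a carrier that holds a different key.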

What has WHO decided?

WHO convened a Smart Vaccination Certificate Working Group to publish standards for SVC security, authentication, privacy and data exchange. The interim guidance is the first in a series of three drafts and public consultations leading to a final specification in June 2021. The Working Group has deliberated already and closed off a number of design decisions, around medical terminology, clinical coding standards, the format of the patient vaccination record, and the technology of the SVC global trust network which will make the certificates widely available and recognizable.

In my view the WHO work has two serious and most welcome implications.

Firstly, the Working Group has expressly endorsed PKI as the technology for a new WHO trust framework for global interoperability of digitized proof of vaccination. They drew on decades of ICAO e-passport experience and consider the issue of trust framework technology to be “closed” [Ref: line 218 of the consultation paper]. Nevertheless they appreciate that implementing PKI is a significant undertaking, reporting that several countries have called for “assistance related to the establishment of their [public health authority's] national public key infrastructure” [Ref: lines 208-214]. The role of the WHO here is a work in progress.

Secondly, WHO has stressed that digitized vaccination proofs will not supersede the time-honoured Yellow Book: “vaccination status should still be recorded through the paper-based International Certificate for Vaccination, and Prophylaxis”. Furthermore, identification of vaccination recipients will be undertaken under existing practices. That is, WHO sees no need to intervene in identification practices and is not entertaining any idea of a new digital identity framework. The interim guidance spells out that it is expected that a “health worker is able to ascertain the identity of a subject of care, as per the norms and policies of the public health authority” [lines 381-382] and “the identity of the subject of care SHALL be established as per Member State processes and norms” [line 501].

Furthermore, “the SVC is not an identity” [line 382].

My analysis and proposal for a Digital Yellow Book

These positions set out by WHO are most welcome, given the tendency for new digital identity movements and technologies to complicate public policy. I recently wrote a short paper on just these issues and presented it to an IEEE symposium on public interest technologies. See “A digital Yellow Card for securely recording vaccinations using Community PKI certificates”, IEEE International Symposium on Technology and Society, 12-15th November 2020, Tempe Arizona.

Based on our experience building a mobile credentials wallet for the Department of Homeland Security and bringing that to market as ValidIDy, I argue we need an elegant system to digitize nothing more and nothing less than the fact that someone received their shot. Such a Verifiable Credential would include the place, date and time, the type of vaccine, and the medico who administered or witnessed the shot. The underlying technology should be robust, mature and proven at scale ― as is PKI ― and available in a choice of form factors from passive universally accessible 2D barcode through to contactless electronic certificates in smart phones and medical devices.

Above all, digitizing the fact of a vaccination must be done within the existing contexts of public health administration around the world. No new patient identification protocols should be imposed on health workers. Let us assume that they know what they are doing today when assessing patients to receive vaccines. There is no call for a new identity framework. Rather let us focus on taking the results of vaccination administration and representing them faithfully, reliably and in context in digital form.