The World Health Organisation (WHO) has released the first of a series of design documents concerning digital proof of COVID-19 vaccination, as the start of a process to standardize digital versions of existing paper “home-based” records and the international “certificate of vaccination or prophylaxis” aka the Yellow Card: “Interim guidance for developing a Smart Vaccination Certificate” (SVC). 

The WHO position so far can be summed up as “Not Too Much Technology; Not Too Much Identity”.

Digitizing proof of vaccination

WHO sets out a worthwhile set of reasons for wanting digital proof of vaccination.  This is a contested policy arena; there are plenty of concerns that vaccine passports would lead to discrimination in employments and travel.  The WHO emphasizes that the making of rules for the use of any SVCs remains a matter for other policy makers. 

So, bearing in mind that proof of vaccination has policy problems, this is how WHO describes the motivation for digital proof:

SVCs can enhance existing paper home-based records and the [Yellow Card] by combining the functionality of both. Additionally, SVCs can provide a way to mitigate fraud and falsification of “paper only” vaccination certificates by having a “digital twin” that can be verified and validated in a reliable and trusted manner, for health, occupational, educational, and travel purposes (as per national and international policies); without depending on an individual verifier’s subjective interpretation. Once an individual’s vaccination record is available in a digital format, additional functionality can be built to support things like automated reminders for the next dose or linkages to other immunization information systems (though these are outside the scope of this document). An SVC is intended to allow for multiple types of use without requiring an individual to hold multiple vaccination records.

Verifiability of vaccination credentials

Until WHO released its guidance, the endeavour to digitize proof of vaccination had been dominated ― almost captured ― by two movements: Self Sovereign Identity and blockchain. Dozens of press reports through 2020 positioned “Verifiable Credentials” as the key to managing vaccine rollouts and “reopening economies”. Some pundits seem to think the long-awaited killer app for digital identity has finally arrived; see e.g. “Coronavirus jumpstarts race for digital ID”.

Several digital proofs of vaccination are being piloted, most of which boast blockchain, including the Evernym IATA TravelPass and IBM’s project in New York City. One of the leading programs in this space is the COVID Credentials Initiative (CCI) formed a year ago by 60 or so companies almost all focused on blockchain. CCI’s messaging today centers on verifiable credentials and minimizes blockchain references.  Yet nevertheless, verifiable credentials are seen by most commentators and technologists as synonymous with ‘identity on blockchain’.

In my view, the technological task of digitizing proof of vaccination is straightforward. Blockchain is neither necessary not sufficient, and no new order is needed for “user-centric” identity management in healthcare (especially in the midst of a pandemic where the priority must be to deliver health services without complicating the way healthcare is managed). 

Verifiable credentials on the other hand are a very good idea indeed, in digital proof of vaccination.  Let’s unpack what is really needed here. 

In essence, any verifiable credential is an assertion about a data subject ―such as “This person had a COVID Type ABC vaccination on April 1, 2021” ― which is digitally signed by or on behalf of the party making the assertion ― such as “Nurse 12345678, ACME Central Vaccination Clinic”.  Ideally the verifiable credential contains a key pair bound to a data carrier controlled by the subject (typically a cryptographic wallet) so that each time the credential is presented, it is signed afresh by the subject’s private key, giving the receiver confidence that the presentation was made with consent of the individual. The fresh dynamic signature also conveys information about the type of wallet the credential was presented from.

Despite the excitement around the new W3C verifiable credential standard and the popular association of verifiable credentials with blockchain, we have had cryptographically verifiable credentials for many years.  The original verifiable credentials were in fact smartcards and SIM cards.

Whenever you use a Chip and PIN smartcard, the merchant terminal cryptographically verifies the digital signatures of the card-issuing bank (proving the account details are genuine) and of the cardholder (proving the transaction was created afresh on the spot, under the cardholder’s control). The same sort of thing happens when you place a mobile phone call: the SIM card digitally signs a packet of account details, proving to the network that you are a legitimate subscriber.  These attributes about end users in different systems are cryptographically verified at the edge of the networks, without ‘calling home to base’.

What has WHO decided?

WHO convened a Smart Vaccination Certificate Working Group  to publish standards for SVC security, authentication, privacy and data exchange.  The interim guidance is the first in a series of three drafts and public consultations leading to a final specification in mid 2021. The Working Group has deliberated already and closed off a number of design decisions, around medical terminology, clinical coding standards, the format of the patient vaccination record, and the technology of the SVC global trust network which will make the certificates widely available and recognizable.

In my view the WHO work has two serious and most welcome implications.  

Firstly the Working Group has expressly endorsed PKI as the technology for a new WHO trust framework for global interoperability of digitized proof of vaccination.  They drew on decades of ICAO e-passport experience and consider the issue of trust framework technology to be "closed " [Ref: line 218 of the consultation paper]. Nevertheless they appreciate that implementing PKI is a significant undertaking, reporting that several countries have called for “assistance related to the establishment of their [public health authority's] national public key infrastructure” [Ref: lines 208-214].  The role of the WHO to facilitate PKI availability and deployment is a work in progress.

Secondly, WHO has stressed that digitized vaccination proofs will not supersede the time-honoured Yellow Card: “vaccination status should still be recorded through the paper-based International Certificate for Vaccination, and Prophylaxis”.  Furthermore, identification of vaccination recipients will be undertaken under existing practices.  That is, WHO sees no need to intervene in identification practices and is not entertaining any idea of a new digital identity framework. The interim guidance spells out that it is expected that a “health worker is able to ascertain the identity of a subject of care, as per the norms and policies of the public health authority” [lines 381-382] and “the identity of the subject of care SHALL be established as per Member State processes and norms” [line 501]. Furthermore, “the SVC is not an identity” [line 382].

In a nutshell, WHO has decided that digitization of the Yellow Card will not entail too much technology (such as the new and unproven blockchain methods or exotic verifiable credentials) and neither will it entail new identity philosophies (such as Self Sovereign Identity, which has untold impact on the way patients and healthcare systems interact).

My analysis and proposal for a Digital Yellow Book

These positions set out by WHO are most welcome, given the tendency for new digital identity movements and technologies to complicate public policy.  I recently wrote a short paper on just these issues and presented it to an IEEE symposium on public interest technologies: “A digital Yellow Card for securely recording vaccinations using Community PKI certificates” (IEEE International Symposium on Technology and Society, 12-15th November 2020, Tempe Arizona).

We should digitize nothing more and nothing less than the fact that someone received their vaccine.  A verifiable credential carrying this information would include the place, date and time, the type of vaccine, and the medico who administered or witnessed the shot.  The underlying technology should be robust, mature and proven at scale ― as is PKI and public key certificates ― and available in a choice of form factors ranging from passive universally accessible 2D barcodes through to contactless electronic certificates in smart phones and medical devices.

Above all, digitizing the fact of a vaccination must be done within the existing contexts of public health administration around the world. No new patient identification protocols should be imposed on health workers.  Let us assume that they know what they are doing today when assessing patients, administering vaccines and keeping records.  There is no call for a new digital identity framework, even if “user centric” seems appealing.  The digitization effort should focus on taking vaccination events and representing them digitally faithfully, accessibly and in-context.