Securing COVID-19 vaccine certificates with distributed ledger

Securing COVID-19 vaccine certificates with distributed ledger
© iStock-peshkov

Alex Fryer at Zebra Technologies discusses global vaccine certification systems combined with the use of distributed ledger technology to improve data security and prevent fraud.

As COVID-19 vaccination programmes are now well underway in many countries across the globe, the question of vaccine certification rollouts is being discussed for use in international travel and other areas of transmission risk. However, choosing the right kind of certification system is vital – whether physical or digital – and concerns have been raised regarding the logistics of rolling out these systems, data security, and fraudulent certificates.

Alex Fryer, Intelligent Edge Solutions (IES) Regional Product Manager at Zebra Technologies, discusses the use of physical certifications combined with distributed ledger technology for increasing data security and decreasing the possibility of fraud.

Logistical challenges of global vaccine credentialing systems

The rollout of digital certification systems raises several issues – namely that not everyone has access to a smartphone – not only in mature economies in Western and Northern Europe but also in countries such as Africa and in the Middle East.

“A number of countries and the EU have currently set their own guidelines, stipulating that they are recommending certification of some sort for vaccinations – so, Zebra Technologies’ focus is on what the requirements are around physical certificates. We see a necessity for a physical certificate because, of course, not everyone has a smartphone. We are looking at how to provision the certificate in a scalable and simple way,” says Fryer.

“We have a portfolio of printers that print smart cards and basic cards, and printers that print sticky labels which could have anything such as text or a QR/barcode.”

Hundreds of thousands of these printers are already deployed across the world.

“Governments could be supported by a printer that could print the physical certificate at the time of the second vaccine. The challenges lie around scalability, and we are confident we have this scalability as we have a community of partners that are already working with governments and healthcare authorities, including, in some cases, ones that have distributed ID cards which have to interface into government/software systems. So, we have relationships that will already help us with this interoperability challenge.”

The importance of verification and data security

Verifying any vaccination certificate raises huge challenges, as with any paper tracing system, there is the possibility of fraudulent certificates, which Fryer says comes down to a trade-off in security. Currently, Israel’s system sees individuals printing off their own certificate – or ‘green passport’ – however, there have been several reports of people obtaining fraudulent certificates, and INTERPOL has also warned about the lack of security around a piece of paper printed by an individual.

“If the physical certificate is a card or a label that is attached to a physical ID that needs to be verified there is going to be a huge variety of applications and devices that will need to verify that certificate,” says Fryer.

“The EU has said best way is to use a QR code for interoperability and avoiding fraud – but a QR code can be easily copied, which is why we are working with IOTA technologies which is a vendor of distributed ledger technologies. They have their own distributed ledger, and we work as a strategic partner because we see this as an important aspect of safeguarding the physical certificate, whether it is a label or a card with a QR code.

“We are giving guidance to steering groups to see what the most secure way is to do this, and how physical certificates can be connected to a distributed ledger. The EU, for example, has said that they will launch a gateway for interoperability that they will manage and host but ultimately, it could be a distributed ledger that avoids the risk of fraud. On the physical certificate itself, we have done demonstrations around connecting them to a distributed ledger, but also, physical certificates can have security much like driving licensing or banknotes whereby there are physical watermarks that can avoid the risk of fraud. Further, the labels that we are able to print are tamper-proof.”

Zebra and IOTA have implemented the building blocks of a system and partnered to build a key component which is the software layer that sits above the Zebra hardware and IOTA’s distributed ledger system.

“How it works is that on the certification side it is printed by the printers in a card or label form and has credentials added as well as a unique identifier. This unique identifier can also be added to the EU gateway or whatever is the decided decentralised backbone of the system – the unique identifier is what connects the card with governments’ health systems and with the verifying applications.

“The system uses the distributed ledger to look for the unique identifier, so, that way it is not understanding anything about the person when it presents back the information about the vaccination. It will not know an individual’s name, for example – it can present as a simple tick or cross. So, from a data privacy perspective, limiting the data on a verification app is a good thing. No personal data is stored on the ledger at all, except the unique identifier that no one can tie back to the person unless they have the authority to access the data. That authority would be, and what we recommend, only done by a registered health authority.

“The benefit of a card is that you can store up to eight kilobytes of data, however, with a QR code you can only store about 200 to 400 bytes. When you think about the data you would need to be stored on the card you would need the first vaccine which is about 200 bytes of data, but you might also need other data on there, such as test results, natural immunity, and boosters, for example, so with a smart card you can add as much data as you would need for around five years.”

Fryer highlights that, so far, the EU has set some guidelines regarding its digital green pass and is looking at how they can support and enable interoperability.

“Ultimately, Member States and others not part of the EU will decide on what they want to roll out in their system. A smart card that has an embedded chip is what we feel is the most secure way of storing credentials and verifying them in order to prevent fraud and protect the data security of the individual – the trade-off is that it might be slightly more costly than having a standalone label with a QR code attached to an existing ID or vaccination booklet.”

By Stephanie Price

Subscribe to our newsletter


Please enter your comment!
Please enter your name here