The world is buzzing about the need to create a COVID-19 “vaccine passport” or certification to verify that people are cleared to travel within and across borders. Some of us may even have one already.
People want to be able visit family, return to work or simply go to the store without wondering if they’ll be turned away. Businesses are eager to get back up and running at full speed. And many economies need tourism to recover. So, international bodies, governments, schools, the healthcare community and businesses across every sector are putting their heads together to come up with a way to “reopen” safely. By all accounts, this is going to be conditional. We must either employ an aggressive testing strategy or require proof of vaccination – and possibly both – to help people feel confident that we can resume some level of normalcy without risking public health.
However, not all governments are setting their vaccine verification frameworks at the same speed, and there are inconsistencies in the requirements defining when, where and how vaccination must be verified. This fragmentation is leading to frustration and delays. It’s also creating gaps in a process that must be globally applied to be most effective.
On top of that, much of the world’s population still does not have access to a smartphone, which means that we can’t exclusively rely on a mobile app-based verification system. And the paper-based “proof of vaccination” documents most commonly issued today can be lost, stolen or fraudulently replicated, leaving few to trust the accuracy and/or ownership of hard-copy certificates. Therefore, we must formulate a framework that can be leveraged by all verifying entities no matter when, where and how they want to apply it – and it must be tamper proof! As people travel, very sensitive personal data is going to be seen by a lot of individuals and organisations who may not be technically required to comply with the strict data and privacy protection mandates in place in the European Union, for example. And there are always bad actors looking to breach large databases to steal identities and, in this case, valuable vaccine “passports.”
As a result, many are starting to wonder if it’s even possible to create a verification system that is accessible to – and trusted by – all stakeholders around the world.
I know I’m just one person, but I have confidence that we’ll find an answer. In fact, I think we already have!
It is hard to fathom just how many “impossible” tasks were completed in the last year thanks to technology. Not everything was perfectly executed, and things most certainly weren’t easy. But my colleague Dieter Avella put things perfectly into perspective in his blog post when he said: “…it is difficult to imagine how we would be coping if this pandemic had hit us ten years ago, in 2010, when most of the technologies that are helping us did not exist or were in the early stages of development…”
Businesses, communities and individuals have all persevered thanks to continuous innovation and a little ingenuity.
In fact, there are actually several “modern” technologies that were first invented decades ago to solve a very different problem than they do today. That’s why we are constantly looking at our solutions portfolio here at Zebra to see if there are hardware or software components that can be applied in new ways to address evolving challenges, such as the need for a COVID-19 vaccine verification system that can cater to everyone.
Together with the IOTA Foundation, we’ve uncovered a way to leverage distributed ledger technolog (DLT) – which often used to facilitate trusted data exchanges in trade – to create a global vaccine verification system that can be accessed and trusted by all.
Governments have already been actively exploring blockchain and distributed ledger technologies for vaccination certification, because they both allow for a single source of truth to be created and shared across multiple parties. Access can be universal, if desired, and the data records tightly secured. In fact, one of the reasons why DLT and blockchain are so widely used in supply chains and shipping channels is because they create immutable digital ledgers. But, unlike blockchain, DLT-based technology solutions are more scalable, efficient, and tamper proof. Specifically, DLT is built around open-source technology to allow for feeless transactions. This makes DLT a better candidate for applications such as a vaccine verification system in which data security, privacy and accessibility are top concerns.
As I mentioned in my last blog post, DLT has quickly become a catalyst for fast border crossings of freight and packages in many parts of the world. Many supply chains are also using them to track and trace goods as they move from one point to the next to increase accountability and help mitigate losses. Now, there is an opportunity to use DLT as the foundational element of a digital credentialing system that can allow people to freely move about in public and give countries the confidence that virus transmission can be slowed as travelers increasingly cross their borders.
In essence, IOTA has developed a decentralised and totally secure electronic record system called Selv that uses a combination of to create a feeless framework for generating and validating digital credentials. A new digital identity can be freely created by any individual or organisation via the Selv app and credentials can then be used by verifiers to link a person’s identity with health records, including COVID-19 test results or – in this case – vaccination.
Credentials are digitally signed by trustworthy authorities such as doctors, healthcare providers or COVID-19 testing authorities. And the public keys needed to verify the testing authority are published to a distributed ledger – in this case, the IOTA Tangle.
Individuals can use Selv to acquire their health certificates, share their health status with employers and even apply for a visa to prove they are fit for travel. And anyone verifying a credential can reliably confirm:
✔ which authority issued the credential;
✔ that the credential is being presented by the person it was issued to;
✔ that the credential is genuine;
✔ that the credential has not been revoked.
It’s a win-win!
What’s more, individuals don’t have a device in hand – or at all – in order to prove COVID-19 vaccination history. They can sync and “store” their electronic record in any type of document that has a barcode or QR code, including a label or card.
Here’s how such a system could work (in five simple, effective steps):
1. Report vaccination and issues credentials – A healthcare provider (“the issuer”) will create an electronic record of an individual’s vaccination using a mobile device such as a clinical smartphone or tablet.
2. Create a personal identifier – The issuer prints a secure smartcard or label and give it to the vaccinated individual (“the user”). It will have either a barcode or QR code encoded with vaccination data that can be later verified with a simple scan. The health status is stored ‘within’ the card or label, with an optional backup on the IOTA Tangle.
If the user has a smartphone, the credentials can also be issued digitally. The user can open the Selv app and scan a QR code to log into the web portal using the digital identity. The vaccination credential can then be downloaded to the Selv app to present to verifiers in lieu of a printed card or label. This is a convenient option for those who have digitalised their wallets and don’t want to risk losing the paper-based credential. Their health status is now stored locally on the device, with an optional backup.
No matter which option is selected, the user now owns the data and is the only person who can claim ownership.
3. Patient vaccination data is sent through the IOTA Tangle – This helps to protect against fraud and also allows a printed label or card credential to be easily replaced if necessary.
4. Validate data – The verifier, using a handheld mobile computer or other data capture device, scans the barcode or QR code on the user’s card, label or personal smartphone. Depending on the organisation’s permission settings, the verifier will then see either the full set of encoded data (name, vaccine, data etc.) or simply a ‘tick’ (confirming vaccination) or a ‘cross’ (indicating that vaccination requirements have not been met).
5. Access granted – The user will immediately be able to go about his or her life, as the verifier will have no reason to question the accuracy of the vaccination credential.
Beyond restoring people’s freedoms to move about as they please, the beauty of this DLT-powered framework is that it fixes all the issues uncovered thus far with other vaccine verification methods. Credentials are:
- Accessible: Although many are eager to digitalise every aspect of this process, it’s simply not going to be feasible on a universal scale. The only way to standardise on a single globally accessible system is to support both digital and physical verification mechanisms. With this solution, everyone has a way to prove they meet vaccination requirements no matter where they are in the world, smartphone or not.
- Replaceable: The user can request reissue of the printed card or label at any time if lost, stolen or damaged, and they don’t have a way to digitally produce the verification documentation via Selv on a mobile device. This should help many breathe a sigh of relief as the piece of paper currently being issued to millions around the world as the official – and only – vaccination record is not replaceable. If they lose it, they’re out of luck.
- Private: The vaccination card must no longer list sensitive details such as the vaccine manufacturer/product name, lot number or vaccination date and location. That data can be stored in the barcode or QR code.
- Secure: The IOTA Tangle uses DLT to provide a decentralised, cryptographically secure trust protocol between authorities, organisations and individuals and prevent unauthorised access to user data stored either in electronic health . And the framework relies on the use of a barcode or QR code, which enables credentialing organisations to securely encode user data contained within both digital and physical identifiers.
From a sheer logistics perspective, I wouldn’t be too surprised if most governments and healthcare providers ultimately opt to continue with hard-copy vaccine credentials. It’s something that can easily be issued to every citizen in every country without restriction.
However, it’s not efficient to manually fill out a vaccination card for each individual and doing so wouldn’t align with the digital verification strategy that supports a highly secure and globally trusted “passport” model – which is the ultimate goal here.
Therefore, it’s important that credentialing organisations invest in enterprise-grade handheld computers and scanners that allow issuers to quickly and accurately capture user data. Industrial-grade printers will also be needed to reliably print high volumes of smartcards and labels with the proper data encoding capabilities. Just know that without the right supplies, these other things won’t matter.
For example, the physical identifier must be tamper-proof as I mentioned before. There is already a large black market for fraudulent test certificates, and the same is expected to happen with vaccine cards if they are not properly secured. So, if you opt to issue smartcards, confirm that they have integrated near-field communication (NFC) chips and highly secure watermarking technology to aid with data security and reduce the potential for fraud. Ideally, the card media should also have security features such as nano text, 2D/3D holography and a hidden or laser-retrievable image. And countries that want to attach a vaccine verification label to a passport or national ID should only use labels that automatically void upon removal. This will deter theft and mitigate fraud.
If you’re a verifying entity, you’ll need handheld mobile computers, scanners or tablets with a reliable 1D/2D barcode reader or the ability to scan QR codes. Ideally, the devices you use should be able to read dirty, damaged, scratched and faded barcodes, even from a good distance away. (Social distancing is still going to be necessary for a while.)
The vaccination verification system framework I just described can easily be implemented on a broad scale. However, DLT, mobile computing, scanning, printing and labeling technologies aren’t the only components of this solution – they are just foundational building blocks.
We’ll need the support of capable partners to develop the front-end software for data aggregation and access among credentialing, issuing and verification entities. So, if you want to collaborate with us, let us know! (If you’re not yet a Zebra partner, you can learn more about our program here.) Developers who want to start building can find guidance on this framework on either the Zebra or IOTA github pages.
If your entity will either be responsible for credentialing, issuing or verifying vaccine certificates and you want to discuss the potential framework applications for your organisation, you can contact me or my team and we’d be happy to set up a call.
Alex Fryer is currently the Intelligent Edge Solutions (IES) Regional Product Manager and responsible for driving the go-to-market in EMEA for Zebra’s IES portfolio. Alex has more than eight years of experience within the technology industry and has driven the go-to-market strategies in a number of sectors. Alex holds a BA in Marketing & Language Studies from the University of Liverpool.