It has been over a year since the hard-hit travel industry started using COVID certificate systems to resume limited business activity. More industries are voluntarily or involuntarily joining along as the global population gets vaccinated and governments impose certificate-based entry rules. This series is designed to help public health authorities and technology implementers navigate the myriad applications, standards and initiatives emerging today.
Governments lead the way in standards adoption
The COVID Credentials Initiative (CCI) joined Linux Foundation Public Health (LFPH) in December 2020 with a clear goal in mind – working with key stakeholders in fighting against public health issues to make the right decision on technology. At LFPH, we have been supporting public health authorities and their government and industry stakeholders with technical expertise, market insights, and implementation guidance. In the meantime, we are working with our community of technologists to develop standards and software that can help both the public and private sectors address today’s public health issues with tomorrow in mind.
While many technical groups and industry solutions emerged early on in the pandemic to address immediate market needs, we saw a shift over the past few months – governments, with the European Union leading the way, were stepping up to drive technical development and put necessary policies in place to guide implementations. As more jurisdictions launch their systems, it has become clearer that the world is converging on several key standards and technology options. We are glad to see this trend and are actively working with jurisdictions and technical communities to facilitate cross-border collaboration and further convergence of standards for international travel.
An overview of the four main standards and technology options for COVID Certificates
Over the next few days we will walk you through the four major standards and technology options that are widely used or being considered by governments around the world: EU DCC, DIVOC, SMART Health Cards, and ICAO VDS. While we recognize the importance of WHO’s Digital documentation of COVID-19 certificates: vaccination status, we chose not to include it in the article because it is more of a high level guidance document, which is used as a reference by the major standards and existing implementations, but does not provide an implementable framework in and of itself.
Commonalities and Differences
What the four all have in common is that they have the same core basic mechanism – PKI technology – to create digitally signed certificates in either paper or digital form. The core basic mechanism ensures that when a verifier looks at the information presented they can know if it has been altered and if it has come from a trusted issuer. They are all static QR code based systems even though they use different data structures and encryption protocols. While static QR codes are expedient for the pandemic use case, their use carries a number of risks, including:
- Each of these credentials-in-a-QR code is a unique identifier for its subject that is easily correlated across presentations;
- The QR codes contain PHI/PII that can be seen by anyone gaining access to the QR code;
- Lost QR codes expose individuals PHI/PII to anyone that finds and scans the QR code.
There are data formats and sharing and exchange protocols that significantly reduce these risks and should be considered in future iterations of health credential deployments. However, we also need to take into consideration the low-tech situations (e.g. paper credentials, low-end devices) where dynamic QR codes and more advanced protocols are not applicable.
The main differences between these four are their intended purposes. DIVOC and SMART Health Cards are designed for digital credentialing, focusing on giving individuals their medical data/records in the form of verifiable credentials. The DCC and ICAO VDS are solving the problem of enabling international travel. Even though all of them may eventually be used for travel purposes, one needs to consider the potential modifications or additional work needed if one is adopting DIVOC and SHC for cross-border travel. The DCC is currently the most widely used standard for international travel, making it important for all others to consider interoperability with the DCC.
At LFPH, besides interoperability, we also care deeply and discuss extensively about privacy and protection of personal data. One capability key to privacy protection that all of the four has not included yet is selective disclosure, the functionality that allows individuals to only disclose the minimum amount of data needed for a particular verification. All of the four defined the datasets with the goal of limiting exposure of personal data, but since it is not entirely clear how individuals will need to use the certificates for different use cases, we may see times that they have to reveal a lot more information than they need and want to. We will dive more into this topic in one of our future articles.
If you are a government institution or an industry organization navigating your way through the complicated COVID certificates landscape and needing more insights and advice, please reach out to us at email@example.com. Existing COVID certificate solution providers can get ongoing support and insights by joining our COVID Credentials Initiative.
Authors: Lucy Yang, Community Director at the COVID Credentials Initiative (CCI), LFPH; Kaliya Young, Ecosystems Director at the COVID Credentials Initiative (CCI), LFPH