6 Oct 2021

Covid-19 vaccine certificates: How they might work and what questions remain

7:00 pm on 6 October 2021

The government will need to give more detail on how vaccine certificates will work for those who can't be vaccinated for medical reasons, a computer systems engineer says.

Qr code payment , online shopping , cashless technology concept

The QR code showing vaccination status will be able to be carried in paper form or on an app. Photo: 123RF

Yesterday, Prime Minister Jacinda Ardern announced Cabinet had agreed to the use of vaccine certificates in Aotearoa, and they were likely to be a digital Covid-19 vaccination certificate containing a QR code.

The codes can be printed out on paper, and there will be an app available for venues to use to verify the QR code is genuine.

The government aims to have the vaccine certificates in use by next month.

Technologist Andrew Chen, a computer systems engineer and research fellow at the University of Auckland, was waiting for further detail on the policy for people who cannot be vaccinated due to a medical condition, and on ensuring QR codes were not misused.

"From a technology perspective, the main benefit that we have had is that we've been able to see how this technology has been rolled out overseas," Chen said.

"We'll be able to learn from their experiences, and I would say at this point the European Union [standard] has been pretty robustly tested."

He said New Zealand's planned system is similar to the European Union standard, the EUDCC, with a QR code that a verifier app will be able to scan.

"In that QR code is encrypted information about the individual and their vaccination and/or test status.

"The way that this has been done is that they'll make sure that only legitimate people can generate the QR codes, and then only legitimate people will be able to decrypt the QR codes which will help keep that private information a bit safer.

Non-vaccinated people

Chen said staff checking QR codes at venues should not have to deal with any information about health conditions underlying a vaccination exemption.

"What we heard yesterday was that if you have a verifier app for a venue operator, then they'll only see a vaccination status and a name, and that status might just be a green check or a red cross.

"One of the open questions at the moment is whether somebody who is unvaccinated for legitimate health reasons ... if you scan their vaccination certificate maybe it'll just come up with a green tick to say that this person is allowed in.

"I think that's a question that the government's going to have to grapple with from a policy perspective and from a public health risk perspective.

"I don't want your average retail worker to have to figure out whether or not this particular disease is a legitimate exemption for not being vaccinated.

"The more that we can abstract that away by just showing a green tick or a red cross the better that will also protect the privacy of those individuals."

There could be different level of access in the a verifier app for staff checking people into a festival compared to those checking people at the border, Chen said.

"That's a little bit of the tricky stuff that might throw a spanner in the works, but we'll have to see what the policy looks like in the coming weeks."

Hacking risk 'low'

While no technology system was 100 percent immune from cyber attack, Chen said the systems were designed "as well as they can be".

The information contained in the certificates was backed by the Covid Immunisation Register, "which is the central source of truth around people's vaccination statuses".

If New Zealand's vaccine certificate was in a similar format to that used in Europe, Chen said he would be "reasonably comfortable" the risk of our information getting hacked was relatively low.

"Most of the attacks that we can see probably require in-person interventions rather than relying on cyber hacking."

Covid-19 Response Minister Chris Hipkins said the government was working to make sure a verification system meant certificates could not be forged.

"There will be a system where those who are scanning people in will be able to verify that the name on the QR code matches the name that's registered against the vaccine. "The certificate was "aimed at places of particular risk", Hipkins said.

Misuse of QR codes

Other countries have experienced the problem of people using a QR code that was not their own, Chen said.

"The QR code will reveal your status and your name. In theory what was supposed to happen overseas is that you're supposed to then also get another form of ID.

"So in New Zealand that might be your drivers licence or passport that has your photo on it and then you would check that the person's face matches the name on the ID which measures the name on the vaccination certificate.

"What we've seen overseas is that a lot of places have just not bothered because it's a bit too much of a hassle, and so that hasn't been enforced as much.

"But they're living in a different context where having a small number of unvaccinated people attend a baseball game, is perhaps okay given that they've got more cases in the community, whereas here you know even one unvaccinated person attending a large summer festival might present a significant risk.

"So I think we might be a bit more strict about that."

Chen said clarity was also need on when the use of certificates might be phased out, such as a sufficiently high vaccination rate or a specific alert level.

"It is only under extraordinary circumstances, with the current public health crisis, that we can justify the use of certificates in this way."

Get the RNZ app

for ad-free news and current affairs