[This article first appeared in German on DNIP.ch]
When I was reading the original “Spiegel” article on the German Electronic Vaccination Certificate, I was fascinated (translation and emphasis mine):
Technically, the Ubirch system works as follows: After having been vaccinated, everyone is issued a QR code – on a plastic card, a piece of paper, via mail or app. The QR code is an anonymous fingerprint, non-reversibly generated from the personally identifiable information such as name, vaccination date, vaccine, as well as a random number. This is cryptographically signed and – for reasons of redundancy – stored in a total of five blockchains.
Patrick Beuth: “Ubirch und IBM erhalten Zuschlag für deutschen digitalen Impfnachweis”, 2021-03-09, Der Spiegel
Wow! Under time pressure and facing a completely new challenge for digital transformation, a government had struck gold and discovered the egg of Columbus. Great! Inside, I was dancing for joy. The remainder of my daily work had to wait. I wanted to learn more. (I did not know then that the article was wrong; it has been corrected in the meantime.)
The Quest for the Lost Fingerprint
The Spiegel article included an image of a plastic card with a huge QR code. On my computer, I deskewed the image to obtain a square QR code. Despite several trials and tricks, the QR code stubbornly refused to scan. Briefly, I considered redrawing the 2401 pixels by hand.
Suddenly it dawned on me that something must be rotten in the state of Denmark! 2401 pixels for a tiny anonymous fingerprint which could easily fit in a tenth of the space‽ I had to consult the original source.
The image on the Ubirch site is both clearer and annotated. The QR scanner immediately recognized the following URL in the 7225-pixel code (coloring mine):
No anonymous fingerprint in the QR code. Instead, the complete set of personally identifiable information, in plain sight for anyone who can snap a picture with their mobile. I had hit rock bottom! Ubirch was also completely open about it: the anonymous fingerprint is only ever mentioned in relation to the blockchain, never the QR code.
How does the Vaccination Certificate work?
Assume that the Vaccination Certificate were required to obtain a particular clearance. (And let’s not discuss here whether it is a good idea to link rights of the population-at-large to vaccinations.)
- A duly authorized person B wants to check my Vaccination Certificate.
- I show the QR code
- B takes out their mobile phone and scans the code
- The phone displays name, date of birth, vaccination date and several other items (see image)
- The phone calculates the anonymous (more accurately: pseudonymous) fingerprint and asks the five blockchains whether this fingerprint is stored there, presumably through an Ubirch server.
- On success, a green check mark appears. On failure, the entire block is plunged into flashing red lights, sirens are blaring and a parachute SWAT team homes in on me, to take me into custody. Maybe.
- B asks me for a proof of identity in the form of a photo ID
- B compares name etc. between his phone and the photo ID
- B compares the photo on the ID with my face
- If everything is fine, I may pass
Rather intricate. I had always presumed digital transformation would be less invasive and less error-prone. I am sobered.
- There is a three-way verification: from me via the vaccination certificate to my name, from my name via my photo ID to my face, and from there back to me as a person. Each of these comparisons requires sharing and verifying my personal information. The former should be avoided, the latter is too error-prone.
- Verification can only occur online. This means at least one server obtains these fingerprints. The server operator could therefore track where and when I have been verified. At some point, it might even de-anonymize the data set.
In short: Way too much data is collected, checked and sent around as part of this verification.
Keep the focus on the goal
The eponymous goal of the Vaccination Certificate is to certify that its holder has been vaccinated. Name, date of birth, passport number, vaccination date and time, or the vaccine are irrelevant in that context. Online queries are not inherently required, and the three-way comparison consists of too many steps.
What would a workflow look like which focused on privacy by design?
- Minimal information
- Offline, if possible (less data, lower risk of outages)
- As few steps as possible, each in turn as simple as possible
Option 1: Offline
- The QR code contains only minimal information, such as the number of your ID card
- This information is digitally signed by your vaccination center or doctor and handed to you as a QR code.
- A third item? There is no need for one; that is already all.
By the way: the resulting QR code is smaller, as fewer data have to be stored. This also makes it more readable, especially in poor lighting conditions. Trust me.
- B scans the QR code with their mobile phone
- The phone verifies the digital signature locally (no need to be online) and shows the ID number
- B compares the ID number with my photo ID, and the photo on it with my face.
(Behind the scenes, one can of course add certificate chains, salt, and revocation lists; a revocation list can be shipped to the verifier app periodically, so verification still needs no per-check online query. But please keep in mind that this is not access control for the nuclear launch silos. Even adding those will not detract from the simplicity of the workflow and the small amount of collected/transmitted data.)
Option 2: Online (or almost)
- No need for the photo ID. We are not interested in who the person is.
- Instead, we need a picture. At the time of vaccination, a photo is taken. Before it is transmitted anywhere, it is encrypted with a strong cryptographic key, a key stored only in the QR code.
- These individually encrypted photos can be stored centrally or distributed as part of the verification application. (A modern mobile phone can hold millions of photos suitable for face verification.)
For verification:
- B scans the QR code
- The phone verifies the signature and loads, decrypts, and shows the photo
- All that remains is to compare the two faces; no name or ID required
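To make both options concrete, here is a minimal issuer and verifier as an added example written for this edit; it is not Ubirch's code nor the author's implementation. It assumes Ed25519 signatures, a claim with the field names iss/id/k/p, a hypothetical issuer key id "centre-42", AES-256-GCM for the photo of Option 2, constructed stand-in bytes in place of a JPEG, and a QR text of the form base64url(signature ‖ claim); all of these are choices of this example, not of the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is all the QR code carries; field names are an assumption of this example.
type Claim struct {
	Issuer   string `json:"iss"`          // key id of the vaccination centre or doctor
	IDNumber string `json:"id,omitempty"` // Option 1: number printed on the holder's photo ID
	PhotoKey []byte `json:"k,omitempty"`  // Option 2: AES-256 key, stored nowhere but here
	PhotoRef string `json:"p,omitempty"`  // Option 2: where B's app finds the ciphertext
}

// Issue runs once at the vaccination centre: sign the claim with its Ed25519
// key and return the text that is rendered into the QR code.
func Issue(priv ed25519.PrivateKey, c Claim) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	// 64-byte signature first, then the claim, as one base64url string.
	return base64.RawURLEncoding.EncodeToString(append(ed25519.Sign(priv, body), body...)), nil
}

// Verify runs on B's phone, offline, against the issuer keys the app ships
// with. Nothing leaves the phone, so no server can log who was checked where.
func Verify(trusted map[string]ed25519.PublicKey, qr string) (Claim, error) {
	var c Claim
	raw, err := base64.RawURLEncoding.DecodeString(qr)
	if err != nil || len(raw) <= ed25519.SignatureSize {
		return c, errors.New("malformed QR payload")
	}
	sig, body := raw[:ed25519.SignatureSize], raw[ed25519.SignatureSize:]
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	// Signature over the exact signed bytes, with the key the claim names;
	// an unknown issuer fails the same way as a forgery.
	if pub, ok := trusted[c.Issuer]; !ok || !ed25519.Verify(pub, body, sig) {
		return Claim{}, errors.New("unknown issuer or bad signature")
	}
	return c, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPhoto encrypts the photo taken at vaccination under a fresh AES-256-GCM
// key. Only the ciphertext is stored centrally; the key goes into the QR code.
func SealPhoto(photo []byte) (key, sealed []byte, err error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, photo, nil), nil // nonce || ciphertext || tag
}

// OpenPhoto decrypts with the key from the QR code. A wrong key or a tampered
// ciphertext fails GCM authentication instead of yielding a garbage image.
func OpenPhoto(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"centre-42": pub} // hypothetical key id
	qr, _ := Issue(priv, Claim{Issuer: "centre-42", IDNumber: "X1234567"}) // Option 1
	c, err := Verify(trusted, qr)
	key, sealed, _ := SealPhoto([]byte("constructed stand-in for JPEG bytes")) // Option 2
	qr2, _ := Issue(priv, Claim{Issuer: "centre-42", PhotoKey: key, PhotoRef: "photo-0001"})
	c2, _ := Verify(trusted, qr2)
	photo, err2 := OpenPhoto(c2.PhotoKey, sealed)
	fmt.Println(len(qr), "characters;", c.IDNumber, err, "|", string(photo), err2)
}
```

Verify needs nothing but the issuer public keys preloaded into the app, so it works offline, and a forged, tampered or unknown-issuer payload yields an error rather than a partially trusted claim. The Option 1 payload above comes out at 132 characters, which fits a QR code of version 6 to 8 (41×41 to 49×49 modules, depending on the error-correction level) rather than the 85×85-module code on the Ubirch card.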
Where in your solution is the blockchain‽
There are few problems which can be solved more easily or better using a blockchain. Vaccination Certificates are not one of them.
What does a Blockchain actually do? I’ll provide much more information another time, but here’s the gist:
- Prevents multiple submission of the same piece of data (e.g., double-spending of funds). This is the most complicated aspect. If you do not need it (as in this use case), the problem will be orders of magnitude simpler.
- Enforces consensus between mutually distrusting parties. This again is hard and again we do not need it here, greatly reducing problem complexity again.
- Protects against later alterations. This is the easiest property to provide; libraries have been offering such services for ages. If this is all you need, you probably do not need a blockchain. Unless you do not trust your service provider. However, in the Ubirch case, verification always goes through exactly this service provider. Chicken and egg.
Steering clear of blockchains, however, brings a lot of advantages: it avoids complexity, sources of error, latency, and unnecessary data collection. Additionally, if data should turn out to be obviously wrong, blockchains adamantly prohibit correcting or even deleting these mistakes. And don't get me started on the complexity of maintaining any coherent properties across five different blockchains.
Getting rid of blockchain complexity and restrictions thus allows us to create a system which is easier to understand and follow, thereby improving transparency and simplicity, probably the most desirable aspects of such a system. Decision makers are rarely interested in such properties, as they are not on the buzzword bingo cards, unlike “blockchain”.
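To show how little the third property needs, here is tamper evidence on its own, as an added example written for this edit (not code from the page, from Ubirch, or from the author): a hash-chained append-only log whose latest head the provider publishes or signs. It assumes SHA-256 and constructed sample records; there is no double-spend check and no consensus, because neither is needed here.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Entry is one record of an append-only log: its payload plus the hash of
// everything that came before it. Changing, removing or reordering any
// earlier entry changes every later hash, so a single published head hash
// commits to the whole history. That is all "protects against later
// alterations" requires.
type Entry struct {
	Prev [32]byte // hash of the previous entry (all zero for the first)
	Data []byte
}

func hashEntry(e Entry) [32]byte {
	h := sha256.New()
	h.Write(e.Prev[:]) // fixed length, so no framing ambiguity with Data
	h.Write(e.Data)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Log is the provider's side: it appends records and publishes Head.
type Log struct {
	Entries []Entry
	Head    [32]byte // hash of the latest entry; sign or publish this
}

// Append links a new record to the current head and returns the new head.
func (l *Log) Append(data []byte) [32]byte {
	e := Entry{Prev: l.Head, Data: data}
	l.Entries = append(l.Entries, e)
	l.Head = hashEntry(e)
	return l.Head
}

// VerifyChain is the auditor's side: recompute the chain from the first
// entry and check that it ends at the head the provider committed to.
func VerifyChain(entries []Entry, head [32]byte) bool {
	var prev [32]byte
	for _, e := range entries {
		if e.Prev != prev {
			return false
		}
		prev = hashEntry(e)
	}
	return prev == head
}

func main() {
	var l Log
	for _, rec := range []string{"cert-1", "cert-2", "cert-3"} { // constructed records
		l.Append([]byte(rec))
	}
	fmt.Println("intact:", VerifyChain(l.Entries, l.Head))
	l.Entries[1].Data = []byte("cert-X") // rewrite history after the head was published
	fmt.Println("after tampering:", VerifyChain(l.Entries, l.Head))
}
```

The one thing this does not give you is protection against the provider replacing the entire log together with its head; that is what the "unless you do not trust your service provider" caveat is about, and it is addressed by publishing the head out of band or having it signed, not by adding four more blockchains.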
In the real world, the amount of hype in a product description often is inversely proportional to the product’s real-life properties.
If the Vaccination Certificate had been designed for data minimization and simplicity, the results would have looked much better. After decades of data protection laws and years of GDPR, it remains a mystery why new designs still do not follow through.
I still do not understand why Vaccination Certificates should be used to split humanity into two groups. Either vaccination is declared compulsory (potentially with clearly defined exceptions) or the focus is on convincing people of its usefulness, so they get vaccinated voluntarily. The creation of such a system, at such cost and with such a short service life, seems too large a price to pay for the lack of courage of our politicians.
Please, dear politicians and civil servants in charge, help to prevent this from turning into a multi-billion flash in the pan. Either avoid it entirely or use it as a building block of a system which clearly benefits individuals. If deliberations similar to the ones above are applied to important documents, and the sovereignty of individuals over their data is given top priority, then together we can manage digital transformation.
Maybe it is not the digital transformation asked for by the corporations. For a change, one might even consider listening to the desires of the population at large. What a dream come true!