Decoding California's New Digital Vaccine Records and Potential Dangers

The State of California recently released what it calls a “Digital COVID-19 Vaccine Record.” It is part of that state’s recent easing of public health rules on masking within businesses. California’s new Record is a QR code that contains the same information as is on our paper vaccine cards, including name and birth date. We all want to return to normal freedom of movement while keeping our communities safe. But we have two concerns with this plan:

First, with minimal effort, businesses could use the information in the vaccination record to track the time and place of our comings and goings, pool that information with other businesses, and sell these dossiers of our movements to the government. We shouldn’t have to submit to a new surveillance technology that threatens pervasive tracking of our movements in public places to return to normal life.

Second, we’re concerned that the Digital Vaccine Record might become something that enables a system of Digital Vaccine Bouncers that limit access to life’s necessities and amplify inequities for people who legitimately cannot get a vaccine. It’s good that California has not, at least so far, created any infrastructure to make it easy to turn vaccination status into a surveillance system that magnifies inequities.

We do not object per se to another feature of California’s new Digital Vaccine Record: the display on one’s phone screen, in human-readable form, of the information on one’s paper vaccine card. Some people may find this to be a helpful way to store their vaccine card and present it to businesses. Unlike a QR code, such a digital record system does not readily lend itself to the automated collection, retention, use, and sharing of our personal information. In terms of fraud, there are laws in place where it is a crime to present a false vaccination record already, but there is little accountability for our data.

To better understand what California has done, and why we have objections to including a digital personal health record used for screening at all manner of places, we’ll need to go over a brief summary of the state’s new public health rules, and then take a deep dive into the technology.

What Did California Do?

In mid-June, California announced a change to the state’s rules on masking in public places: businesses may now allow fully vaccinated people to forego masks. But, businesses must continue to require unvaccinated people to wear masks. To comply with these rules there are three options: require all customers to wear a mask; rely on an honor system; or implement a vaccine verification system.

Soon after, California rolled out its Digital Vaccine Record. This is intended to be a vaccine verification system that businesses may use to distinguish vaccinated from unvaccinated customers for purposes of masking. The Record builds on SMART Health Cards. California enables vaccinated people to obtain their digital Record through a web portal.

The new Record displays two sets of information. First, it shows the same information as a paper vaccine card: name, date of birth, date of vaccinations, and vaccine manufacturer. Second, it has a QR code that makes the same facts readable by a QR scanner. According to Reuters, an unnamed nonprofit group will soon launch an app that businesses can use to scan these QR codes.

So, What Does the Digital Vaccine Record QR Code Entail?

EFF looked under the hood. We generated a QR code based on this walkthrough for SMART Health Cards. Others might also use the project’s developer portal to generate a QR code. When we used a QR scanner on the QR code we generated, we revealed this blob of text:

shc:/56762909524320603460292437404460312229595326546034602925407728043360287028647167452228092863336138625905562441275342672632614007524325773663400334404163424036744177447455265942526337643363675944416729410324605736010641293361123274243503696800275229652…[shortened for brevity]

Okay, What Does That Mean?

Starting with the shc:/, that is the scheme for the SMART Health Cards framework based on W3C Verifiable Credentials. That framework is an open standard to share claims over health information about an individual as issued by an institution, such as a doctor’s office or state immunization registry.

What Are the Rest of Those Numbers?

They are a JSON Web Signature (JWS or AKA a signed JSON Web Token). This is a form of transmittable content secured with digital signatures. A JWS has three parts: header, payload, and signature.

Notably, this is encoded and not encrypted data. Encoding data formats it in a way that is easily transmitted using a common format. For example, the symbol “?” in ASCII encoding would be the “63” decimal value. By itself, 63 just looks like a number. But if you knew this was an ASCII code, you would be able to easily decode it back to a question mark. In this case, the JWS encoded payload (via base64URL encoding) is minified (white space removed), compressed, and signed according to specifications by a health authority. Encrypted data, on the other hand, is unreadable except to a person who knows how to decrypt it back into a readable form. Since this record is created to be read by anyone, it can’t be encrypted.

After decoding, you will get something that looks like this:

[Split up with headers for readability]

Signature

eyJ6aXAiOiJERUYiLCJhbGciOiJFUzI1NiIsImtpZCI6IlNjSkh2eEVHbWpGMjU4aXFzQlU0OUVlWUQwVzYwdGhWalRmNlphYVpJV0EifQ.3VJNj9MwEP0rq-HaJnEKt…[shortened for brevity]

Header

{"zip":"DEF","alg":"ES256","kid":"ScJHvxEGmjF258iqsBU49EeYD0W60thVjTf6ZaaZIWA"}

Payload

{"iss":"https://smarthealth.cards/examples/issuer","nbf":1620992383.218,"vc":{"@context":["https://www.w3.org/2018/credentials/v1"],"type":["VerifiableCredential","https://smarthealth.cards#health-card","https://smarthealth.cards#immunization","https://smarthealth.cards#covid19"],"credentialSubject":{"fhirVersion":"4.0.1","fhirBundle":{"resourceType":"Bundle","type":"collection","entry":[{"fullUrl":"resource:0","resource":{"resourceType":"Patient","name":[{"family":"Anyperson","given":["John","B."]}],"birthDate":"1951-01-20"}},{"fullUrl":"resource:1","resource":{"resourceType":"Immunization","status":"completed","vaccineCode":{"coding":[{"system":"http://hl7.org/fhir/sid/cvx","code":"207"}]},"patient":{"reference":"resource:0"},"occurrenceDateTime":"2021-01-01","performer":[{"actor":{"display":"ABC General Hospital"}}],"lotNumber":"0000001"}},{"fullUrl":"resource:2","resource":{"resourceType":"Immunization","status":"completed","vaccineCode":{"coding":[{"system":"http://hl7.org/fhir/sid/cvx","code":"207"}]},"patient":{"reference":"resource:0"},"occurrenceDateTime":"2021-01-29","performer":[{"actor":{"display":"ABC General Hospital"}}],"lotNumber":"0000007"}}]}}}}

In the payload displayed immediately above, you now can see the plaintext of the blob we originally saw upon the scan of the QR code we generated. It includes immunization status, where the vaccination occurred, date of birth, when the vaccination occurred, and the lot number for the vaccine batch. Basically, this is all the information that would be on your paper CDC card.

Can Someone Forge a QR-based Digital Vaccine Record?

Anyone can “issue” a digital health card. You can create one with a little programming knowledge, as just explained. Like the one immediately below, which is associated with blobs of data above.

Suppose you lost your QR Code and had the decoded information saved somewhere. For example, if you had scanned the QR code to an SHC validator app, you could recreate another QR code from the decoded information. There are walk-throughs available that explain how to create and validate QR codes.

California places some limits on access and generation of QR codes in its new Digital Vaccine Record. For example, these QR codes must be tied to either the email address or phone number of the individual who received the vaccine. Also, when a person requests a Record with a QR code, the California system generates a URL through which that person can access their Record, then that URL expires after 24 hours.

California has not identified other security and anti-forgery features. The only encryption or secure transfer is the public health authority signing the record with their private key. The QR code itself is not encrypted; someone who plans to use it should be aware of that. As to forgery risk, since anyone can make a QR code like the one discussed above, it is up to the operator of the QR scanner to check the public key of the signed data to make sure it is from a valid public health authority.

How Can This Hurt Us?

Context Switching for Data

Even though the Digital Vaccine Record’s QR code is a digital mirror to your CDC card (plus the authority’s signature), the companies that process your Record can change the context of protection and use. For example, CLEAR Health Pass allows you to record your health QR code into their app. With companies like CLEAR that plan to become our digital wallets, we have to consider the risks that come with storing your health credentials with others.

You also run the risk that the scanned set of data will get stored, shared, and used in an unexpected or even nefarious way. For example, some bars scan IDs at the door to ensure patrons are 21–and also collect the information on the ID and share it with other bars. If a scanner can quickly check a simple fact on a barcode or QR code (like years since birth or vaccination status), it can also store that fact,as well as all other information embedded in the code (like name and date of birth), and surrounding data (like time and location). In this case, just as a doorkeeper generally will not copy the information on your paper vaccination card, a doorkeeper should not copy the information on your digital vaccination card. Yet no laws in California currently dictate that point to those who are scanning these health QR Codes. It is also unclear what the “official” verifying app will do and what privacy safeguards it will have.

Likewise, while California apparently intends to allow businesses to use these Records to require unvaccinated patrons to wear a mask, nothing stops businesses from also using these Records to deny admission to unvaccinated patrons. At that point, these Records would become digital vaccine bouncers, which EFF opposes.

National Identification Footholds

With no federal data privacy law, we must assume that when companies process our data, no matter how benign the information or purpose may seem, they will take it down the most exploitative road possible.

The QR code in California’s Digital Vaccine Record is a digital identity platform with more data, which can become part of the groundwork for National ID systems. EFF has long opposed such systems, which in one central government repository would store all manner of information about our activities. EFF raised this concern last year when opposing “vaccine passports.” We are now seeing these discussions occur in NY State with the Excelsior Pass and in the U.K., where the company the government hired to help create a vaccine passport has suggested redeploying such infrastructure into a national identification system. With no federal data privacy law, we must assume that when companies process our data, no matter how benign the information or purpose may seem, they will take it down the most exploitative road possible.

Bottom Line for Digital Vaccine Records

California’s approach is more welcome than state-sponsored vaccine passports. Users don’t need to download an app, as in New York State. It’s comfortable knowing that if something happened to your paper card, you can access a digital copy. The open standard allows independent study to understand what is in that QR Code, which helps to ensure that users know the potential risks and scenarios that can happen with their health data.

Still, we wish California had skipped the QR code. Also, we want more safeguards set, similar to those in the current bill in the NY State Senate that protects COVID-19 related health data, along with any sort of data processing expansion that is occuring due to this pandemic. Establishing data protections now, when we are in crisis, would help ensure privacy in future use of such technologies, during healthier times and in any future health crisis.