Digital Health

Covid-19: How does the digital vaccination card work?  

The "digital vaccination card" is coming - but the planned "CovPass" is much more than a digital counterpart to the old yellow booklet. Thanks to the EU, not only the vaccinated but also the tested and recovered will benefit. 

Not much is happening without the letter G (for "genesen" means "recovered" in German) at the moment: a cappuccino served in a café, a film on the big screen, a workout in the gym, a trip to the sun? None of it works without one of the three Gs - tested, recovered or vaccinated ("getested", "genesen" or "geimpft"). As more and more citizens are the latter and can claim Corona looseness, one question comes to the fore: how do they prove the appropriate status (popularly known as "vaccinated through")? The answer: with a forgery-proof, digital vaccination card. The so-called "CovPass" is not only intended to replace or supplement the yellow (sometimes also white or red), often somewhat worn-out paper booklet. With its help, citizens should, for example, also regain the right to move around the EU without border controls, which was restricted in response to the pandemic. 

But first things first: The digital vaccination passport has been discussed for at least as long as the pros and cons of Moderna versus AstraZeneca or the change from lock-down to relaxation. This much is now certain: the CovPass, which was developed under the leadership of IBM for the Robert Koch Institute (RKI), is an app. It is to be published "in the first half of the year" (i.e. by the end of June at the latest); once as a new function in the well-known Corona warning app, but also as a stand-alone smartphone app. 

CovPass: More than just proof of vaccination

The name "CovPass" already gives a hint that the app can do more than just document that and with what people have been vaccinated against Covid-19. In addition, it is also supposed to prove whether someone has recently tested negative for the coronavirus or has already recovered from a covid illness. This extra functionality was not initially foreseen. The Federal Ministry of Health had to extend the original development contract because the EU had in the meantime decided that negative tests and survived infections should also be recorded. However, it is still unclear whether these "add-ons" will be available by the end of June. For the vaccination certificate, however, the creators are confident that this will happen on time. 

But how do the Corona vaccinations end up on the smartphone? The way is via a QR code. The information about the two syringes (or one, in the case of Johnson & Johnson), signed as valid with a crypto key, is stored on the verification sheet in the form of such a code. Vaccinated people can then scan this code using the smartphone camera and save it in the new CovPass app or the old Corona warning app. Keyword "vaccinated through": The QR code can only be displayed when 14 days have passed since the last vaccination. 

Sounds simple, but there's a big catch: what happens to those tens of millions of people who were vaccinated (twice) even before the QR code is/was common practice? Answer: Once their data has been collected, they should receive the code by post. The rest - according to considerations - could present the vaccination card or the vaccination documents, for example, in pharmacies, vaccination centres or surgeries, where the digital document is to be generated or printed out via a secure online connection. However, doctors and pharmacists do not think much of this (so far). 

QR code as door opener

The QR code (whether on paper or in the app) serves as a door opener. If it is scanned in a theatre, restaurant or museum, the name, date of birth and a status are displayed. The latter can be green or red. Green means vaccinated, recovered or tested, red the opposite. To avoid secretly using someone else's CovPass, you will also have to show your ID. The app is supposed to work for several people, so that parents, for example, can also store proof of identity for their children there.

Of course, Corona apps have higher data protection requirements. We are talking about very sensitive data. This also applies to the CovPass app, which, however, cannot function completely anonymously. After all, the aim is to prove the vaccination or health status of a specific person. On this topic, the RKI refers on the one hand to the local data storage of the CovPass app. This means that the complete vaccination data is permanently stored only on one's own smartphone. The QR code, which is protected with a strong signature and cannot be falsified, also only contains the minimum data set according to EU specifications. 

Public key instead of blockchain

Initially, there were plans to use blockchains to ensure that the digital vaccination certificate would be forgery-proof. However, this approach was discarded. One reason: the technology was not provided for in the EU specifications for digital proof of vaccination mentioned above. In addition, the CovPass does not rely on central storage of the vaccination certificates, which is why it is not necessary to anchor them or the information on the certificates in a blockchain. Instead - as with the digital signature - a conventional public key infrastructure procedure is used.

If the CovPass is actually available, the German government will have done its homework as set by the EU. Right from the start, Brussels attached importance to the fact that this certificate should not discriminate - and therefore not come across as a classic vaccination card. Therefore, it should not only facilitate travel for those who have been vaccinated, but also for those who have been tested and have recovered. The 27 EU countries will accept the solutions of the other countries (i.e. the various counterparts to the local CovPass) as proof from 1 July onwards. It remains to be seen whether all this will actually work out or be regulated in the remaining weeks until the deadline. The countries have negotiated a transitional period of six weeks during which they are not yet obliged to issue their respective certificates. By mid-August at the latest, this should be the case everywhere. At least that is the plan. Otherwise, the old booklet will have to be used again. 

Text: Jochen Schuster