Vaccine passports, crucial to managing the pandemic, have led to a rapid advance in digital health technology. The Commissioner for Justice, Didier Reynders said in a statement that they allowed freedom of movement during the pandemic: “Without this extension, we risk having many divergent national systems, and all the confusion and obstacles that this would cause.” 

The EU views the Digital COVID Certificate (EUDCC) as a success, but for software developers, the story is more nuanced according to Matthew Comb, a doctoral student doing research on digital identity at the University of Oxford. The EUDCC, which has been adopted by 27 EU states and 18 other countries, uses barcodes in the certificates which are not encrypted, Comb warns, making them vulnerable to cybercrime and abuse.  

Potential target

For decades, coders have been striving to develop a common approach to digital identity, which would let users verify their identity without providing extraneous personal details or even their name. The need for a COVID certificate arose just a little too early, Comb explains to Healthcare IT News: “If this had happened maybe two or three years later the infrastructure would have been in place.”

The EU’s certificate program deploys cryptographic key pairs – random characters in no particular order – to digitally sign users’ data in order to later prove the data is authentic. The regional certifying authority signs the certificate with a private key. To verify that data, the barcode readers we see in airlines and restaurants use a public key, one that is in the public domain.

Encryption — the process needed to protect people’s information — would use a shared, public key to encrypt and then a private key to decrypt data to make it readable when necessary. But using a private key in the public domain would make no sense because it could be easily acquired or stolen. As a result, the barcodes in the certificates are simply not encrypted.

As things are, someone could steal the information simply by peering over a person’s shoulder and taking a photo of the barcode. If criminals hacked a terminal used to allow people to enter a bar, they could siphon off data from thousands of customers, getting access to names, dates of birth, vaccine status and location.

One solution would be to develop temporary keys that would activate when a person presented their credentials, Comb says. But in the meantime, an infrastructure to manage the necessary key pairs is absent. Comb, who has been chief technologist at a number of multinational companies, continues: “We’ve never done this before on a large scale, we don’t have the infrastructure in place to handle encryption keys, relative to a person's digital identity, in a distributed environment because we have not reached an agreement on the standardised approach to manage the keys involved.”

A neater proof of ID

Certain requirements of the EUDCC made it harder to protect — the fact that it must operate offline ruled out solutions relying on secure servers. Digital identity experts are working on a technology that would use blockchain, but this is still at too early a stage for implementation in the COVID certificates, according to Comb.

Still, he says: “Digital identity advancement has definitely accelerated because of COVID.” The certificates are, “one of the first, certainly the widest implemented credential we’ve seen.”

In the future, we may need to provide less information about ourselves in order to prove who we are, a shift that would facilitate online dealings in citizenship, banking and shopping and healthcare.