e-Vaccination Certificates: Could Blockchain be the cure?

All around the world, massive vaccination campaigns have started and are being rolled out. As more and more people are getting vaccinated, a wide spectrum of options is being explored to return to “normality”. One of many scenarios is to distinguish between vaccinated and non-vaccinated persons in the services offered by private companies.

The means to distinguish between the vaccinated and non-vaccinated are, by most accounts, going to be e-Vaccination certificates. However, an intense public debate about the pros and cons of these certificates has begun. Proponents underline the efficient and transparent use of such certificates, while opponents point out the significant risk of data breaches and their potential consequences.

This article will examine how the Blockchain could serve as the desperately sought-after solution to secure e-Vaccination certificates and bring a conciliatory relief to the heated public debate.

E-Vaccination certificates: A great idea, a complicated realization

In theory, e-Vaccination certificates are a great idea. It would be delightful if we all received our personal e-vaccination certificates and digital vaccination passports soon! After all, it is 2021. In our digital age one wonders why we are still using paper-based vaccination passports. Doctors would profit from the ability to see a patient’s vaccination history at a single glance; all of us would benefit when travelling and crossing borders or in case of emergencies.

Yet, when it comes to the topic of digital data, and health data in particular, the aspects of security and privacy are of utmost importance and reign supreme.

In recent years and months, we have witnessed a staggering growth in cybersecurity attacks and cybercrime. No organisation or corporation is fully safe from such attacks, it seems. A study by the University of Maryland concludes that there is a cyber attack every 39 seconds [1]. In the field of healthcare, the HIPAA Journal [2] shows that in September 2020 alone, 9.7 million data records were compromised in the course of cyberattacks.

The FireEye M-Trends Report 2021 [3] lists more than 1900 hacker groups, among them 41 APT (Advanced Persistent Threat) groups. APT groups are highly professional and usually state-sponsored. One of those groups is probably responsible for the SolarWinds hack early this year, which affected hundreds of companies, including the US Treasury, Commerce, State, Energy and Homeland Security departments [4].

These numbers alone should raise legitimate doubts as to whether governments or anyone else can really protect our data. However, let’s consider another hack that happened earlier this year, the famous Microsoft Exchange hack. Brian Krebs, an esteemed American cybersecurity expert and author, titled his blog post: “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software” [5]. Yet it was not just American organizations: the European Banking Authority [6], for example, and thousands of other organizations and firms around the globe were affected by this vulnerability.

These were merely the two biggest security breaches in Q1 2021. With a little research, you could find dozens of additional examples of data breaches that have already occurred this year. Would you like to check if your data might have been affected? Check the website haveibeenpwned <https://haveibeenpwned.com/>. The website lists data breaches and allows you to check if your phone number or email address was affected by a breach.

But why does it even matter? After all, many people say they have got “nothing to hide”.

This argument is easily refuted if we take a look at the serious consequences data breaches can have. The question should not be what someone wants to hide, but what they want to protect!

Breaches can result in identity theft, hacked accounts, financial damage, personal damage, reputational damage, and the list goes on. It is also important to note that, usually, a social security number, a birthdate and a name are already enough to obtain much more information about a person. They can serve as the starting point for all the aforementioned types of damage. If you are interested in reading a few such “horror stories” of data breaches and the horrendous consequences they had for individuals, you can check the website “IdentityForce”, which features actual stories from real cases of identity theft [7].

What does all this mean? In short, health data and other sensitive data are extremely precious, no matter the individual. Yet they are also extremely hard to protect and keep safe.

If e-Vaccination certificates are to be rolled out on a national, regional, or even global scale, then we are also faced with a seemingly insurmountable obstacle: securing and protecting every person’s health data from security breaches and the potential for theft and abuse. Yet, is there a way in which we could solve these security issues?

The good news is: Yes, indeed! The solution is e-Vaccination certificates issued on the Blockchain!

More specifically, e-Vaccination certificates on the Blockchain can be issued using so-called “self-sovereign identity” solutions. A self-sovereign identity (SSI) is an identity you own, and it allows you to control who is allowed to see which part of your data. So, you can show your name and your vaccination status to an officer, or you show only the vaccination status at an event you want to attend without exposing other data such as your address or your name. SSIs are private, under your control, secured by cryptography and tamper-proof. The data of each identity is secured by cryptography separately, which means that a potential attacker has to break each individual identity on the blockchain instead of just one server that may hold millions of data records.

SSIs increase the user’s privacy significantly, as they allow the following two crucial options, illustrated here with a bar visit and with showing an e-Vaccination certificate:

  • Selective Disclosure: A person can show what kind of vaccination they received, without exposing other data such as their social security number. Or, if they go to a bar, they can show their picture and their birthdate to the bartender without revealing their name.
  • Zero Knowledge Proof: A user can prove that they have been vaccinated against COVID without showing the vaccination certificate. Or, if they go to a bar, they can prove that they are older than 18 without revealing their birthdate.
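To make the selective-disclosure idea concrete, here is a small Python model of a vaccination credential, added as an example (it is not code from the original article or from any real SSI product). The issuer commits to every attribute separately with a salted SHA-256 hash, signs the set of commitments once, and the holder later reveals only the attributes a given verifier needs; everything else reaches the verifier only as opaque commitments. Two simplifications are assumptions of this example: an HMAC under a constructed key (`ISSUER_KEY`) stands in for the issuer's real digital signature, and the age predicate is an issuer-derived `over_18` attribute rather than a cryptographic zero-knowledge proof, which is what anonymous-credential schemes use to prove “older than 18” directly from the birthdate. The sample attributes are constructed.

```python
# Added example (not from the original article): a toy self-sovereign credential
# with selective disclosure. Issuer commits to each attribute, signs the
# commitment set once; holder reveals only what a verifier needs.
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key. In a real SSI deployment the
# issuer holds a private key and verifiers fetch the matching public key from
# the ledger; an HMAC keeps this example dependency-free.
ISSUER_KEY = hashlib.sha256(b"demo-health-authority-key").digest()


def commit(name: str, value, salt: bytes) -> str:
    """Salted commitment to one attribute. The salt matters: a birthdate or a
    yes/no flag has so little entropy that an unsalted hash could be brute-forced."""
    data = json.dumps([name, value], separators=(",", ":")).encode() + salt
    return hashlib.sha256(data).hexdigest()


def sign_commitments(commitments: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer 'signature' over the whole commitment set (HMAC as a stand-in)."""
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_credential(attributes: dict, key: bytes = ISSUER_KEY) -> dict:
    """Issuer side: one fresh salt per attribute, one signature over all
    commitments. The plaintext lives only in the holder's wallet; the issuer
    keeps no central database of it."""
    salts = {k: secrets.token_bytes(16) for k in attributes}
    commitments = {k: commit(k, attributes[k], salts[k]) for k in attributes}
    return {
        "attributes": attributes,
        "salts": salts,
        "commitments": commitments,
        "signature": sign_commitments(commitments, key),
    }


def present(credential: dict, disclose: list) -> dict:
    """Holder side: build a presentation that opens only the attributes in
    `disclose`. Everything else is sent as an opaque commitment."""
    return {
        "commitments": credential["commitments"],
        "signature": credential["signature"],
        "disclosed": {
            k: {"value": credential["attributes"][k], "salt": credential["salts"][k].hex()}
            for k in disclose
        },
    }


def verify_presentation(presentation: dict, key: bytes = ISSUER_KEY):
    """Verifier side: check the issuer signature over the commitment set, then
    check that each disclosed value really opens its commitment. Returns the
    verified attributes, or None if the signature or any opening fails."""
    expected = sign_commitments(presentation["commitments"], key)
    if not hmac.compare_digest(expected, presentation["signature"]):
        return None
    verified = {}
    for name, opening in presentation["disclosed"].items():
        committed = presentation["commitments"].get(name)
        if committed is None:
            return None
        recomputed = commit(name, opening["value"], bytes.fromhex(opening["salt"]))
        if not hmac.compare_digest(recomputed, committed):
            return None
        verified[name] = opening["value"]
    return verified


# Constructed sample data for a single holder.
SAMPLE_ATTRIBUTES = {
    "name": "Jane Example",
    "birthdate": "1990-04-12",
    "social_security_number": "000-00-0000",
    "vaccine": "COVID-19, dose 2 of 2",
    "over_18": True,  # derived by the issuer so it can be shown without the birthdate
}


def demo():
    cred = issue_credential(SAMPLE_ATTRIBUTES)
    event = present(cred, ["vaccine"])   # event entrance: vaccination status only
    bar = present(cred, ["over_18"])     # bar: age predicate, no birthdate
    return verify_presentation(event), verify_presentation(bar)


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the model is what the verifier never receives: the event organiser sees the vaccine attribute and a valid issuer signature, but neither the name nor the social security number, and it cannot brute-force the hidden commitments because each one carries its own random salt. Any edit to a disclosed value, or a presentation signed under a different issuer key, makes `verify_presentation` return None.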

SSIs have enormous potential, but they also have some downsides. The first downside is at the same time the biggest upside:

  • Responsibility: Users are responsible for their data! If they do not secure their private key, or are careless and share the data with anyone, then even the best solution won’t be of help. Unfortunately, it seems most people still don’t bother creating backups or worry about losing their password. In all honesty, who among us has never used the “forgot password” function?
  • Multiple Identities: As it is a digital identity, it would make sense for the EU member states to implement it together. After all, nobody wants to have 20 identities issued by 20 different organizations. This is in fact another advantage of an open system like blockchain: it allows others to implement solutions and extend it, which would not be possible in a centralized, controlled environment.

In conclusion, privacy is a human right, and it is important that each person’s privacy is guaranteed. Implementing a solution like a self-sovereign identity approach removes the single point of failure (the central server), creates an open, extensible environment, gives people back control of their data and helps to protect our data. While the implementation of such a solution is certainly not an easy undertaking, we are utterly convinced that e-Vaccination certificates are an excellent use case for this approach and are worth the effort.

This is particularly true if countries consider the restrictions non-vaccinated people would face. The current situation could serve as a big motivator for people to start using such a solution. Indeed, this would also create an incentive for people to become familiar with blockchain technology and the use of private keys and wallets. In fact, right in front of us, we have a tremendous opportunity to bring our digital world to the next level, and it is great to see that countries like Germany are already considering such a solution [8].

Author: Armin Reiter

[1]: Study — Hackers Attack Every 39 Seconds (University of Maryland): https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds

[2]: Healthcare Data Breaches 2020: https://www.hipaajournal.com/september-2020-healthcare-data-breach-report-9-7-million-records-compromised/

[3]: FireEye M-Trends 2021 Report: https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html

[4]: The Verge — White House now says 100 companies hit by SolarWinds hack, but more may be impacted: https://www.theverge.com/2021/2/18/22288961/solarwinds-hack-100-companies-9-federal-agencies

[5]: Krebs on Security — At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software: https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

[6]: European Banking Authority hit by Microsoft Exchange hack: https://www.bbc.com/news/technology-56321567

[7]: Real Identity Theft Stories: https://www.identityforce.com/blog/real-identity-theft-stories

[8]: IBM led consortium wins $3.2 million German Digital Health Passport contract: https://www.ledgerinsights.com/ibm-consortium-wins-german-digital-health-passport-contract-ubirch/