With over 3.5 billion doses of Covid vaccines administered globally so far (according to a WHO estimate dated 05 September), and many countries requiring citizens to show proof of inoculation to enter their territory or, in controversial cases, simply to get a morning coffee in a public place, how do governments implement the storage and authentication of such sensitive data?
The main issues at stake here are twofold. On one hand, regulators want to ensure that the proof given is authentic and still valid over time. With more and more talk about booster shots being necessary to ensure proper vaccine-induced immunity, this aspect might prove vital in the near future, as vital as it already is for PCR tests. Users, on the other hand, may be concerned about disclosing confidential health information to third parties in order to travel, dine or attend games, and about how secure this information is against manipulation, deletion, and/or unauthorized access. It is worth noting that the Department of Health and Human Services of the USA estimated that over 230 million digital health records were compromised in some way between 2009 and 2019. 230 million that they know of, we feel compelled to add…
But how does blockchain technology fit into the picture, you might ask? Well, as an immutable and encryption-based data system, it seems to answer the question at hand, and as a matter of fact, blockchain-based vaccine passes are already in place in quite a few countries. We’ve chosen to divide them into 3 categories: those that use a native blockchain or testnet, those that use one of the premade, enterprise-grade blockchain ecosystems, and China, the elephant in the ledger and current world champion in blockchain patents held.
The Node That Came From The Cold
Open your favorite map app and search for Estonia, a small Baltic state of 1.3 million inhabitants. The Estonian government started to investigate blockchain technology back in 2008, following a massive 2007 cyber attack on banking, news networks, and government servers. At the time, the digitalization of the country’s health care system was already underway under the supervision of the Estonian E-Health Foundation, and network security obviously became paramount. The first e-government service that actually used blockchain in production was the Succession Registry, as early as 2013. The health care system followed in 2016, based on the KSI (Keyless Signature Infrastructure) blockchain technology stack, built on zero-trust principles by local company Guardtime. This is an off-chain system: the ledger doesn’t hold the actual records but their metadata, and all data events (including access) are recorded by the KSI blockchain. Guardtime claims that its infrastructure offers a real-time picture of the record’s integrity, as well as intrinsic scalability, speed, and quantum computing proofing. VaccineGuard, the platform that produces the Covid vaccine certificates, went live on April 30, 2021.
Let’s move further East. Singapore was the first SE Asian country to roll out its vaccination campaign, on December 30, 2020. The inoculation is digitally certified by HealthCerts, an open standard powered by governmental agency GovTech and based on the Ethereum blockchain through the OpenAttestation framework. GovTech started engineering the SingPass Mobile app back in 2017. It is arguably the world’s most advanced attempt at a centralized, blockchain-based digital identity, with which users can retrieve a whole score of official documents stored on the chain, such as land certificates, educational diplomas and degrees, and now PCR test results and/or proof of vaccination.
Still further East, and still in SE Asia, let’s move to South Korea, whose COvid OVercome (COOV) app, launched last January, is powered by InfraBlockchain, created by Seoul company Blockchain Labs. The blockchain white paper states that it “introduces a new method of enterprise-oriented public/permissioned blockchain system design without issuing a native cryptocurrency minted by the blockchain itself.” Among the features of the chain are its patented Proof of Transaction consensus to select block producers, and fiat-based transaction fee tokens.
Now on to the second category, and the Americas. Former governor Cuomo announced the launch of the Excelsior Pass last March for New York State residents, an app that enables users to share their vaccination status or last PCR test results. It uses IBM’s Health Digital Pass, powered by the tech giant’s blockchain, which is built on top of Hyperledger Fabric, an open-source, permissioned, distributed ledger framework under the umbrella of the Hyperledger Project, started at the end of 2015 by the Linux Foundation. IBM’s system shares the off-chain concept used by Guardtime, in that the data itself stays with the vaccine certificate issuer. The system architecture doesn’t store any PII (Personally Identifiable Information) on the chain, only the vaccine issuer’s DID (Decentralized Identifier) and public key, which is checked against the user’s credentials in the app. IBM highlights the transparency of the open-source chain, and claims that its system is compliant with both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the EU’s GDPR (General Data Protection Regulation). In Colombia, the Vital Pass has just been adopted by the government and is recognized by IATA, as part of the Commontrust Network. It was created by Argentinian software company Koibanx and Peruvian health care provider foundation Auna Ideas. It is powered by Algorand, the permissionless brainchild of MIT professor Silvio Micali, which uses a combination of PoS (Proof of Stake) for block proposal and Byzantine Agreement for block finalization as consensus algorithms. South American news outlets generally predict that the pass will soon be adopted by other countries in the region.
Back to Europe again with a giant and the smallest landlocked republic in the world. The German Covid pass contract has been awarded to an IBM-led consortium that includes local IT company Bechtle and IoT/blockchain firm Ubirch. The Digitaler Impfnachweis (digital proof of vaccination) doesn’t seem to be a direct implementation of the tech giant’s turnkey Health Digital Pass, although the FAQ of the German federal agency Robert Koch Institute points to many similarities between the two concepts. San Marino is the smallest landlocked republic in the world, enclaved in Northeastern Italy, 160km (100mi) south of Venice. The state-owned Institute of Innovation partnered with VeChain and DNV to roll out a Covid pass that holds 2 QR codes, one that aligns with the EU’s GDPR, and a second one that is verifiable anywhere via an NFT registered on VeChainThor. VeChain was created in late 2016 as a subsidiary of Shanghai-based BitSE, then moved to Singapore and partnered with giant accounting firm PwC and Norwegian naval vessel register DNV. Mainly focused on supply chain management solutions, it started operating on the Ethereum blockchain before moving to its own mainnet, VeChainThor, in 2018. The chain runs on a Proof of Authority consensus and a dual token scheme that aims to keep transaction costs stable. VeChain was also chosen by 2 Cyprus hospitals to manage vaccine and PCR results certificates on its blockchain.
The Elephant In A China Shop: A Zero Trust Consensus?
Abstract: In 2019, Xi Jinping insisted on the importance for China of situating itself at the forefront of the blockchain industry. The next year, 2020, saw the launch of the Blockchain Service Network, “a cross-cloud, cross-portal, and cross-framework global public infrastructure network used to deploy and operate all types of blockchain distributed applications (DApps)”, as described on the BSN website. Three years before that, FISCO (the Financial Services Blockchain Consortium) launched the FISCO BCOS (Be Credible, Open & Secure) open-source blockchain platform. Among its founders we find Tencent, which was charged by the Shenzhen authorities with implementing the famous three-color health code scheme at the beginning of the Covid pandemic in early 2020, by way of its uber-popular app WeChat. Meanwhile, arch-rival Alibaba received the same assignment from the Hangzhou administration, and integrated it into Alipay, the app of its affiliate Ant Group. Ant Group launched Ant Blockchain (since rechristened Antchain) back in 2015, and the fintech currently offers 2 Blockchains as a Service, myChain and Hyperledger Fabric, along with Artificial Intelligence of Things (AIoT) services.
Does this mean that both companies have used blockchain tech in their health codes? We don’t know. What we do know is that the 2 competing regional codes were applied very quickly across all of mainland China and that Tencent/WeChat got the upper hand. The recently created Chinese international Covid pass is on WeChat. We also know that the Macau Special Administrative Region’s health code, created in May 2020, runs on top of the FISCO BCOS platform. The territory – reputedly the most densely populated place on earth – closed its borders in January 2020, cutting off its main revenue stream: tourists from the mainland. Months later, and with a Covid death count of zero, it was time to reopen for business. As Macau is a special administrative region, its health code is not integrated with the mainland’s; furthermore, local regulations forbid sharing the data contained in the code across jurisdictions, which augured nightmarish queues at customs to check visitors’ health status and keep the pandemic in check. To get over the hurdle, Macau signed a health code mutual recognition agreement with the neighboring Guangdong province, which is integrated into the mainland system, and started using the consortium blockchain of WeIdentity (owned by Tencent affiliate WeBank) to validate the tourist’s health status without actually accessing it. 17 million tourists were able to visit the gambling mecca during the first reopening month, at the end of September 2020.
This agnostic data authentication design, also used by Guardtime or IBM, clearly seems the path to follow to establish a better connection between distrustful parties, whether they be citizens and their government, or the Chinese mammoth and its rivals. We could argue that it is the whole point of using blockchain technologies for health certificates in the first place, and that without this particular design, what would be left is an overhyped, possibly inefficient, and costly database. The caveat? All the blockchain architectures discussed in this article are permissioned, except for the InfraBlockchain behind the Korean COOV, according to its website; hence some kind of trust in the governance model is required. Back to where we started? PoP, my friends. Because ultimately, the Proof is not in the Work, the Stake, or the Authority. The Proof is in the Pudding.
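The off-chain pattern that recurs in this article (the record stays with the issuer or holder, the ledger carries only metadata, and a verifier checks a certificate without the ledger ever seeing its content) is shown in the following added example. It is not code from Guardtime, IBM, WeIdentity or any other project named here; the toy hash-chained ledger, the salted SHA-256 commitment, the status strings and all sample values (including the `did:example` identifier) are assumptions constructed for illustration.

```python
import hashlib, json
from datetime import date

def canonical(obj: dict) -> bytes:
    # Stable serialization so issuer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def commitment(record: dict, salt: bytes) -> str:
    # Salted digest: low-entropy fields (name, birth date) cannot be guessed from the ledger.
    return hashlib.sha256(salt + canonical(record)).hexdigest()

class Ledger:
    """Toy append-only, hash-chained log: digests and metadata only, never PII."""
    FIELDS = ("issuer", "digest", "valid_until", "prev")
    def __init__(self):
        self.entries = []

    def anchor(self, issuer_did: str, digest: str, valid_until: str) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"issuer": issuer_did, "digest": digest, "valid_until": valid_until, "prev": prev}
        self.entries.append({**body, "entry_hash": hashlib.sha256(canonical(body)).hexdigest()})

    def chain_intact(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in self.FIELDS}
            if e["prev"] != prev or e["entry_hash"] != hashlib.sha256(canonical(body)).hexdigest():
                return False
            prev = e["entry_hash"]
        return True

def verify(ledger: Ledger, record: dict, salt: bytes, trusted_issuers: set, today: date) -> str:
    """Check a presented certificate against the ledger; the ledger never sees the record."""
    if not ledger.chain_intact():
        return "ledger-tampered"
    digest = commitment(record, salt)
    entry = next((e for e in ledger.entries if e["digest"] == digest), None)
    if entry is None:
        return "unknown-or-altered"      # never anchored, or edited after issuance
    if entry["issuer"] not in trusted_issuers:
        return "untrusted-issuer"
    if date.fromisoformat(entry["valid_until"]) < today:
        return "expired"                 # e.g. a booster or a new test is due
    return "valid"

# Constructed sample data (hypothetical person, vaccine name and issuer DID).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
RECORD = {"name": "Jane Example", "dob": "1980-01-01", "vaccine": "EXAMPLE-VAX", "doses": 2}
LEDGER = Ledger()
LEDGER.anchor("did:example:clinic-1", commitment(RECORD, SALT), "2022-06-30")
```

In this arrangement the salt travels with the holder's certificate, not on the ledger. The hash chain only makes edits to past entries evident; who is allowed to append entries is still the governance question raised above.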