Privacy Infra for Vax Codes: Safeguarding COVID Vaccine Verification

Open Austin is a volunteer citizen brigade affiliated with Code for America advocating for open government, open data, and civic application development. They previously held monthly meetups to work on community projects until COVID-19 forced them to suspend these events in March 2020.

Eager to safely bring back the in-person collaboration and brainstorming that were fundamental to the team’s work, they began developing a new open source project, VAX.Codes to provide a free and easy way for local event organizers and businesses to verify that someone received a COVID-19 vaccine.

VAX.Codes project lead, Daniel Roesler, joined our April 2021 Privacy_Infra() event to talk about how they built a privacy-first verification website that uses QR codes issued by an approved health organization. Scroll down to watch a recording of Daniel’s talk below, starting at 32:55.

If their meetups could resume once everyone is vaccinated, the team wanted to build a way for them to verify it without collecting sensitive health information.

Daniel started his talk by explaining that the goal of VAX.Codes is not to be used as a global or large scale solution like vaccine passports, but to give small local groups a free and easy resource. Additionally, organizers can use their own group of trusted verifiers from their community.

Before any engineering work began, Daniel explained, Open Austin set a number of core requirements for VAX.Codes including:

1. No touching Personally Identifiable Information (PII) so organizers don’t have to worry about health data regulations,

2. No maintenance requirements for organizations so they don’t have to manage scaling or security updates,

3. No dependence on government help to shield the project from federal or state level disruptions,

4. Minimal tech requirements to make the tool as equitable as possible, and

5. Relying on existing trust networks for code issuing so local communities can easily setup and use it.

Being privacy-first drove many of the project’s design decisions and all the project code is available on the project repository hosted on GitHub. Vax.Codes is a simple public key infrastructure system using a static website with a list of registered issuers and groups hardcoded into the static issuers API. All keyfile generation, QR code issuing, and QR code scanning are done entirely client-side in javascript, so no private key or QR code contents are ever passed to Open Austin servers. VAX.Codes doesn’t need a database or any record of who has been issued a QR code.

“All of the scanned codes and QR code content is actually contained within a URL fragment,” Daniel said. “So it never sends that information to the server, it just gets read locally by the javascript itself. Our servers never actually see any QR code content, we never see how many QR codes have even been generated by an issuer.”

Only the issuers of those QR codes know what’s in them and who they were issued to. As a result, VAX.codes never receives or stores any personal or health information about the individuals who’ve been issued QR codes.

According to Daniel, the project’s technical dependencies are standard for the types of projects involving QR codes and crypto-related systems.

“OpenPGP.js is what we use for the crypto on the client side and then a few QR code scanner libraries and generation libraries for the QR code functionality,” he said. “So it’s a very very simple project.”

Note: This post reflects information and opinions shared by speakers at Transcend’s ongoing privacy_infra() event series, which feature industry-wide tech talks highlighting new thinking in data privacy engineering every other month. If you’re working on solving universal privacy challenges and interested in speaking about it, submit a proposal here.