Open Austin is a volunteer citizen brigade affiliated with Code for America advocating for open government, open data, and civic application development. They previously held monthly meetups to work on community projects until COVID-19 forced them to suspend these events in March 2020.
Eager to safely bring back the in-person collaboration and brainstorming that were fundamental to the team’s work, they began developing a new open source project, VAX.Codes, to provide a free and easy way for local event organizers and businesses to verify that someone received a COVID-19 vaccine.
VAX.Codes project lead, Daniel Roesler, joined our April 2021 Privacy_Infra() event to talk about how they built a privacy-first verification website that uses QR codes issued by an approved health organization. Scroll down to watch a recording of Daniel’s talk below, starting at 32:55.
If their meetups were to resume once everyone is vaccinated, the team wanted a way to verify vaccination status without collecting sensitive health information.
Daniel started his talk by explaining that the goal of VAX.Codes is not to be used as a global or large-scale solution like vaccine passports, but to give small local groups a free and easy resource. Additionally, organizers can use their own group of trusted verifiers from their community.
Before any engineering work began, Daniel explained, Open Austin set a number of core requirements for VAX.Codes, including:
No touching Personally Identifiable Information (PII) so organizers don’t have to worry about health data regulations,
No maintenance requirements for organizations so they don’t have to manage scaling or security updates,
No dependence on government help to shield the project from federal or state level disruptions,
Minimal tech requirements to make the tool as equitable as possible, and
Relying on existing trust networks for code issuing so local communities can easily set up and use it.
Only the issuers of those QR codes know what’s in them and who they were issued to. As a result, VAX.Codes never receives or stores any personal or health information about the individuals who’ve been issued QR codes.
According to Daniel, the project’s technical dependencies are standard for the types of projects involving QR codes and crypto-related systems.
“OpenPGP.js is what we use for the crypto on the client side and then a few QR code scanner libraries and generation libraries for the QR code functionality,” he said. “So it’s a very very simple project.”
Watch Daniel’s full talk from Privacy_Infra() to learn more about how VAX.Codes works and how local organizers can use it for small events. His presentation starts at 32:55.
Note: This post reflects information and opinions shared by speakers at Transcend’s ongoing privacy_infra() event series, which features industry-wide tech talks highlighting new thinking in data privacy engineering every other month. If you’re working on solving universal privacy challenges and interested in speaking about it, submit a proposal here.