“Each of the states and territories are different with their requirements. They all have different apps and different health regulations, so we’re upgrading and building secure vaccination certificates that could be integrated to the state apps, if the individual wants to share it.”
Problems in expanding the functionality of the QR code check-in apps in use across the country have been raised in the mostly COVID-19-free states of Western Australia, Queensland, Tasmania and the territories. These jurisdictions use an app developed for the ACT government that has far fewer features than the NSW and Victorian apps.
The government claims citizens in those parts of the country will be able to download their certificate from the Medicare Express app or through MyGov and present their vaccination certificates separately.
It says a digital version of the federal immunisation certificate is being upgraded to ensure its security and to limit forgery, with holograms and other markers embedded in the certificate’s QR code being explored as a means of reliably linking the certificate to state identity and registration systems.
The two biggest states, NSW and Victoria, are working on a system where users can link their federal vaccination certificate to a “pouch” in their state service app.
However, tech experts spoken to by the Financial Review said this plan did not tally with the capabilities of the technology in use by the government.
‘Pack of insiders have made a decision’
While it may sound simple to add a vaccination certificate to any state-based check-in app via an application programming interface (API), this is not the case: the Commonwealth Australian Immunisation Register (AIR) is hosted on an old mainframe system, which makes extracting data a big challenge.
Developers are focusing on a verification system, possibly using tokens to verify name and date-of-birth against state-based registration systems.
“The core problem is that valid certificates aren’t verifiably valid and cannot be easily distinguished from fake certificates,” said Vanessa Teague, associate professor of cryptography at the Australian National University.
“I’m concerned that yet again we’re just turning our back on an international privacy preserving standard because a pack of insiders have made a decision without talking to anybody who understands the technology.”
The international privacy standard refers to a digital signature system being used by the European Union for its vaccine passport. It contains a QR code with a digital signature to protect it against forgery, making it a stronger proposition from a privacy perspective and easy to verify when people are entering venues like offices or pubs.
People crossing EU borders offer their QR code for scanning and the signature is verified through a service called the EU Gateway.
The centralised EU Gateway only checks whether the signature is correct and does not store vaccination data, meaning the individual is the owner of their data and can share it at their own discretion.
For this to work in Australia, the federal government would need to put a digital signature with a cryptographic key on to information coming out of the AIR, confirming that somebody had received their vaccinations on certain dates.
Installing these kinds of verifiable credentials increases the chances of verification across jurisdictions, in Australia and abroad, but is far from easy given the ageing technology involved.
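The signing model described above, sketched as an added example that is not code from the article, the EU system or the AIR: an issuer signs the vaccination record, and a verifier holding only the issuer's public key accepts genuine certificates and rejects edited ones without storing anything. Ed25519, the field names and the token layout are assumptions chosen for brevity.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Certificate struct { // constructed payload; field names are assumptions
	Name, DOB string
	Doses     []string // vaccination dates
}

var enc = base64.RawURLEncoding
// NewIssuerKey creates the issuer's key pair; verifiers only ever receive the public half.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(nil) }

// Issue signs the serialised record; the returned token is what the QR code would carry.
func Issue(priv ed25519.PrivateKey, c Certificate) string {
	payload, _ := json.Marshal(c)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload))
}

// Verify needs only the issuer's public key: no registry lookup, nothing stored.
func Verify(pub ed25519.PublicKey, token string) (c Certificate, ok bool) {
	p, s, found := strings.Cut(token, ".")
	payload, err1 := enc.DecodeString(p)
	sig, err2 := enc.DecodeString(s)
	if !found || err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return c, false
	}
	ok = json.Unmarshal(payload, &c) == nil
	return c, ok
}

// Tamper edits a name inside a genuine token but keeps the original signature.
func Tamper(token, oldName, newName string) string {
	p, sig, _ := strings.Cut(token, ".")
	raw, _ := enc.DecodeString(p)
	return enc.EncodeToString([]byte(strings.Replace(string(raw), oldName, newName, 1))) + "." + sig
}

func main() {
	pub, priv, _ := NewIssuerKey()
	token := Issue(priv, Certificate{"Alex Example", "1980-01-01", []string{"2021-06-01", "2021-08-24"}})
	_, genuine := Verify(pub, token)
	_, edited := Verify(pub, Tamper(token, "Alex", "Sam"))
	fmt.Println("genuine:", genuine, "edited:", edited)
}
```

A certificate signed with any key other than the issuer's fails the same check, which is what makes a genuine certificate distinguishable from a fake one.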
Australian technology companies and experts warned that the federal agencies that developed the unsuccessful COVIDSafe contact-tracing app, together with disparate state-based departments, are not the best option for getting a vaccine passport up and running properly and on time.
“We do not want eight apps plus one international solution,” said Joanne Cooper, chief executive of Australian Data Exchange, and member of the Good Health Pass Collective, a global initiative to create smooth, cross-border vaccination checks.
“This decentralised form of citizen-centric services is new and bleeding edge, but often governments lean on themselves to self-build, whereas there are technology companies that can help them through this maze.”
Despite the vaccine passports being needed in a matter of weeks, there is no decision about whether the government will partner with an external organisation to develop a national vaccination credentials system.
Software companies are also calling for access to AIR, so they can develop vaccination status integrations for workplaces. While check-in app integrations are crucial to reopening hospitality and retail venues, industries such as construction, manufacturing, education and aged care will face compliance requirements to manage employees’ vaccination and test status.
“The government already works with employers to share information about an employee’s salary, superannuation and taxation via payroll software solutions,” said Danny Lessem, chief executive of ASX-listed ELMO Software, an HR and payroll provider.
“It’s not too great a stretch of the imagination to think this type of information sharing could take place for an employee’s vaccination and test status, too.”
But as it stands, AIR does not have an individual connector, nor does it allow organisations to pull data from it, though teams within the government are working to enable flexibility with the vaccination data.
Michael Maher, chief executive of OnePassport, a credentialling software business that is also a member of the COVID-19 Credentials Initiative, said countries were struggling with how to make systems work together so that vaccination data would be in a format that all systems could use.
“It doesn’t matter how good your technology is if trying to pull data out of a filing cabinet,” he said.
Another unresolved problem with a vaccine passport is how to capture so-called “irregular” citizens who were vaccinated outside of Australia, and whose vaccination status is not recorded in the AIR.
“The government is currently ignoring the irregulars,” Mr Maher said.
“And they’re not looking at how to electronically connect to employers who need to manage their own workers with data held by the government, not by the company.”
Both Victoria and New South Wales are linking “freedoms” to people being fully vaccinated and claim they are working on a common plan with the federal government to resolve the issues.
“We recognise that technology is going to play a key role in guiding us to a world of fewer restrictions, and a more normal sort of post-COVID world,” Victorian Government Services Minister Danny Pearson told The Australian Financial Review.
“We are continuing to work away, to ensure that the citizen experience is enhanced, and to ensure that we continue to collaborate across the jurisdictions and with the Commonwealth to get the best outcome.
“Citizens want their governments to work together at this critical time and that’s exactly what we’re doing.”
NSW Digital Minister Victor Dominello, meanwhile, claimed that integrating a vaccine certificate with the existing ServiceNSW app will make things easier for customers and easier for businesses.
People without a state service account or the state app will need to access their vaccination certificate through the federal Express Plus Medicare platform.
Mr Dominello said he was keen to ensure travellers between states will be able to use their own state service check-in app and not have to register interstate.