The life and times of the Ontario vaccine passport QR code

Disclaimer

I am not an epidemiologist, nor do I work in healthcare or in government. My limited qualifications for writing any of this are that I live in Ontario, dislike pandemics, and know a bit about computers.

What is the point of the vaccine passport QR code, and what information are we giving up when we show it to someone?

I wanted to know more about the tech which underpins the Ontario vaccine passport and the information embedded in the QR code, so I looked into it. Spoiler alert: it’s reassuringly boring.

First things first: the QR code is important! It would be easy to assume that reading a printed vaccine certificate and visually comparing it with a valid government ID is as good as validating the QR code with the app. Why, after all, would you need an app to display words which are already printed on the piece of paper you’ve just been shown?

The problem here is that the QR code is the only thing on that piece of paper which can’t be forged in a few minutes by someone with intermediate Microsoft Office skills.

Unlike the human-readable text, the machine-readable QR code provides strong assurance that the contents are genuine. The information in the QR code is cryptographically signed in a way which anyone with the official app can verify. For that matter, so can anyone with a solid understanding of the underlying mechanism and some free time and a laptop.

The one thing here which really matters is that only the signing authority can sign that way, and no-one else can.

I started to wonder about the technology, frameworks, and organizations which underpin the Ontario enhanced vaccine certificate, and who has the ability to produce the digital signature in the QR code.

Yours To Discover

How is the QR code generated, and what does the Verify Ontario app actually do, anyway?

In Ontario, the QR code on the vaccine passport is a SMART Health Card. The site has a solid FAQ – which does an impressively thorough job of answering the sort of questions real people might have – but it’s not immediately clear who is behind SMART Health.

There’s no obvious “About Us” page that I could see. Worse, the General Inquiries button is a mailto: link, which was always rather a lacklustre way of introducing yourself, and is pure anachronism today. However, the site copyright is claimed by SMART Health IT and Boston Children’s Hospital, so let’s ask them.

Immediately, the SMART Health IT homepage does a much better job of introducing itself.

SMART Health IT was launched with a New England Journal of Medicine article proposing a universal API (application programming interface) to transform EHRs into platforms for substitutable iPhone-like apps.

With [US] federal investment, SMART on FHIR was developed as an open, free and standards-based API. Innovators use it to write an app once and have it run anywhere in the healthcare system.

smarthealthit.org

OK, so we’re looking at an open standard with an API. I will freely admit that this is more promising than what I originally imagined when the Ford government said they’d have this thing ready in 6 weeks.

If you’re anything like me, some of that alphabet soup will be new to you, so now is as good a time as any to learn a couple of new terms of art.

FHIR describes itself as “a standard for exchanging healthcare information electronically” which sets out that electronic health records must be available, discoverable, and understandable, and that the underlying data must also be structured and standardized.

Somewhat disappointingly for a specification which specifically praises itself for being a new design based on years of hard-won lessons, the FHIR website still serves plain, unsecured HTTP, but HTTPS is available, so hey.

Credit where credit is due, though. SMART is a major industry-wide effort, with significant US government backing, and widespread adoption by major players including Apple, Microsoft, and Google.

An Enhanced Health Record (EHR) is a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. That sounds like a lot more information than I’d want to hand over to a restaurant, but luckily what’s encoded in the QR code is very limited.

Key Party

Who issues/holds the private keys here? Ontario Health.

Wait, what’s Ontario Health?

Ontario Health is a Crown agency of the Government of Ontario that was established on June 6, 2019. Described as a “super agency”, Ontario Health will oversee much of the administration of the Ontario healthcare system, with the eventual goal of integrating services split between various agencies.

WP:Ontario Health (agency)

How super? Oh, pretty super. Anyway, Ontario Health is the provincial government’s effort, kicked off in 2019, to amalgamate various previous health agencies, and thus unlock vast savings, allegedly.

It’s encouraging that Ontario Health has published a Vulnerability Disclosure Policy for the Verify Ontario app, which actually appears to authorize and encourage sensible, non-destructive testing of the app and related services.

The Vulnerability Disclosure policy mentions something called ODS without explaining what ODS is, but that’s OK, we can google stuff. ODS is the Ontario Digital Service, an agency which in practical terms aims to help all parts of the provincial government deliver digital services.

ODS was brought into being by the Simpler, Faster, Better Services Act, which I haven’t looked into, but is probably something to do with open data, digital transformation, and/or Daft Punk.

How do I know it’s Ontario Health who’s signing these QR codes? A link to the public key is included in the signed payload. How do I know that? Read on!

What’s in the box?

Just what is encoded in the QR code on my vaccine passport? Not that much, really. Name, date of birth, and Covid-19 vaccine history.

In another “hey, maybe the government is actually getting this right” moment, it turns out that the Verify Ontario app is open source and on GitHub.

The SDK is available, and several third-party GitHub repos make use of it to provide independent verification. I chose to look at ON-vax-decoder by @aleksessex, associate professor of software engineering at Western University in London, Ontario, who heads up the Whisper Lab cybersecurity research group there.

I cloned the repo, and then had a quick read of the 70 lines of on_vax_decode.py to satisfy myself that it’s doing what it claims, and installed some sensible-looking dependencies.

The script:

  1. takes a PDF – an Ontario vaccine passport – as input
  2. reads the Ontario Health signature verification public key
  3. uses pdf2image to convert the first page of the vaccine passport PDF to an image
  4. uses pyzbar to find and read the QR code in the first page image
  5. performs basic validation that the QR data describes a Smart Health Card
  6. decodes the Smart Health Card data, which is encoded in Base-45; there are Python packages which will do this, but this script rolls its own. Base-45 is similar to Base-64, but uses exactly the character set available to an alphanumeric-mode QR code and is more efficient (it carries more bytes of information for the same number of encoded characters). This step produces a JWT object.
  7. Base-64 decodes the JWT payload.
  8. uses the Ontario Health public key to verify the JWS signature of the JWT object.
  9. zlib-decompresses the payload.
  10. Finally, pretty-prints the JSON content.
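Steps 7 through 10 of that pipeline, written out as an added example that is not part of the original post or of ON-vax-decoder. It starts from the compact JWS string that step 6 produces, uses a constructed payload in the SMART Health Card shape (issuer URL, kid, dates and lot number are placeholders, not Ontario Health values), and leaves the ES256 signature check itself to a JOSE library, but it returns the exact bytes that check must run over and shows where the issuer’s public key is fetched from.

```python
import base64
import json
import time
import zlib
# Constructed sample in the SMART Health Card payload shape (iss, nbf, vc.credentialSubject.fhirBundle).
# Issuer URL, dates, kid and lot number are placeholders, not real Ontario Health values; CVX 208 is Pfizer-BioNTech.
SAMPLE_PAYLOAD = {
    "iss": "https://issuer.example/shc", "nbf": 1634000000,
    "vc": {"type": ["https://smarthealth.cards#health-card", "https://smarthealth.cards#covid19"],
           "credentialSubject": {"fhirVersion": "4.0.1", "fhirBundle": {"resourceType": "Bundle", "type": "collection",
               "entry": [{"fullUrl": "resource:0", "resource": {"resourceType": "Patient",
                              "name": [{"family": "Doe", "given": ["Jane"]}], "birthDate": "1980-01-01"}},
                         {"fullUrl": "resource:1", "resource": {"resourceType": "Immunization", "status": "completed",
                              "vaccineCode": {"coding": [{"system": "http://hl7.org/fhir/sid/cvx", "code": "208"}]},
                              "patient": {"reference": "resource:0"}, "occurrenceDateTime": "2021-06-01",
                              "lotNumber": "LOT-PLACEHOLDER"}}]}}}}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore the padding JWS strips

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def build_sample_jws() -> str:
    """Pack SAMPLE_PAYLOAD as a compact JWS the way a card is; the signature part is a dummy, not a real ES256 signature."""
    header = b64url_encode(json.dumps({"zip": "DEF", "alg": "ES256", "kid": "constructed-kid"}).encode())
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # SHC uses raw DEFLATE (no zlib header), hence wbits=-15
    body = b64url_encode(comp.compress(json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()) + comp.flush())
    return header + "." + body + "." + b64url_encode(bytes(64))

def parse_jws(compact: str):
    """Steps 7 and 9: base64url-decode the three parts and raw-inflate the payload.
    Returns (header, payload, signing_input, signature); ES256 must be verified over signing_input."""
    h, p, s = compact.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "ES256" or header.get("zip") != "DEF":
        raise ValueError("not a SMART Health Card JWS header")
    payload = json.loads(zlib.decompress(b64url_decode(p), wbits=-15))
    return header, payload, (h + "." + p).encode("ascii"), b64url_decode(s)

def jwks_url(payload: dict) -> str:
    """The iss field points at the issuer's public keys; the one matching the header's kid verifies the card."""
    return payload["iss"].rstrip("/") + "/.well-known/jwks.json"

def summarize(payload: dict, now=None) -> dict:
    """Step 10, but as structured fields: the few things the card actually carries, plus the nbf check."""
    now = time.time() if now is None else now
    res = [e["resource"] for e in payload["vc"]["credentialSubject"]["fhirBundle"]["entry"]]
    patient = next(r for r in res if r["resourceType"] == "Patient")
    doses = [{"date": r["occurrenceDateTime"], "cvx": r["vaccineCode"]["coding"][0]["code"], "lot": r.get("lotNumber")}
             for r in res if r["resourceType"] == "Immunization"]
    return {"name": " ".join(patient["name"][0]["given"] + [patient["name"][0]["family"]]), "dob": patient["birthDate"],
            "doses": doses, "issuer": payload["iss"], "valid_yet": payload["nbf"] <= now}
```

Note that the payload is compressed and encoded but never encrypted: anyone who scans the code can read it exactly as this does, and only the signature (checked against the key at `jwks_url`) tells a verifier the contents are genuine.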

JSON Web Signature (JWS) is a compact signature format intended for space constrained environments such as HTTP Authorization headers and URI query parameters. It represents signed content using JSON [RFC4627] data structures. The JWS signature mechanisms are independent of the type of content being signed, allowing arbitrary content to be signed.

OpenID JWS specification

So, after peeling back multiple layers of encoding (but no encryption) and verifying that the QR code was signed by the Ontario Health private key, we can inspect the contents of the QR code, which are:

  • my name.
  • my date of birth.
  • the date, type, and batch number of Covid-19 vaccine I received.
  • the issuing authority (iss field).
  • a Unix epoch-style date-time before which the information is not valid (the nbf field).

That’s it. No deeply personal info, no address, no phone number. I’ve posted the contents of my QR code here, although I did redact the dates and batch numbers.

So I’ve seen the contents of my vaccine passport QR code – and so have you. Seems to me the potential for abuse – someone getting access to information they shouldn’t have – is far less than when you show a stranger your driver’s license to get into a bar.

We hardly knew ye

As quick as it came, the vaccine passport is gone again. The mandatory vaccine passport rules came into effect in Ontario on 2021-10-22. As of 2022-03-01, there’s no longer a requirement for venues to ask for proof of vaccination, although they may still choose to.

No-one enjoys restrictions and extra requirements, but with case numbers now rising again, it’s not clear why the mandate was removed. It’s probably just a coincidence that the Ontario Provincial Conservatives – hardly the natural home of public health advocates – are hoping to get re-elected over the summer…
