Vax.Codes

[diafygi]

What problem are you trying to solve?

Lots of meetups, orgs, and businesses don't know when they should restart in-person events and gatherings. When they do re-open, many would like to restrict attendance to those who have their Covid-19 vaccine. Unfortunately, there doesn't seem to be an easy way of confirming if someone has received their vaccine shots.

This project is to create a free, easy-to-use tool that organizations can use to check to see if someone has received the Covid-19 vaccine.

Who will benefit (directly and indirectly) from your project?

Meetups like Open Austin, small events like concerts, and personal gatherings like weddings.

What other resources/tools are currently serving the same need? How does your project set itself apart?

Other Resources:

• CDC's COVID-19 Vaccination Record Card

  • This is the official vaccination record card you get when you get your first shot and bring back for each subsequent shot.
  • It is intended as a reminder and reference card for health officials administer the vaccine.
  • It is NOT intended as proof of vaccination for travel or admittance to events requiring a vaccine.

• CDC's V-Safe

  • Vaccine scheduler app.
  • Survey for post-vaccine symptoms.
  • NOT a vaccine verification tool.

• Vaccination Credential Initiative (VCI)

  • This is a currently under-development standard for being able share your vaccination history securely and privately.
  • It is built around the SMART Health Cards Framework, which requires a smart card or smart phone.
  • It is a large initiative that is likely to require significant financial investment to create credentials and verify vaccinations.
  • This is likely to be longer term, more robust standard on which things like vaccination passports are based.

• VaxAtlas, MyVaxPass, and others

  • Digital vaccine verification platforms for employers.
  • Proprietary SaaS products that cost money.

This Project:

The current default seems to be that people will need to carry around their vaccine record card and show it to attend an event that requires vaccinations. However, this card is easily counterfeited, so anti-vaxxers who want to go to a concert can easily make a fake one and show it at the door. So while the CDC card is simple and great for the healthcare system, it's not great for use in vaccine-restricted events.

It seems that the VCI could solve the easy-to-fake problem (since it's based on smart-card cryptography), but it seems like the initiative is focused on highly regulated situations where very strong verification is needed (international travel, customs, visas, etc.). It's likely that VCI will require significant resources from individuals (buying a card and going through a lengthy verification process) and organizations (purchasing a card reader and signing up as a registered business).

So there doesn't seem to be an initiative focused on making vaccine-restricted events possible for small businesses and groups.

Where can we find any research/data available/articles?

• Cnet - COVID-19 vaccine card is not an immunity passport. Here's the difference
• CNN - Vaccination cards will be issued to everyone getting Covid-19 vaccine, health officials say
• Healthline - You’ll Get a Vaccination Card with Your COVID-19 Vaccine: Why It’s Important
• CDC - V-safe After Vaccination Health Checker
• BusinessWire - Broad Coalition of Health and Technology Industry Leaders Announce Vaccination Credential Initiative to Accelerate Digital Access to COVID-19 Vaccination Records
• Engadget - Microsoft and Oracle are working on digital COVID-19 vaccine cards
• Yahoo Finance - VaxAtlas Launches COVID-19 Platform To Help Navigate Vaccination Process
• Kickstarter - MyVaxPass

What help do you need now?

Brainstorming how the system will work and figuring out the scope of work for an MVP.

Initial Brainstorm:

• For event organizers:
  • Can go to homepage, scan a QR code, and see who verified the vaccination (e.g. the "issuer").
  • No registration needed, no setup needed, no app needed
  • Can use any QR scanner app or their smart phone browser + camera permission
  • Has an API for issuer public keys so apps can build verification into their apps instead of using the website.
  • Data in the verification is easy to check against an attendee's ID
• For vaccinated attendees:
  • Get emailed/printed QR code from issuer to show event organizers.
  • No registration needed, no app/smartphone needed
  • Only needs printout or image of QR code to get verified
• For QR code issuers:
  • Can generate a keypair for signing QR codes
  • Can submit public keys to be listed in the public issuer API (used by the scanner tool)
  • Can sign QR codes and generate printouts for vaccine recipients
  • Provide instructions for keypair and QR code generation on local systems (if don't trust the in-browser tool)

Constraints:

• This project MUST NEVER retain any record of generated QR codes or issuer private keys. All private actions MUST be done in javascript client-side (i.e. verifying and scanning QR codes). We want to stay as far away from HIPAA-protected information as possible, while still allowing for easy, free, accessible vaccine verification.
• This project MUST be hosted statically to minimize attack surface. Any issuer API changes MUST be done manually via commits and pull requests from project admins. That way it's much less likely that the issuer API can be maliciously manipulated.

Website Overview:

• Working title: Vax.codes
• / (homepage)
  • The main project landing page
  • Links to: "Scan" (/scan), "Request a QR code" (/issuers), and other links
  • Provides information about the project
• /issuers and /groups
  • Browse list of issuers and groups that are public (loaded from the API)
  • Modal to compose an email to an issuer or group for an individual requesting a vaccine verification
• /scan
  • In-browser QR code scanner for verifying vaccine QR codes
  • Uses qr-scanner.js and openpgp.js to read and verify a QR code.
  • Also allows uploading an image or pdf containing a QR code.
  • Verifies the signature in the QR code against an API of issuer public keys (via issuer API).
  • Allows verification parameter to be set to specific trusted groups (e.g. /scan?groups=demo or /scan?api=https...)
  • Can right-click and "Save As" to save the qr scanner to their local system and use it locally if not internet connection (unhosted)
  • Can be embedded in iframe and responds to postMessage requests from parent frame (so can be embedded in other apps)
• /admin/issuers
  • For issuers and group owners verifying vaccines
  • In-browser generation Ed25519 keypair to use to sign QR codes
  • Alternative instructions on how to generate keypairs on local system
  • Can compose email asking to be included in the signer API
  • Links to: "Create QR code" (/admin/create-qr-code)
• /admin/issuers/create-qr-code
  • In-browser tool for generating signed QR codes
  • Also generates pdf version for easy saving/printing
  • Also allow
  • Has instructions on how to generate signed QR codes on local system
  • Can right-click and "Save As" to save the qr generator to their local system and use it locally (unhosted)
• /admin/groups
  • Email template for requesting to become a group (listed or unlisted)
  • Email template for modifying which issuers are in their group
• /api/v1/issuers/{issuer_id}.json
  • JSON object a specific issuer with a list of their public keys
  • Used by the /scan page to verify a signature from a scanned code
• /api/v1/issuers.json
  • JSON list of all the approved issuers
• /api/v1/groups/{group_id}.json
  • JSON object a specific group/locality that can approve signers
  • Used by the /scan page to show who as approved the signer
• /api/v1/groups.json
  • JSON list of all the groups that can approve signers

QR Code Format:

Format: https://vax.codes/scan#{version}/{signer_id}/{urlsafe_base64_encoded_signature}/{data}

Example: https://vax.codes/scan#v1/test_arc/GC4aq0LmhEs_mcSrzRvB2bQoYYjbm2IxmojG0ryZdLTiF-0VVzjv7imWVvvvzxQ2zWhvku0sztFAF-SUv1d1Cw/birthday=2020-01-01&name=Some%20Name%20Here

End Goals:

The ultimate goal for this project is to get taken over by a larger, more legitimate health/governmental organization. This project is just trying to get something simple working that can be used ad-hoc by local communities looking to do improvised vaccine verifications.

What are the next steps (validation, research, coding, design)?

See project repo for github issues and project status: https://github.com/open-austin/vax-codes

How can we contact you outside of Github(list social media or places you're present)?

@danielroesler on the OA slack

Slack channel: https://app.slack.com/client/T036FLMDN/C01KX6LRWBF

Project repo: https://github.com/open-austin/vax-codes

---

Project management

Checklist for NEW ideas 👶

Hey, you're official! You're now part of the growing civic hacking community in Austin. Here's a few things to get started (a couple you've probably already done).

• Create this idea issue
• Flesh out the who, where, and what questions above
• Start the conversation about this idea on Slack Replace this link to the #general channel with your project's preferred channel.

Checklist for ACTIVE projects 🔥

Let's get this project started! When this idea starts taking off, the Projects Core Team will start helping this project's lead(s) out with project management and connecting you to resources you may need. To get there, please complete and check off the following:

• Post an update at least once a month to this issue. Use BASEDEF for ideas, but it's ok even if your update is just "nothing new happened this month" or "we saw a small increase in traffic to our app this month". If there's no activity for two months, that's no problem, life happens. We'll just label this as backlog so others know you'll get back to it when you have the time. If nobody hears from you at all in more than two months, we may mark it as abandoned so that others can pick up this idea and run with it.
• Take 30 minutes to complete Open Leadership 101
• Create a GitHub repository. Ask for help setting up permissions if you want your repository to be within the Open Austin Github organization.
• Create a README file in your project repository. This file should help newcomers understand what your project is, why it's important, and kinds of help you're looking for.
• Create issues to describe each task that you plan to do or need help with and how a contributor can get started on that task. You might start and stop a lot, so consider issues as your to-do list.
• Create a team for your core contributors
  • This will make it easier for you to manage your github repo access. People on a team have the same level of access. Admin access will allow your trusted contributors to make changes as needed.
  • You can remove and add people to your team as needed.
  • View some of our teams: https://github.com/orgs/open-austin/teams
  • Note: You can also allow collaborators outside of your team and give them more limited access.
• Create a user group in Slack so you can "@" your core contributors all at once, without bothering other people who use the Slack channel. You'll need permission from a Slack admin, so just mention @Leadership on Slack to get this set up.
• Create a Google Drive, Dropbox, or other cloud storage to share larger files. Github and Data.World are good for code and data, respectively, especially when you need version control. But they're not good for very large files, documentation, articles, etc. A cloud storage option will allow you to easily share, create, and collaborate on documents with your team and help organize ideas and thoughts.
  • Doing this early on can help your team stay organized and to onboard new contributors who wouldn't have access to files you all have shared over email.

Checklist for FEATURED Projects 🎉

To have your project FEATURED on Open-Austin.org, complete the following documentation. In past projects, well-documented featured projects have more contributions than other projects.

• In your README, link to the Open Austin Code of Conduct or write your own code of conduct.
• Create file: LICENSE to give your project an open license, allowing for sharing and remixing.
• Create file: CONTRIBUTING.md so others know how they can contribute.
• Create an easily shareable project management artifact, like a Civic Tech Canvas or Open Canvas
• Create an issue on the open-austin.github.io repo with the title Add [my project] to projects page. An Open Austin leader will review this issue and post your project 🎈
• Tell the City of Austin. If your idea is in a shareable format and can benefit people around the city, go to that site and follow the instructions on the bottom of the page to showcase your work there.

If you get stuck at any point, feel free to reach out to the leadership team on Slack by adding @Leadership to your message. We're here to help you make real changes to our city.