How the NHS Covid Pass scheme actually works

Out of London for the first time in a year or so, on a short trip to France.

I was able to scan my Covid-19 vaccine record from the NHS App into the French “TousAntiCovid” app.

Much like the UK, there are two modes: one for domestic use, and one for travel.

In general, the QR codes in vaccine passports generated in Europe contain name, DOB, date of jab, kind of vaccine etc. This is an EU-wide standard also used within the NHS app.

When I scan the NHS code into the French TousAntiCovid (“everyone against Covid”) app, it has two modes: one for domestic use in France that visually displays only the QR code and name. This is for showing in restaurants, bars, etc.

And a separate “border mode” which contains the same details, but visually shows additional bits such as DOB (to match against a passport) and date of jab (to check whether enough time has passed to be considered fully vaccinated)

Note that in both the cases, the underlying QR code has ALL of the data from the text/PDF version, so anyone could theoretically make a different QR code scanner up to read and reveal all of the data.

By default though, the QR codes visually reveal less private info than PDF

Within the UK for domestic use for instance, the NHS has a separate app called the Covid-19 Verifier app (iOS version here in the App Store:

A really forward-looking decision taken by the NHS Covid Verifier app is that it does NOT show the underlying personal data; it just returns a yes/no result.

This is by far more privacy-preserving than asking someone to show their details on a PDF or paper or card.

The *domestic* NHS Covid QR codes uses the following criteria when showing yes/no:

1. Positive PCR test in last 6 months
2. Fully vaccinated
3. Negative lateral flow test in last 48 hours

When it returns a yes/no it doesn’t give which of the above 3 reasons it was based on

One thing to note about the domestic passes is that criteria 1 and 2 are usually more likely to be true.

Criteria 3 (negative rapid test) is easily faked, because it’s based on a self-reported result.

Then there’s the behavioural challenge. The DHSC wants venues to use the NHS Covid Verifier app to check these status. Scanning each code, which takes say 10-30 seconds.

If you imagine a crowd of 1000s at a venue, the more likely behaviour (and as reported at Wimbledon and Wembley), is to just ask people to show the actual text on PDF or app 🤷🏽‍♂️

Which ultimately defeats the purposes of the privacy-preserving Verifier app.

And if there’s an easy loophole through the negative rapid test, it undermines the faith in whether the Verifier app can be trusted.

There are two options here:
1. Continue on the honour system, and hope people don’t lie when reporting rapid test results (what we do right now)

2. Carry out an ID check as well as some form of verified check on rapid test result, e.g., the result must be logged with a photo of the test kit to prove what the result was. Although I imagine this intrudes on privacy and could reduce the number of people taking rapid tests.

Having worked in digital identity and biometrics for a while, my immediate reaction to any new initiative is to think of “how will people try to game the system?”

Because what years of behavioural research on this has shown is that there are some people who ALWAYS try to fake.

So the question always changes to one of behavioural psychology and systemic risk: in a given system (say this domestic passport), how many users do you think will try to game the system?

And how much %age of these people who are trying to game the results can the system absorb?

Originally tweeted by Ankur Banerjee (@ankurb) on 1 August 2021.