What is in your BC Vaccine Passport?

Cariad Keigher
Sep 8, 2021

As you may be aware, those in British Columbia are joining other jurisdictions in issuing “vaccine passports”, which is basically a verification system to show your vaccination status. This is to combat the spread of COVID-19, and is intended to ensure that those who are unvaccinated do not pose a threat to those who are.

BC Government Health Gateway showing my “BC Vaccine Card”

If you’re reading this and are about to go tweet at me or write some diatribe to my e-mail address about vaccines being tyranny, I have a simple response: fuck off.

I have professional concerns about the passport myself, but they’re based on equity for those who are unable to procure a personal health card for whatever reason. If your concerns align with the thousands who opted to hinder access to local hospitals, you’re a fucking dickhead and I do not care about your baseless and factless opinions.

Anyway, historically, these are not new at all: during my own parents’ lifetimes, before I was born, they existed for Canadians who needed to travel abroad. However, we’re now in the age where our mobile phones are capable of providing an aspect of verification of vaccination status.

Website for SMART Health Cards

It was feared initially that every jurisdiction would adopt a system of their own to work with the data, but fortunately it seems that British Columbia has adopted the same system as Québec, which is to use the SMART Health Card system, a standard developed by the W3C Consortium, who are behind the standards for the world wide web.

Much like how the world wide web works with establishing encrypted connections for online banking, the SMART Health Card (“SHC”) uses the same methodology to verify the contents of the presented QR code. The QR code can be shown to anyone with a mobile phone running an application capable of reading it, and then the details on the application can be compared with some photo identification to confirm that the QR code belongs to the person they’re interacting with.

The QR code can be on your phone, a piece of paper, or in one case with someone in Québec, printed on a t-shirt so it could be read metres away.

Anyone can read this QR code and with that it may raise some eyebrows.

So now you’re wondering: what makes it safe? How does someone not get my personal details? These are legitimate and important questions and they can be answered quite easily: the issuing health authority is only supposed to put as much information as needed on the card.

The SMART Health System is clear about what can be on a person’s card.

As it stands, the standard should contain your legal name, date of birth, tests if relevant, vaccinations, and contraindications should you have any. It is spelt out as per the image above that it should not contain your phone number, your address, an identifier such as a personal health or driver’s licence number, and other health information. The SHC standard straight up outlines keeping data at a minimum and has a whole section on privacy.

Output from a SHC QR code reader. The “issuer not recognized” remark at the bottom should be of no concern until the programme goes live in a week. I would expect that to go away by then.

So does British Columbia adhere to the recommendations?

I have gone ahead and decoded my passport (using this methodology as a guide) and was able to glean from the data that it has the following:

  • The issuer (ISS), which is remarked as the Provincial Health Services Authority (PHSA)
  • The creation date (NBF), which is an epoch time stamp of seconds since January 1, 1970 00:00:00 UTC (standard for most computer data)
  • The type of card it is, with the data outlining it is for COVID-19, immunization, and is a health card
  • The family name of the passport holder
  • The first or given name of the passport holder
  • Their birth date
  • Their immunization records and date of occurrence for each plus the vaccine type, lot number (which box or order the vaccine came in), and where it was given

That is it. There are no health numbers, no address, and surprisingly, no mention of the person’s gender. I have concerns about the name aspect for those who are transgender as it could out them, but that is it.
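The decoding steps and the field check described above can be reproduced with a short script. This is an added example, not the author's code or the methodology she followed; it assumes a single-chunk `shc:/` QR payload, runs against a constructed, unsigned sample card, and does not verify the issuer's signature. The function names, the `https://issuer.example` issuer and all sample values are hypothetical.

```python
import base64, json, zlib

def shc_to_jws(shc):
    """Undo the QR numeric encoding: each digit pair is ord(char) - 45."""
    if not shc.startswith("shc:/"):
        raise ValueError("not a SMART Health Card QR payload")
    digits = shc[len("shc:/"):]
    return "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))

def decode_payload(shc):
    """Return the card's JSON payload. The issuer's signature is NOT checked here."""
    _header, body, _signature = shc_to_jws(shc).split(".")
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    return json.loads(zlib.decompress(raw, wbits=-15))  # payload is raw DEFLATE

# Patient fields the article reports seeing; anything else deserves a second look.
EXPECTED_PATIENT_KEYS = {"resourceType", "name", "birthDate"}

def review(payload):
    """Summarise the card and list Patient fields beyond name and birth date."""
    out = {"iss": payload["iss"], "nbf": payload["nbf"], "doses": [], "unexpected": []}
    for entry in payload["vc"]["credentialSubject"]["fhirBundle"]["entry"]:
        res = entry["resource"]
        if res["resourceType"] == "Patient":
            out["unexpected"] = sorted(set(res) - EXPECTED_PATIENT_KEYS)
        elif res["resourceType"] == "Immunization":
            out["doses"].append((res["occurrenceDateTime"], res.get("lotNumber")))
    return out

def make_sample(patient_extra=None):
    """Build a constructed, unsigned card so the example runs offline."""
    patient = {"resourceType": "Patient", "birthDate": "1980-01-01",
               "name": [{"family": "Sample", "given": ["Alex"]}], **(patient_extra or {})}
    dose = {"resourceType": "Immunization", "occurrenceDateTime": "2021-06-01",
            "lotNumber": "LOT-EXAMPLE"}
    payload = {"iss": "https://issuer.example", "nbf": 1631059200,
               "vc": {"type": ["https://smarthealth.cards#health-card"],
                      "credentialSubject": {"fhirBundle": {"entry": [
                          {"resource": patient}, {"resource": dose}]}}}}
    deflater = zlib.compressobj(wbits=-15)
    body = deflater.compress(json.dumps(payload).encode()) + deflater.flush()
    b64 = lambda b: base64.urlsafe_b64encode(b).decode().rstrip("=")
    jws = ".".join([b64(b'{"zip":"DEF","alg":"ES256"}'), b64(body), b64(b"placeholder")])
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)

if __name__ == "__main__":
    print(review(decode_payload(make_sample())))
    print(review(decode_payload(make_sample({"address": [{"city": "Example"}]}))))
```

An empty `unexpected` list means the Patient record carries nothing beyond a name and birth date; a card that also held an address or gender would list those keys there.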

You can safely show this QR code to someone else if someone requests that information from you. If you’re running a wedding, you can have your guests confirm that they have been vaccinated. All you need is to have photo identification to verify the contents of the QR code and through the power of mathematics, it is incredibly difficult and likely impossible to forge a QR code that can thwart this system.

Go ahead and print this out, make an iOS shortcut that is super useful, or put it on a t-shirt. It’ll be a piece of identification until we get through this mess we’re still in.

All we are waiting on is for the PHSA to become a recognized issuer and anyone can trust this vaccine passport. A vaccine passport issued in British Columbia will also work in Québec and vice-versa and while it may have issues internationally as I am certain that someone in Florida or Belgium may not know what the PHSA is, they’d still be able to read the data anyway.

Go get your passport if you have gotten your vaccine and if you haven’t gotten your vaccine yet, go get it. If you don’t want to get your vaccine, leave everyone alone and wait out the pandemic so you don’t spread it or worse get sick.

My remaining concern right now is: what do we do about those who cannot get access to the website? Equity is still my problem with all of this, and my concern lies with those who are undocumented or are of no fixed address, just to name a few.

Update: it seems that you can just call in to get a non-digital copy of the passport should you run into some issues related to equity.
