Easter marks the start of the travel season in many European countries. The Corona pandemic still has the world in its grip. With the virus variants BA.1 and BA.2, the course is often milder, but the risk of infection is higher. When traveling abroad, therefore, proof of vaccination is usually still required in hand luggage: in Europe, it facilitates entry in about half of the countries.
The proof can be in paper form or digitally. The most widely used is the EU COVID certificate. Not only the 27 member countries use it, but also 35 other countries. The International Civil Aviation Organization ICAO has also developed a certificate. It is called Visible Digital Seal and is compatible with the EU’s COVID certificate. The World Health Organization is in the process of developing a Covid certificate and the necessary infrastructure. This, too, is to be compatible with its European counterpart. All of these certificates work according to the same principles and focus on data privacy. But how does it work exactly?
What does the QR code say?
Square, practical – and widely used: The QR code, in its largest version at 177 by 177 pixels, stores just under three kilobytes of data. That corresponds to about 4,000 digits or letters. But the EU COVID certificate doesn’t need that much. It contains only the necessary information: Name, date of birth, issuing body and a unique certificate identifier. Depending on the certificate, additional information is added. These are:
- For the vaccination certificate: vaccine and manufacturer, number of doses administered, date of vaccination.
- For the test certificate: type of test, date and time of the test, test center and result.
- In the case of the recovery certificate: date of the positive test result, period of validity.
In addition, each certificate is given a digital signature. It is like a digital fingerprint. The system behind it is public-key encryption. A private key signs the certificate. With a public key, anyone can verify the authenticity of the certificate. If only one character in the certificate was changed after the signature, the authenticity would not be given.
What happens when the QR code is checked?
The Covid certificate has become an indispensable companion for traveling. In Germany, CovPass app and Corona warning app manage the certificate. The matching smartphone application for scanning is called CovPassCheck app in Germany. In France it is called TAC Verif, in the Netherlands CoronaCheck Scanner. Many names one principle: The so-called Verifier app reads the QR code and outputs the vaccination status as well as name and date of birth.
The app also checks the authenticity of the certificate. To do this, the Verifier app regularly loads all public keys of all signed EU COVID certificates of the more than 60 countries. TAC Verif, for example, obtains the keys from a French server. This receives the keys from a central network computer in Luxembourg. In Germany, the Robert Koch Institute signs the certificates. Sounds like a lot of data, but the total package is not much larger than a megabyte. With the matching public key, the Verifier app recalculates the digital fingerprint of the individual certificate. The fingerprint is the result of a computational operation on the text itself. Every letter, every number, every space is included in the calculation and results in a so-called hash. If the Verifier app’s calculation with the public key produces the same hash value as stored in the certificate, the certificate has not been changed after signing and is genuine.
And data privacy?
The personal data of Covid certificates is not stored centrally. They are only located in the users’ certificate app. The verifier app does process the personal data – but only in the device’s RAM. And this is regularly deleted. The public keys do not contain any personal data.
The EU COVID certificate is expected to remain a permanent travel companion for at least another year. The Council of the 27 EU member states recently agreed to extend the regulation introducing the EU COVID digital certificate until June 30, 2023.