California's New Vaccine Verification System Has Major Privacy Implications

Thomas Smith
Thomas Smith/Gado Images

In June, California became among the first states in America to launch a digital Covid-19 vaccine record system. (The state hasn’t provided a convenient acronym, so I’m going to call it the DCVRS).

State leadership shies away from calling the DCVRS a “passport”, but effectively it is. According to the system’s website, the system is intended to allow “venues” to determine a person’s Covid-19 vaccine status by scanning a QR code which the system issues to vaccinated individuals after referencing their state vaccine records.

The system is voluntary, but the intent is clearly to give businesses or institutions an easy, digital way to verify that a person has gotten the Covid-19 shot. For example, a restaurant could scan diners’ vaccine QR codes before allowing them to dine indoors with their masks off, or a concert venue could require users to upload their code before purchasing a ticket. The state has also said the system could be used for status verification during travel.

Verifying a person’s status digitally makes sense, but how would one actually accomplish it? On this, the DCVRS is relatively silent. An FAQ on the system’s website says only “If you are at a venue that can read SMART Health Cards, present your copy of your digital vaccine record for scanning.” What’s a SMART Health Card, and how can someone access the data which it contains? Also, what are the implications for user privacy, and how can users keep their data safe?

Smart Health Cards

SMART Health Cards are an open-source framework for storing and accessing “verifiable clinical information”. The framework is maintained by an organization called VCI, which describes itself on its website as “a voluntary coalition of public and private organizations committed to empowering individuals with access to verifiable clinical information, including a trustworthy and verifiable copy of their vaccination records in digital or paper form using open, interoperable standards.”

Basically, VCI appears to be an industry group which is creating a standard, open-source framework for storing health data. VCI lists hundreds of public and private organizations among its members, including Allscripts, Google, and the University of California at Davis. The members commit to “testing, refining and implementing the SMART Health Cards Framework within their sphere of influence.”

The framework itself is well documented, both in several briefs provided by VCI, and on the organization’s GitHub. One brief deals specifically with using the framework to verify Covid-19 vaccination status. It envisions three “actors”: an “issuer”, a “holder”, and a “verifier”, who are responsible for giving vaccinations, receiving a SMART Health Card, and verifying the data present in the card, respectively. Under California’s DCVRS, the state itself would be the issuer, Californians like you and I would be the holders, and a venue or business would be the verifiers.

In this use case, the brief says that VCI’s goal is “representing the minimal set of clinical data necessary to represent COVID-19 vaccination status and laboratory testing for verification purposes in a SMART Health Card.” In other words, the card itself is designed to store — in its QR code — all the data which is needed in order to verify that you’ve gotten the Covid-19 shot.

Your QR Code

If you’ve downloaded your own QR code, what data does it contain? Pull out your phone’s camera, scan it, and see what comes up. Most likely, you’ll get a big series of numbers, and a message from your phone saying that it’s unable to read the QR code’s VCI format. In my own research, I was unable to find a simple app which could read the framework’s codes and make sense of them. That makes it hard for users to know what their code contains, and also means that as of now, venues have no easy way to scan the codes in order to verify an individual’s status.

That doesn’t mean that it’s impossible to scan the cards, though. While investigating the cards, I found a SMART Health Card demo website, which appears to be intended to allow developers to test SMART cards. The good news? You can use the same site to scan your own DCVRS QR code and unlock the data it contains.

Pull up the website’s URL ( on your phone. Press the Scan QR Code button. Your phone will pull up a basic scanner. Use it to scan your own code. When you’ve scanned it, the text fields on the site will populate. You’ll see the same weird string of numerals that you saw before if you scanned a code with your phone’s native QR scanner in the first text field. But this time, the other fields should be populated, too.

Scroll towards the bottom, and find the “Extract FHIR Bundle” field. This appears to contain the actual information embedded in your own DCVRS QR code.

What’s in there? Quite a lot, it turns out. My own code looks to contain my full name and date of birth, as well as the two dates that I got my shots. It also contains a “vaccineCode”, which presumably identifies the manufacturer of my shot. The code also appears to contain the specific lot number of each shot that I received, as well as the name of the health provider who gave me each jab (in my case, the Contra Costa Immunization Program). Some of this data is shown to users when they download their QR code, but some (like the name of the provider who gave them their shot and the lot codes) is not.

The verifier demo doesn’t seem to stop at simply displaying the information in the QR code, either. It also appears to reach out to the state in order to verify that the code’s information is accurate. Using a network traffic analysis tool, I looked at outbound traffic from the verifier demo page. When I scanned my QR code, the system appeared to reach out to the URL of a state website (, sending it a number which presumably identifies my vaccine record.

The website appeared to respond with a cryptographic key, which likely verifies that it indeed issued me my QR code, and perhaps confirms the information contained in the code itself (I was unable to verify exactly is being checked, because I don’t have a good way to test the site with false QR codes to see how it responds). At the very least, the verifier system is set up to confirm a QR code’s veracity by contacting an external state server. The demo site might be actually doing this, or it might be simulating a check. But the ability to do an external check against state records appears to be part of the verification system.

Implications and Risks

My findings have several implications for users of the DCVRS. Firstly, users should know that it’s very important not to share your QR code publicly. It might be tempting to post the code to social media, to show others that you’re vaccinated. But remember, even through it doesn’t look like a health record, the code contains sensitive information, including your full name and date of birth, as well as the lot code of the vaccine you received. Just as you shouldn’t share your CDC vaccination card online, you shouldn’t share this health record, as it could invalidate your HIPAA protections, among other issues. If you screenshot your code as the DCVRS suggests, make sure to store it in a secure location on your phone where it can’t be easily accessed.

Know, too, that if you choose to present your card to a venue in the future, it’s very possible that when the venue scans your card, their scanner will “phone home” to the state in order to verify your vaccine status. It’s unclear how or whether data on these scans will be recorded or stored in the state’s database. The DCVRS’ privacy policy states that “We do collect personal information directly from individuals who volunteer to use some of our services”, so the system would be able to store data on users’ card scans if the state chose to log this information.

That’s a big deal. Imagine that the state chose to log every time your card was scanned by a venue, recording these scans in its database alongside your vaccination information. Those records would become a de-facto location tracking database, showing which venues you visited and at what times. This data could be used for contact tracing purposes if you developed a breakthrough Covid-19 infection, which would be a useful function. But it could also be accessed by a hacker, or potentially used to track your whereabouts for other purposes (like if you were being investigated for some alleged wrongdoing).

These risks aren’t necessarily a reason to opt out of using the DCVRS. There’s always some risk in connecting with a state database, and there are definitely potential benefits to having a digital vaccine record you can easily present, especially when you’re traveling. But again, most people who are casually downloading their vaccine records probably aren’t aware of these risks. They may not know how much sensitive information is captured in their QR codes, and they may not realize that allowing a venue to scan their code means potentially reporting their location and activities to the state.

As California expands the system — and especially as it rolls out frameworks for easily allowing venues to verify users’ vaccine records — there are some important steps the state and DCVRS users should take. Firstly, the DCVRS website should make clear exactly what data is contained in users’ QR codes, and should include an explicit message about the risks of sharing the code online. As the state rolls out apps and other scanners to verify cards, it should make clear what data the state is gathering and storing about users’ activities and locations.

The state should also provide a framework for “local” verification, where a venue’s scanner only verifies the information present in a user’s QR code, and doesn’t make a remote call to the state’s systems. Local verification leaves open the door to forgeries and faked records, but it also reduces the risks to users’ privacy, because data would remain on the venue’s scanner, rather than being sent out to the state’s servers. Again, the QR code itself contains all the information needed to check a user’s status, even without external confirmation from a state server.

For basic functions like eating at a restaurant, this level of verification would probably be fine. The state could then save externally verified scans for special circumstances, like travel or entering a hospital or another sensitive facility. The verification process appears relatively simple, too, so the state should move forward on launching verification apps and systems as quickly as possible.

Overall, the DCVRS is a major step forward in vaccine verification, and Californians should feel proud that our state is among the first to implement such a system. The system is relatively streamlined, uses open standards, and provides a means to verify information and prevent forgeries. But in using it, we should still be aware of the privacy risks, and we should be prepared to protect our own rights, even as we take advantage of the portability and accessibility of digital vaccine records.

This is original content from NewsBreak’s Creator Program. Join today to publish and share your own content.

Comments / 32

Published by

Award-winning entrepreneur, and the co-founder and CEO of Gado Images. Thomas writes, speaks and consults about artificial intelligence, privacy, food, photography, tech, and the San Francisco Bay Area. As a professional photographer, Thomas' photographic work regularly appears in publications worldwide. Pitches/news tips:

Lafayette, CA

More from Thomas Smith

Comments / 0