For the US, everything in the design of the vaccine card system was made to prevent it from becoming another social security card fiasco. They are oversized, freely distributed, not centrally tracked, etc.

If I had to guess, it was made this way on purpose to quell fears that this vaccine effort would mutate into a bigger privacy concern and discourage people from getting the shot.

But yet here we are. People want to use it in exactly the way it wasn't designed to be used.

In a interesting turn of events, in Italy, a Telegram group who sold fake green passes has now turned the operation into a ransom attack. They’re intimating everyone who sent their personal information and payed 300€ for a fake pass to pay another 350€ in BTC or they’ll send all the data to the police.

It's very hard to feel sorry for the victims. This suggests there are people who would rather pay 650 euro than get the shots. Is even the initial 300 euro worth it? This is so bizarre.

Those vaccination cards are a joke. Photoshop and a bit heavier than normal card stock is all you need. Is there a central database where vaccinated are kept? I’d assume for reporting, yes. But in 2021, we get a glorified business card that is trivial to fake. Ah, government.

We do have digital certs in Europe (as mentioned in other comments). I don't know why the article mentions Europe, the cards aren't used to check vaccination here.

In just a few short months, the last restrictions are lifted and Corona passes are no longer mandated in at least Denmark.

That will hopefully show the way out of this division between vaccinated and not vaccinated, so we can go back to being one people again.

Yeah, instead of this war on COVID.

People's health choices should be private.

Agree! As should whether they have a driver’s license, are trained in practicing medicine, are licensed to work on the electric in my home… These are all personal traits that are nobody’s business but the person themselves!

Right. Just like driving drunk is my choice. It doesn’t affect anyone else.

Not if it puts my life at risk.

Not In My Back Yard, eh?

NIMBY is a term for things that need to exist, but people fight against them existing in their neighborhoods. There is no reason for the vast majority of unvaccinated people to be unvaccinated, so the term makes little sense here.

Maybe you didn't understand what I wrote.

> Not if it puts my life at risk.

Good, they are a joke.

It seems the preferred method would be to verify via official state/national health records, I wonder why this isn’t the preferred approach?

In Europe, some countries, we need to certificate to go out to dinner for example. The restaurant is supposed to check the QR code with their own app that is secure and you can't fake it (i actually don't know if it goes to the medical records or it's just digitally signed). Anyway, what i see most restaurants do is to look at the QR code, with their freaking eyes, and say OK pass.

The QR is issued based on medical information but in most cases not directly linked (it's a separate database). But it's not an airtight system.

The gap there is that the venues have to check the QR with your ID to see if it's got the same name. Usually they don't bother. So people can just use someone else's. The QR is super secure (signed with a private key) and can't be faked but the person's identity has to be validated by other means and cross-checked with the QR info. So basically it comes down to the whole fake ID thing that people have always used for underage drinking etc. And a lot of places don't bother in my experience, they just scan the QR and see if it comes up green.

I really hate having to ID myself everywhere though. Especially because the QR is digitally scanned so can be collected really easily. I really care about privacy and this can be used for tracking to the extreme. Nothing to stop restaurant owners and shops from collecting the personal info they scan. I'm fully vaccinated but I'll probably not go for dinner anymore and will boycot public transport as much as I can.

Also, if we just make vaccines mandatory there's no need to check as everyone's got one.. The lowest covid risk possible, and no privacy invasion.

I feel like the current measures are tailored too much towards the needs of the antivaxxers. I understand their concerns but a society where we have to ID ourselves every 5 minutes and be tracked as a result is a horror scenario too. I'm hoping for a bit more debate on this but the countries that have introduced this (France, Italy) have ignored any criticism.

Also, it doesn't really help the antivaxxers as in those countries they will have to get a 50-euro covid test every 2 days if they want to go shopping, use public transport, eat out etc. In the end I think many of them will get the vaccine anyway as they can't afford that. And then when (nearly) everyone is vaccinated, will they drop the QR codes? I doubt it... So really all of us will be worse off in the end.

I know it's not a nice debate to have but we really need to think of the effects of these decisions on society in the long term.

> Also, if we just make vaccines mandatory there's no need to check as everyone's got one.. The lowest covid risk possible, and no privacy invasion

How do you make them mandatory without privacy invasion? You must keep records on who is unvaccinated.

The precursor to every 20th century atrocity was diving the population by decree.

The state already knows who is and isn't vaccinated, otherwise they couldn't issue the QR codes. This is already a total known in Europe. It's linked to your healthcare ID (a lot of countries in Europe have nationalised healthcare)

The QR codes themselves enable businesses and government to track your detailed movements every day though. This is why that's much worse.

I wonder if it's possible to devise a QR code verification system that doesn't erode privacy.

For example, what if guests could regenerate the QR code, or the app did it automatically, every five minutes? And the QR code contained nothing but a cryptographically verifiable assertion that the person presenting it is vaccinated, together with a picture (or a reference to a downloadable picture) of the guest? That would prevent the host from being able to gather anything beyond what they already can from their CCTV, while getting the vaccination assurance they need.

Trouble is, I can't think of a way to do this without connectivity, and that's problematic due to downtime, service availability, and so on. A privacy eroding fallback to an offline system would be possible, but runs the risk of privacy violators simply "accidentally" losing connectivity.

Anyway, there's a challenge for HN. Design such a system :-)

The authorities actually are trying to get us to use their app which does indeed generate a new code every time. However this is something I don't like because then I have any tracking of the actual app to worry about too. Especially because their lineage is pretty murky. I've gone to a lot of trouble to get facebook and google out of my life and this feels like a big step back. So I use the paper code exclusively.

Of course that also presents issues with people not owning smartphones, not knowing how to use them or having dead batteries as you mention already.

But what you describe would be better than the current setup if the operator is really transparent about how any personal info is used, yes.

All the covid tracking apps during the first wave were really privacy conscious (avoiding personal info, using open source etc) but the whole QR thing as introduced in Europe doesn't seem to have taken this into account at all. Of course that's because it's more personal in general but the whole open source thing has been dropped too. Only Switzerland seems to be doing that now.

It's signed. However, all it actually says is that "there exists a person called Joe Bloggs who has this vaccine on this date". The restaurant is then supposed to check this against photo ID. In practice, this rarely happens.