The QR code on South Africa’s Covid-19 vaccine certificate contains personal information that is easily decoded, and should be treated like any medical record.
People who have been vaccinated in South Africa should therefore not post their vaccine certificate QR codes on social media.
Scanning the QR code displayed on the vaccine certificate returns a string of characters that looks enciphered.
However, a MyBroadband forum member pointed out this is simply Base-64 encoding, which is trivial to reverse.
Base-64 is not an encryption algorithm but a way to convert any data into alphanumeric characters. It is commonly used to transform data into a string of characters that is safe to use in a web URL.
The decoded data contained the following fields:
- ID Type — RSA ID no., passport no., or refugee no.
- ID Number
- First Name
- Date of birth
- Immunisation events, including:
  - Vaccine received
  - Date of vaccination
  - Proof of vaccine code
If you received the Pfizer-BioNTech Comirnaty vaccine, the dataset would contain two immunisation events — one for each dose.
Should you receive a booster shot in future, this will also be shown in the array of immunisation events.
While the vaccination certificate does not display an expiry date, the encoded data still contains an expiry date field.
The expiry date is set for three months from the day you generated the vaccination certificate.
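To show why the encoded string offers no confidentiality, the added example below (not MyBroadband's or the health department's code) decodes a constructed Base-64 payload and lists the personal fields anyone with a scanner could read. It assumes the decoded data is JSON; the key names and every sample value are made up for illustration.

```python
import base64
import binascii
import json

# Hypothetical key names: the article lists the fields, not how they are spelled.
PERSONAL_KEYS = {"idType", "idNumber", "firstName", "dateOfBirth"}

# Constructed sample record; every value is made up.
SAMPLE = {
    "idType": "RSA ID", "idNumber": "0000000000000",
    "firstName": "Thandi", "dateOfBirth": "1980-01-01",
    "immunisationEvents": [
        {"vaccineReceived": "Comirnaty", "vaccinationDate": "2021-08-01",
         "proofOfVaccineCode": "CONSTRUCTED-0001"},
        {"vaccineReceived": "Comirnaty", "vaccinationDate": "2021-09-12",
         "proofOfVaccineCode": "CONSTRUCTED-0002"},
    ],
    "expiryDate": "2022-01-10",
}
QR_TEXT = base64.b64encode(json.dumps(SAMPLE).encode()).decode()


def decode_qr_text(text):
    """Return the JSON object behind a Base64 string, or None if there is none."""
    compact = "".join(text.split())
    compact = compact.replace("-", "+").replace("_", "/")  # URL-safe alphabet
    padded = compact + "=" * (-len(compact) % 4)  # tolerate missing '=' padding
    try:
        obj = json.loads(base64.b64decode(padded, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def exposed_fields(node, path=""):
    """Return dotted paths of personal fields readable without any key."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in PERSONAL_KEYS:
                found.append(here)
            found += exposed_fields(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += exposed_fields(item, f"{path}[{i}]")
    return found


if __name__ == "__main__":
    print(exposed_fields(decode_qr_text(QR_TEXT)))
```

No key or secret appears anywhere in the decoding path, which is the difference between an encoding and encryption.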
Acting health department director-general Nicholas Crisp confirmed that the QR code on South Africa’s vaccine certificate was intentionally designed to contain identity information.
“It is a private document like any medical record,” Crisp told MyBroadband.
“The ID is essential to verifying that the person carrying the certificate is indeed the person with the ID document with the same number.”
EVDS project manager and chief director for policy coordination and integrated planning at the Department of Health, Milani Wolmarans, said they have taken steps to ensure the security of South Africa’s digital vaccination certificate.
“The QR code will have a cryptographic signature linked to public key infrastructure (PKI) to prevent any fraudulent production of vaccination cards,” explained Wolmarans.
Wolmarans said that a cybersecurity specialist is working with the department and is helping to ensure that they are putting stringent security measures in place.
They also conduct regular penetration testing with security specialists, Wolmarans stated.
On the question of whether South Africa’s vaccine certificate would be recognised internationally, Wolmarans said that most countries would accept our digital vaccination certificate.
However, she said it depends on the country you are visiting and their verification requirements.
She explained that the infrastructure to enable verification of South Africa’s digital vaccine certificate is being rolled out and should be available locally from the end of October.
This includes QR code readers that can scan the certificate and verify it against the EVDS.
South Africa will share security codes with other countries to verify vaccine certificates using our public key infrastructure.
“It is a huge, complicated technology platform we are creating,” Wolmarans said.
She said the department is ensuring that South Africa’s certificate is adhering to international standards.