Get us in your inbox

  1. A phone screen with a QR code lays on top of a dark blue Australian passport
    Photograph: Time Out
  2. Santosh Deveraj wearing a dark blue suit, champagne coloured tie and a light blue shirt.
    Photograph: Supplied/TrustGridSantosh Devaraj, CEO and founder of TrustGrid

How will Australian vaccine passports work? We spoke to a cybersecurity expert to find out

CEO and founder of TrustGrid Santosh Devaraj offers a glimpse of the technology that will help us prove our vaccination status

Maxim Boon
Written by
Maxim Boon

It’s been 18 months since the virus forced us to shut down our economies, lock down our cities and seal our borders. This was, until recently, our best strategy for controlling the spread of Covid-19, but as vaccination rates continue to climb, both in Australia and overseas, a new normal is taking shape. Welcome to the era of living with Covid.

The question of when lockdowns can end for good has been asked many times since March 2020, but now, for the first time in Australia, we actually have an answer: once 80 per cent of the eligible population have received two doses of a vaccine. In NSW, once 70 per cent of adults are double jabbed, many freedoms will be reintroduced, with lockdowns waiting in the wings, just in case. 

But that’s not quite the whole story. As vaccination is so essential to the success of our recovery plans, being able to access secure and trustworthy proof that you have had both doses is going to be vital. And not just for everyday activities like catching a movie at a cinema or enjoying a pint at the pub. Proving vaccination status for interstate and international travel is also going to be a must.

This is where vaccine passports come into play. Similar digital documents are already in use around the world to provide proof of vaccination, but how exactly will they work in Australia? To find out, we picked the brains of one of Australia’s top cybersecurity experts, Santosh Devaraj, founder and CEO of TrustGrid, who has previously worked with the NSW government on implementing the digital driver's licence.

How difficult is it to produce a secure digital document?

A recent report by the ABC claimed that creating a forgery of the federal government’s vaccine certificate could be done in minutes using easily accessible software.

Devaraj concedes that the document many people currently have access to – an immunisation report via Medicare – is relatively easy to fake, but this is not the kind of “document” that people will use to prove their vaccination status in the future. “In Australia right now, the format of a vaccine certificate is a superficial form of presenting a physical document. But in the secure world, when we talk about a 'document' we’re referring to a piece of information that can be validated and verified, that has data relating to its integrity attached,” Devaraj explains. “It’s semantics, really. A lot of confusion has arisen because people assume the document will operate like they’re holding a piece of paper in their hand. That won’t be the case.”

In reality, the vaccine certificates that are currently available are intended as a personal record, rather than a valid or verifiable proof of vaccination (although it will be accepted as such briefly from September 13 in NSW, when lockdown measures ease slightly for fully vaccinated people until the vaccine passports come online in October). The secure system being developed for the vaccine passport will draw on the detailed data that is created when a person receives their jabs: a record of when, where and what batch of vaccine they have received, as catalogued by the medical professional who administered it. This information is stored by the state’s immunisation database, in much the same way that the information encoded into a digital driver’s licence is stored in a secure government database. In addition to making the vaccine passport very hard to fake, this also ensures a user’s privacy and personal data are safeguarded.

How will vaccine passports be validated in hospitality or entertainment venues?

One of the challenges that developers face is that the vaccine passport system will need to be fast, reliable and easy to manage. It won’t be police officers or customs officials verifying these documents, but baristas, front-of-house staff and box office attendants. Devaraj says the solution will be a type of identity process that most people are already very familiar with.

“Think of it like boarding a flight. You have a boarding pass with a QR code, which gives a very simple response to the flight attendant: either ‘yes the person can board' or ‘no they cannot',” Devaraj says. “The staff that will be verifying people entering a pub or restaurant, are dealing with large crowds, fast foot traffic, in a very similar way. They don’t have time to read through forms or cross-reference IDs. The process necessarily must be seamless. It’s the same with an airline: the plane needs to take off on time. So what we’re recommending to the government is that they use a similar machine-read system.”

NSW premier Gladys Berejiklian has already confirmed that the vaccine passport will become part of the check-in process that has been in place across the state for more than a year. Patrons will scan a QR code, which will not only capture the time and date of their entry to the venue but will also request the patron’s vaccination status, which a Covid marshall will see as either a green tick for entry or a red cross if that person is unvaccinated.

Victorian premier Dan Andrews has indicated a similar system would be in place in Victoria, but he has not yet provided details on exactly how it would work. A pilot program to trial the technology is expected in regional Victoria in coming weeks.

What about people who don’t have access to a digital device?

When it was first rolled out, a clear weakness of the centralised check-in system was its reliance on people having a smartphone. While a majority of Aussies do have a personal, web-enabled device, there will always be a portion of the population who do not. But proving their vaccination status will still be necessary. This is a conundrum that has big implications for international travel too. “If you look at the majority of the world, digital advancement has only happened in relatively few countries. A lot of nations still rely on physical ID like cards and documents,” Devaraj says.

The vaccine passport will need to be flexible enough to function in three different scenarios. The first is entirely digital, as outlined above: the customer scans a QR code that automatically verifies vaccine status. This will be the most common and most secure method.

The second, in the event that a customer has a device but a venue or destination does not provide QR codes, is a hybrid where the vaccination status can be manually requested by the customer as a digital document that can be displayed on a screen, not unlike the vaccination certificate Australians can generate now via Medicare, but with added digital security.

The third, where the venue or destination has a QR code but the customer does not have a device, is the inversion of this: a one-time QR code that is only valid for a limited amount of time can be requested via email as a printable hardcopy that can be physically scanned.

Will we need multiple vaccine passports in the future?

At present, not only are Australia's international borders sealed but its interstate borders are also closed. Managing the pandemic has largely fallen upon state governments, which means currently, only statewide vaccine verification is being developed. This is fine for the time being, but try using your Opal on a Melbourne tram or your Myki on a Sydney train. No dice. Once interstate and international borders reopen, a more universally recognised system will need to exist, Devaraj says.

“We can’t walk around with a hundred different passports in our pocket, that’s just not practical. What we’ll see moving forward is a unification of these different systems,” Devaraj explains. “Ultimately, the digital footprint that’s created when a vaccine dose is administered contains all the relevant information needed for this. It should be pretty simple to create a system that can request those details, but from a privacy and security standpoint, in an encrypted form, so no one's personal information can be compromised.” 


    You may also like