The Vaccine Certificate Experience
"It was hard to write, it should be hard to use"
The quote above was something a programmer friend of mine used to say in the '90s and, despite all the advances in user experience or UX design, it appears to remain effectively true. Let's look at the experience over this past weekend with the newly rolled out enhanced vaccine certificate in Ontario.
Let me preface this by saying that I appreciate that this may be version 1 of a certificate with a QR code and that my comments are intended for an improved version 1.x or 2 of the proof of vaccination. I should also note that CBC has already pointed out that Ontario's enhanced vaccine certificate system is not accessible to marginalized people.
Downloading the Certificate
You will need to go to https://covid-19.ontario.ca/get-proof/ and answer the following questions:
How many doses of the COVID-19 vaccine do you currently have? (required)
Did you get all your doses in Ontario? (required)
Select which health card you have (required)
Do you identify as First Nations, Inuit, or Métis? (required) If you are a non-Indigenous partner or household member of someone in this group, select "Yes."
A couple more clicks (get the certificate through the website or get it by mail or print it at a local library, ServiceOntario location, or call a friend) and you will be asked to agree to the Terms of Service, which includes the following:
By inputting your personal information and personal health information into the COVID-19 Vaccination Services you are agreeing to the ministry's collection, use and disclosure of this information for the purpose of researching, investigating, eliminating or reducing the current COVID-19 outbreak and as permitted or required by law in accordance with PHIPA as set out above. You also agree that your information will be made available to the Public Health Unit(s) in Ontario responsible for your geographic area for the same purpose.
More specifically, by using COVID-19 Vaccination Services, you consent to the ministry collecting identifying information, including personal health information, about you that you submit through the patient verification page so that the Ministry can ensure that it correctly identifies you for the purpose of administering the COVID-19 vaccination program.
Neither the ministry nor the Public Health Unit(s) in Ontario will further use or disclose your personal information or personal health information except for the purposes set out above.
When you click on the "Get a copy" button you may be asked to wait because a virtual queue is being used to throttle traffic. When you get through you will be asked to provide information from your health card. I have a green OHIP card with a photo so I get this screen:
Assuming the information is correct you will be shown your new certificate, including a QR code (more on this later) as a PDF. At this point, it is on you to print out copies of the two-page certificate and carry them with you. I took it upon myself to crop the certificate to include just my name, birth date & the QR code and print it out small enough that I could put it in a laminating pouch and carry it in my wallet. This enables me to go to my wallet, pull out the laminate and my driving license, and have both ready for presentation. For me, that is the simplest and easiest way. Your mileage may vary since my approach requires being comfortable with basic PDF or graphic editing and having access to a printer. I also put electronic copies on my phone so that I could use that option.
Verifying the certificate
Here is what I observed at brunch (shout out to the Sunset Grill on the Danforth).
Staff person asks for Proof of Vaccine
Customer digs out their phone or paper copy of the certificate
The staff person looks at it (or uses the Ontario Verify App)
Staff person asks for a government-issued ID
Customer digs out their driver's license
The staff person looks at the ID and verifies the name
We can do better
What I observed is NOT a user-friendly experience for either the customer or the business. For the experience to be improved it needs to be a single presentation operation of either a paper or digital certificate that the business can verify in one step. Here's an example that I mocked up some months ago (the picture is from https://thispersondoesnotexist.com/).
This provides the following functionality:
The existing QR code will return the same (i.e. green checkmark in the event of a good code)
The verifier (staff person) can compare the photo on the card with the person in front of them rather than asking for a government ID.
Digital verification may have the option of showing the verifier the picture on the verify app for increased assurance. Note that the Ministry of Health is already authorized to have pictures for the current health card.
Privacy and Security
The advantage of a paper and ID card presentation ritual is that it is difficult to hack. So if we are going to improve the presentation with a single credential as above, privacy and security MUST be protected. This is why a version 1 that is paper/PDF only is not a bad security and privacy choice. On the Verify Ontario app side, both the terms of use and privacy statement are reasonably clear (although the choice to use Google Analytics could be questioned) and make the right commitments.
Recommendations
Provide retailers with a verifier
It's nice that the Ontario Verify app is freely downloadable. I used it to check that the laminated cards that I made from my own certificate were readable. But this puts the burden on the retailer and their staff. When I saw someone come in with their QR code, the waitress had to dig out her personal phone and use that. Not a good solution. Either the provincial government or public health should provide retailers with a low to zero cost option to procure their own tablets for use on entry to the store.
Provide Ontarians with options
For example:
I'm relatively tech-savvy so I'd be happy with a QR code/certificate I could add to a wallet app on my phone for easy display without fumbling around.
ServiceOntario should provide a service to produce laminated wallet cards WITH photos to any Ontarian who shows up at a ServiceOntario site.
On a go-forward basis, ensure that people attending vaccination clinics get printouts of their QR code based certificates WHEN they get vaccinated since the certificate includes the date of vaccination and presumably the QR code won't return a "Green" until the appropriate date.
With all of the above said, I have to say I'm happy that Ontario's first steps for vaccine certificates appear to have respected Ontarians' privacy and look to be built securely. I look forward to the next couple of weeks because I'm sure that security people will be pounding on the service to find flaws. WHEN they find flaws, let's hope that the province is responsive so that we can all benefit.