GovTech has led developers into the wilderness with the HealthCerts project.

Previously I provided an update on HealthCerts. Now comes the final chapter.

After months of me requesting a data schema and a clarification of whether vendors like NextID could produce verifiable digital proof of vaccination for travellers, I finally got answers this week. First, I received a copy of the schema. And then a Ministry of Health officer in the vaccination operations group communicated to me by email: “At present, unlike testing, vaccinations are done centrally by the government. We have solutions as to how individuals who receive vaccinations in Singapore are able to access their digital vaccination certificate. We will update if and when there are developments on any decentralisation. But its not likely to be any time soon.” So, MOH has decided not to work with the vendors that have invested time and effort in getting prepared for this national initiative.

When asked whether I could share this information publicly, Steven Koh, Director of Government Digital Services at GovTech said: “that’s btw u and MOH, i can’t comment on that.” Clearly the wording from the MOH officer is that of a general policy, not something that applies to NextID only. The fact that Steven demurred shows vividly that GovTech doesn’t really care about the developer community that invested in and supports the OpenCerts (now OpenAttestation) project.

GovTech has consistently failed to provide a roadmap for HealthCerts developers, has no dedicated communications channel for policy and tech updates, has been slow in implementing a portal for vendors who successfully deployed certificate issuance solutions for HealthCerts, and so on. Their introduction of a notarisation process has not only delayed implementation of HealthCerts, it has caused confusion among vendors and the public.

Notarisation has undermined the whole notion of HealthCerts as verifiable credentials — since 10 March, the only certificates which are valid for travel are those issued by Singapore’s Ministry of Health. So I have sincere doubts as to whether, as claimed in the press, HealthCerts will be able to integrate with internationally used systems like Travel Pass and Common Pass. If the rest of the world followed Singapore’s example, only attestations by governments would be trusted. But this is not how Travel Pass and Common Pass work.

Why is this happening? It’s because the OpenAttestation team led by Steven sees the world through government eyes, and they will always prefer centralisation. They pay lip service to openness and decentralisation but it’s not in their DNA. Steven calls it getting the job done, saying: “We are more pragmatic than dogmatic of ideology”.

I don’t have anything against national identity systems, even India’s Aadhaar which captures 10 finger prints and 2 retinal scans. It is important that a government can deliver benefits to those who are entitled to them and prevent graft from facilitators and middle-men. But government issued id and decentralised opt-in identity are distinctly different. Vendors of verifiable credentials need to be wary not to try fitting a square peg into a round hole.

OpenCerts was a good start, but it’s time to move past it. There needs to be a strong independent system of certificate verification. Verification of issuers should not depend on government-maintained whitelists. And finally, credentials should not be shareable by a recipient until and unless they explicitly accept the content as being true and accurate.

NextID is looking for partners who will build this better system. Drop me a note if you have suggestions or want to participate.

By Bill Claxton [williamc at nextid dot com]
Illustration from The Pied Piper of Hamelin is in
the public domain.