 My name is Anjan Brouwer. I am a software developer. When my father bought a Commodore 64, I was six, and it was fun. You had those floppy drives and those tapes, but the games were so expensive. So I went to the library, got some books, started typing the basic code, and you learned debugging really quickly because the editors of those books were not that good. So with some pencil, you start editing, and you learn how to debug, and I never stopped coding since. I am a professional developer for 20 years, been working for no protocol for the last six years. You might also know me from Badge Team, QTPass, or Angry Nerds podcast. Hello, good afternoon. I'm Lord Berkeley. Other people know me as Mandel Mowach, which is also not my real name. I do weird things with computers. At the moment, I'm also a crypto and security architect at the Dutch Ministry of Health. I'm a Hack42 board member. It's the best hackerspace in Western Europe. I'm a foyer request fanatic to the Nordic government, and I like to talk about weird interfaces and connections. But not today. Today we're talking about something that you might have heard of. Some people call it corona, some people call it COVID-19, and in February 2020, it arrived in the Netherlands. So how this all started and what our talk is about. Somewhere in March 2020, there was an epitome, and that was very interesting for us as hackers because it was live-streamed. The Dutch government, well, mostly Roem Rosendal, who has a talk together with Breno de Winter at Abacus here tomorrow at 1. They did an epitome to do a corona melder notification app, and there were lots of companies with lots of interesting ideas that all could not physically or lawfully work. So a lot of hackers had a lot of big mouth, started talking about laughing at it, so to say. And then Ron Rosendal did a smart thing and said, if you all know so well, prove it. So he started hiring hackers, for example, Breno de Winter. And Breno started looking around and thinking, who do we need to do this kind of stuff? Well, we need people we can trust, people who build camps like this. I mean, those are people you know, you can trust, you can rely on. So at one point, somewhere in October 2020, just after, I think, the second lockdown or before whatever measurements were there, Breno de Winter called me and he said, hey, Buck, yeah, I have a question for you. Do you have some time left, some spare time? No. Yeah, but it's in for the state and for the world country. And can you do a few hours per week and for a few weeks and said, I could do that. OK, that's fine. I have to work. But no, things need to happen. So it was for GGD Contact. It's a municipal health care organization, and they need better contract tracing app and a web app to do their work correctly. So I worked on that a bit. And meanwhile, vaccines started to appear somewhere in the near future. So November 2020. Working, working. Oh, no, vaccines are here. During a lunch break, there was some chat at the Ministry of Health about registration of them. But yeah, there are solutions for that, right? Well, turns out there weren't solutions for everything. There were solutions for the municipal health care for massive vaccination campaigns, but that's not what the first vaccines are going to. The first vaccines are going to health care professionals, people in old age homes, those kind of people. And they don't get vaccinated by the municipal health care system. They get vaccinated by our doctors. So all of a sudden I get a call from Buck Blue. He patches in Breno in the call and Breno says, do it for the country. We need you just a few weeks. It's a simple web app, but it needs to be secure and safe. You have a proven track record of doing that kind of stuff. We need you. So yeah, I started working. So 15th of December, 2022, it was the third lockdown or the fourth. I really forgot, but we all remember it. At nine, we had the start of the first workday, which was unusual for me because I never get up that early at 10. That was a basic design ready. We never changed it at 11. There were the first commits to the Brani Banani repository because we were plan C. We were not meant to be the vaccination registration portal. No, we had to be a bit undercover. So we took a GitHub organization, 91 Divock LN, which is NL COVID-19 in reverse. And we started in making some interesting repository names there. Later that evening, first review. So what did I do commit first? Well, CI, continuous integration pipelines, linting, testing, static code analysis. And then because we had a design, we knew what had to come in. We knew what had to come out. I started doing it all test driven. And the next day. Yeah, Alnijan needs to go shopping because sometimes you need to eat. So he puts on a face mask, walks 10 meters to his nearest supermarket. And he gets a call from Brenno. Hey, we need a picture for a web shop because we need to hide it, whatever. So Alnijan takes a picture of the new banana web shop. We put it online and there we have the first governmental in the future to be soon web shop for bananas, which is something that's going to happen. Luckily, help arrives because the second day of work, all of a sudden I get a team. I get two developers from the hacker scene, people you might know. And they do their first commits, they make a pull request and everything gets red crosses because of my very tough CI rules. So that was a good start. Next day, my birthday. Yeah, I do a quick remote party with my family because you can't do it in person. So then we come to the 22nd of December and we're searching a hosting provider for when this might be plan A. That's a little bit of work because almost everything is closed. The government is completely closed in December from the 4th of December till the end of December. You cannot request anything because of the budget is being closed. Getting hosting everything signed is very hard. So what we found three providers and we did assessments, which provider would be the correct one and would could help us the best and we found one. So that was good 23rd of December. We also need to store secrets. All the data that we collect has to be encrypted and where do you store secrets in a hardware security module? So they can't be, can only be used and can't be taken out. Yeah, so hardware security modules is you get the real stuff. They need to burn in test. They need some set up time and it was somewhere like Christmas, New Year's, nothing could be done. It takes two weeks and we had a deadline in the first week of January. So it's not going to happen, but we got the solution. We found very smart people working in our team already. Thank you, Breno. He has friends everywhere that know things and we found a solution. It's called Yubiquis. They are basically also a hardware security module there. You can store in secrets. You can generate secrets in them and not to be taken out. And you can hang them on your keychain. Yeah, but also you can put them in a server in the data center and physically put a label over it and have it all in nice procedures. And it's just like a hardware security module. Yubiquis. Pretty nice. Yeah, they're pretty nice. They're cheap, they're cheap, which is not the biggest thing. They're available. You get them next day order, even on 23rd of December. And they're capable and they have standard libraries and software to integrate with all your software. So, as I said, Christmas. Oh, no. Yep, workday 10. From this point, we have been working for 10 days straight. I mean, the weekends are also workdays, right? And 13 hours a day. But yeah, this is a day like no other. We just continue working. We get our first sysadmin on board because, well, it's nice to have software. You also need to run it somewhere. And we found a data center. But now we need to provision the servers. Luckily, we get a sysadmin and also we get a DBA because what is the best way to store non? Post SQL is just the best. No SQL database for you. No SQL, that's what I was looking for. Thanks. Luckily, the DBA team came redundantly supplied because they're two brothers and they work very nicely together. 26th of December. There was an interesting peak in the number of COVID infections in the Netherlands, and we finally have a good schema of how this stuff should be run. Yeah, it still works this way. So then we skip some workdays because we're working hard. 31st of December. We have been working for two weeks now, nonstop. So we were ordered to stop working at six in the evening and at least not talk to your colleagues anymore. Reintroduce yourself to your friends, family and all the people living under your attic in your house. There were no fireworks because it was forbidden. So yeah, at 12 o'clock, we had fireworks. Do some sleeping. Oh, no, fireworks. Yeah, so do some sleeping. Then on the other side, at the first of January. Yeah, we would not do a stand-up at 10 because all this early stuff, let's just do weekends and holidays. We started one. That's probably a better idea. Also, we got the first machines provisioned by the new sysadmin. And we had to change the application name because someone decided that Brani-Banani is not something they want to present to parliament as a solution for registering COVID vaccinations. So the name was changed to BRBA. It stands for Beveiligte. Totally not stands for Brani-Banani. No, no. It stands for Beveiligte registraties van bijzondere assets or short as we shorten it for Brenno and Barbara. We told them afterwards. Oh, it's not the secret. Then we had a long weekend so you can just keep working. You have no distraction from other people. All management is not all management, but all the government is on holiday and on weekends. So it's double better plus good. And we start continuing. But yeah, now I also get some normal developers. I mean, the ones you can double click order from agencies. And I've never managed the team before. So I call my good friend Ransbak. You might have seen him last time we were here doing a talk together with me about privacy and penises. I gave him a call and luckily we were just bouncing of some ideas, got the whole idea to do simplified scrum just every day, early meeting. Well, 10 is early for me. And ask three questions. What have you done yesterday? What are you doing today? What do you need from anybody else in the team or outside of the team? That worked and we also got our data models from the National Institute for Public Health and the environment to do some data exchange because well, registering COVID vaccinations is interesting but we need some science to be done and they are the ones doing the science. Yeah, so we tried to exchange the data and we found out that exchange should be exchange to secure exchange so we can exchange the data in a secure way to exchange it. Yeah, FTP and CSV files is not something we would do. It's the industry standard, we set another standard but we also got the data models and data models are nice, especially within government they make large, big data models. You feel so dirty after reading them that you need to go to shower. So we got a lot of shower, a lot of showers. January 5th, application is ready, which is a good thing because it's gonna have to be live the next day. We do some last testing in our future production environment because everybody knows you do development, testing, acceptance, production, but in practice, nobody does that. Everybody does it in Dutch, the opta-way or in English, DPTA, acceptance always comes last. Just look at the stages of grief and if you want to know more about doing stuff in production, there's an interesting batch talk this Tuesday at 13.40 on this stage. So, but 5th of January, we needed to have credentials handed out to a lot of people working in hospitals and people's homes and all those things. More in Brenno's talk, but we needed some help to distribute it, not normal companies, it was an obtainium, they had no people, they had no time. So we called the military, seems to have some friends there, which was not the correct way to do it, but it worked out very well in the end, nobody got fired over this. January 6th, this was early for me, seven in the morning, you log into the server, four eyes because everything has to be done with at least four eyes on there. You delete all the registration data from the production database, you drink a couple of beers and you go to sleep. So, next day, yes. Finally, first vaccination, it was a nursing home worker and she got registered through BRBA. Good, meanwhile, there were some other projects because we're working hard on this, but also there were some other projects as ministry. They were working on QR codes, this one you can actually scan in, it will show you, it's a demo code. We decided together that you can have more privacy with less data, which is not a revelation for us, but for some people in the government, it's very new. In Europe, like this QR code, this contains a lot of data, it contains first name, last name, date of birth, where your vaccination was, all those details. In the Netherlands, we decided, we don't need that much information, but we'll come back to that for you. And we started small in the application, but it got extended with the European connection and now you can travel the world around with it. We also started to have it printable by medical personnel because that will work for everybody. You don't, yeah, you need somebody, a medical staff when they vaccinate you in that hall or test, but we also got, you can request it by snail mail if you don't have anything digitally. You can go to the website and print it or you can use the app. And yeah, those European codes, they contain all that data, but do you need that? Do you need for your cinema, for your pub, for your restaurant, do you need to know someone's full name, date of birth, where they were vaccinated, what they were given? No, of course not. All you need is to be able to check their identity. So we got initials, first letter of first name, first letter of last name, if applicable, and the date of birth without a year. That was all that is in the Dutch domestic QR codes. The app was way more fancy because it made you untrackable between two QR codes which switched every minute. It's very fancy crypto based on Habi by the Irma team if you want to know more about it than tomorrow at nine here. But meanwhile, we just had about truncating data again. Our first data delivery, a lot of people have been vaccinated, a lot of people have been registered, we need to get that data to the National Institute for Public Health and the environment. And we did get it to be sent encrypted this time, public key encryption. And we do an export and because of the very slow HSMs, we use the UB keys, it took us two hours. Well, you do that in a screen because for eyes, two people looking at the screen over Jitsie and we do the export, it runs for two hours and the CIS admin says, well, my screen is stuck. I said, well, mine isn't. So I type poi, space, exclamation mark, exclamation mark. So the next line was command dot found and the output in file dot ang was empty. Because the other guy was pressing enter a lot. Yes. So we run again, another two hours, we copy that stuff over to the National Institute for Health and Environment and the other people in the Jitsie shout date, date, date. I type date and ta-da, we had 10 minutes to spare. Then I walk out in the snow to take a very relaxing walk and I got a nice t-shirt in the mail a week later. So, but back to the serious business, the QR codes. It should be work for everybody because if you are making something mandated by law, then it should work for everybody. What we did was make a basic solution that works for everybody. Healthcare workers just type in everything and press print. But we don't hate healthcare workers. So we did optimizations. It's the AD20 rule. If you can optimize it for 80%, then you have only 20% of work left and then you do it again and then you have 20% of 20% left and you do that a few steps, like four or five and then healthcare workers don't start to hate you. It's very nice. Yeah, and also we try to do credentials for all the images, but sometimes it's very hard to find meme sources. So if you know we'll wait, please tell us, we'll fix it. But yeah, there are exceptions to everybody, every rule. You can make as nice system as you want, but not everybody gets vaccinated by the municipal healthcare or gets QR codes via DGD because it's registered somewhere. Some people don't even have a... Have a way to authenticate to the government via DGID or didn't get vaccinated in Europe? Because they travel abroad by plane or by ship and they get vaccinated in a Walmart in America and then yes, how do you get in Dutch QR code? There are solutions made for that. It's a lot of hard work, but the idea was leave no one behind. But also we try to have a bit of data hygiene because else you get data doh off. Incomplete data really hurts people if you need two vaccinations and only one is popping up. The other one is gone and now somebody says, yeah, but you can print it, but it's not complete. But I need to take an airplane to my family in somewhere for my parents who are on their deathbed. Yeah, no, you can't fly because your data is not registered correctly. Well, yeah, business rules are important. You should define them well. So what does this data mean? What does the data represent? Delete all the data you don't use always because if it leaks, if it's not there, it cannot leak. You cannot abuse it. You cannot use it for things that is not supposed to be used for. We're hackers, we misuse everything what's not supposed to be used for. Don't do that with people's personal data and especially not with sensitive data like medical data. And when you do something with data, always refresh at the source. There's something with caching who come to that. And you should have exception routes because and have them ready day one because you can't have true equity if all marginalized people who already have to do run through hoops have to do it again and again and again. But also you have to prevent those exemption routes that we've built to become the rule. It would be very stupid if you have someone go through loops, go to their care professional, get a printed QR code and have to redo that every three months. So we worked hard on getting that stuff done. Also for attributions, you know, newspapers say source YouTube, so we say source newspaper. All that hard work comes to a point of going live again. The European QR code system gets live and our minister of health wants to meet the people that build it. Normally in the Dutch government, all those kind of conversations go through Cisco Webex, which is a terrible chat application. And we said, yeah, that's fun, but no. Just come to our place, come to meet hack 42 Yitzie. And he did. And the first thing he does is send this Twitter image. So yeah, that's easy to get it cleared because it's already public. And the second thing we do is ask him, are you wearing a seatbelt? And yes, he showed he was wearing a seatbelt. So that's of course. And the informal tone was set. Yes. So then you have had, will have lots of discussions about political, about 2G, 3G, 4G, 2G plus, 2G minus, 3G plus, 3G minus, 1.5G, 2.5G. Really, they invented a whole lot number of Gs for this. It's a lot of political discussion and you never know what the outcome is. And for people who don't know anything about the Gs, it stands for geinft, it was all German, but in Dutch, gevaccineerd, get test of genezend. Yeah. And they made different combinations of that and gave it different numbers and nobody knows what it means. So, but we had to prepare for all the options because then the politics might say that next week we should have these rules and it should be enforceable and how we do it. We were doing news driven development in some places because the information was faster through news outlets like new.nl than through the official lanes of communication. Yes. So make it configurable, sign your configurations and have it work that way. Yeah. So then we come to the two hardest problems with computer, naming things, cash validation, especially for maybe off by one errors. So, off by one errors, birth date. A birthday is not a date. It can be a birth year. It can be a birth year and a birth month so you don't have a birth day. Don't store it in a date column. See, everybody does it everywhere and it's giving us real lot of hassles to do this. Some points in the government they do this correctly and that's where it starts to get incompatible. And also, not everybody has a legal birth date. We didn't know that. So, the second thing is naming things. We name a lot of things, this is called the stage. All the things are humans, we name them. Not everybody has a first name, not everybody has a last name, not everybody even has a name or a legal name. And for character sets, my dear friends every government place that use it, Latin one is not an option, use UTF-8. And for one special department, tailor text encoding should not be used anymore since the 90s. Cache invalidation. Yes, so how do you delete data you don't know about? Because, as I already said, don't cache, start as source if possible. But if somebody prints out a QR code or has a yellow booklet and you want to invalidate the information in there, is that even possible? We know that it's not impossible until you start attaching claimors to yellow booklets, which was declined by request. So, it's impossible at some points. So, always assume that once data is out there, it's like oil, it will stay there. But we'll get back to this. Yes, good thing we have all those exception routes because estimates are always low. How many people do you think will need to be registered via those systems? Wow, 10,000, 50,000? Well, it was more like a million. Q started showing up at Schiphol Airport because people couldn't fetch their test data in the app. People didn't even know they needed to be tested and all the test facilities couldn't get their data out soon enough. We had people whose name in the passport was different than in the government database, which is weird because they should have been made from that database. Yeah, things happen. But this is a manual labor intensive process. So, if you want to scale it up, you need more people and as we know all that shortage of workers, it starts to get more expensive. So, try to avoid it. Try to avoid big data. When I was waking up that morning, I read that there were queues at Schiphol. I do a stand-up. Where is our sysadmin? Well, he's at Schiphol. What is he doing? He's buying new inkjet for the inkjet printers. Why were they inkjet printers? Or was it Breno that bought the inkjet printers? It was Breno. He was setting up the network because public Wi-Fi was a bit flaky. Anyway, big data. Yeah, big data. We try to avoid it. We try to have decentralized storage because sources are decentralized and we want to have as source much as possible. We use strong authentication. The client controls the data, so you get to first see what data is fetched from you. You can review it before you even start to use your data and we use as little as data as possible. We try to talk to the European Union about it that sadly failed in some parts. So, ethics and social impact. In the Netherlands, we have a democracy. Well, a constitutional democracy. We have a parliament, they make rules and then we try to implement those laws with as most freedoms as possible. And that is really hard, apparently, for government workers because normally they just look at laws and go by, oh yeah, we could interpret this very strict. Try not to. Also, the COVID virus is hard to battle. I mean, we are missing a lot of people at this event because they got tested positively and now had to go home. Also, outcome isn't sure. We don't know how this thing goes, how long it will continue. So, we have to implement fail-saves for a lot of that stuff and all the temporary restrictions, we have to make sure, in code, that everything that is temporary stays temporary. Yeah, because normally, as we hackers know, nothing is as temporary or as permanent as a temporary fix. Yeah. The cable you duct taped to the wall 10 years ago still hangs there, it works perfectly. You never gonna fix that. That's not an option if you do things like this. Also, when battling the coronavirus, yes, you have your expectations, that vaccines work. We found out that they don't work just a second after you got them. Dancer with Janssen was not a very good experiment. But you don't know if it worked and vaccinations people couldn't get infected it would be very fine and then some of the solutions would have worked better. So, you don't know, but if you wouldn't have built it, you couldn't even use it then. So, then we come to the privacy and the security part of it. We have privacy, we have security, both are very difficult to do correctly. And a lot of people have this false idea that there is a balance of privacy and security. No, there is not. That is utter bullshit. You can't have privacy without security. You can't have security without privacy. So, you make sure it's encrypted everywhere. If your database is encrypted and you had database administrators cannot see the data. When they falsely might see some data, they see encrypted blobs and that's it. And that's protecting them, but it's also protecting the data. So, privacy and security come from both ends. So, we try to implement technical security first. That means that like encryption of data and then procedural security like database administrators are not allowed to view the data. That's the second one. And we implemented them both of course in every occasion because that's the best thing you can do. Security is like an onion layers. Oh, yes, finally I got my vaccination. Oh, and I can load it into the app. That's awesome. Next. Yes. In the future, because what are you still doing there? No, we're helping out. We found out that there are some big, yeah. Outdaring? Challenges. There are some very, yeah, challenges. This was a challenge. Thank you. There are some big challenges within the government to replace smart cards with authentication methods. We need to open source all the things. And thanks to the question, everything we open source is European public license. But we have more to do because at one point our government decided that we don't use QR codes in the Netherlands anymore. So the whole privacy preserving night thing, yeah, it's gone. It's still open source. It's still in the source. You can still build it, but it's gone. It's not used anymore. You're not allowed to use it anymore. But what about those printed QR codes then? Yeah, they still exist. And you can rebuild the source and then check them. Because the public key is available so I can see, oh, yeah, they were signed by the Dutch government. Yes, yes, yes. So we found a solution. It's a wall talk to explain why this perfectly makes sense. But the idea is that it might be a very good idea to publish the private key. Because once you have published the private key, you can do everything with it. You can check the integrity. Was it a real good private key? As you promised always. But also you can make any QR code in anything in the past or the future with this key. As this key is no longer in the trusted list, it's not. It's nothing anymore. So tomorrow night, I have a talk. Sorry, tonight in Clairvoyance, I have a talk at 10. I'm not going too deep in this, but if you have questions about it, please ask me after my talk. Well, I have a question. Why is that key not in an HSM? Oh, yeah, we did fancy trip though. And the HSMs don't support those. Yes. So that's why you need to go to the Gaby talk. So we have some time left, I think, for the questions. Sir Harold, yes. And if you don't know a question, you cannot come up with a question. We provided you with an array of example questions. And I think that's very, very kind for the audience. But I'm also curious if there are other questions than these or people have questions which are related to this list. Perhaps first I'll also check if they're from the signal. Any questions, not yet? Who wants to start with the first question? Tom, running for the microphone. Of course. What was the most complicated thing that you had to do? What's the most complicated challenge that you gave? Because you now had a story of all the challenges, or at least the bigger ones. But what was the hardest one to solve? Government. Try to talk with normal civil government workers who have been there for years and do everything in procedures that have been existed since the Stone Ages. Yeah, I kind of agree, yeah. So the whole 2G discussion then went going on. A lot of people would say, well, 2G excludes people from society because they would have to be vaccinated to get in somewhere. Did you have any discussions within the team? Yes, yes, yes, not only with the team because this was a real discussion point with us. And we did have a discussion with the minister, Hugo de Jonge, about this. Because he knew we as a team were very vocal about it and we had our opinions. And we had also a discussion with the minister. It was an open discussion which was not recorded and there are no notes from. But so we could really say what was on our mind. Yeah, we could tell our points of view why we thought 2G was a very stupid idea and we got answers why the government wants or at least the thought about it. Yeah, why they did want it. And it came down to lowering the number of cases in hospital because vaccinated people get less seriously ill. So it wouldn't stop the number of infections, it would just lower the pressure on caretakers. You're welcome. Some more questions. So you had a slide about government models and I gather you don't like them, but could you maybe elaborate on that or is that much of a trend? No, no, no, I can explain this. It's because they make data models and they make data models all the life and some people have the job of making data models. So their only job is make more data model in the data model. So you get pages and pages of very old made to be printed on matrix printers, data models that are extended with different images to be printed on needle printers and really that's what's existing right now. If we print some of the data models of the RRVM, what is it? The public health and environment database they use for COVID tracking, if we would print it in readable print it would take this entire screen for that data model of interconnected lines with all kinds of weird combinations of older data types. So they put every exception in the new version of the data model and then. And every time it was, have you seen this bit in quadrant A35 and I'm looking at, ah, fuck, I have to take another shower because. So. Does this answer your question? Okay. So how many systems did you guys have to develop to get all this working and are you still developing new ones? No, we're not really developing new ones. We started with. We're combining older ones together because some of it, because of the speed of development had a lot of shared code and why not just combine them into a shared code base for maintainability? So we started with Hari number three and we got to 12 and then we started with Ingen number three and we went to 10 and then we have some other systems so you can calculate like. I think it's 35-ish different GitHub repos. Yeah, something. Unfortunately, not 42, no, but there are other teams working. Are you even allowed to give this talk? Because, because, because, because very easy, you need to know how the government works. We were told upfront that you need permission. So we know that, yeah, without permission giving this talk is frowned upon and we could get some warning that was the worst that could happen, but okay. So what we did, we asked somebody who was allowed to give some clearance and he asked advice at some other person. The other person said, yeah, my advice is to do it. And he said, yes, and as this government, they didn't read the documents because they didn't have the documents. That's how it works. I believe in the beginning, there was also talk about the tech services being the hosting party. That was for Corona Melda. That was before we started. And yes, the Dutch tech services do a lot of IT. And so they have hosting and they might have something available that didn't go very well due to some things in parliament in the press. It was not the people there. It was more, it was politically not doable. And then the team then found the solution. So, so fixable. The tax office does work for us. As we said, there's a way to get printed documents sent via snail mail. We wanted to get the CEBG to print them because they're the most famous for getting envelopes on Dutch people's doorsteps, like all the traffic tickets and stuff. They didn't want to, couldn't, whatever. Who's the second best at printing and getting it on your doorstep? The Belasting Deans. So the tax office is our postal service. Okay, thank you. You're welcome. And I really, really want to know the answer to the last question. Oh, that's very easy. I can explain this in detail. What is magic? Yes, at once we had the minister of justice, Mr. Hopperhaus. And he said, those people at RDO, they're magicians. And then our reply was, it's only magic if you don't know what you're doing. It's very good question. Yes, hello. Corona check is currently shutting down or at the end of development. And I was wondering that published private key. What if Corona check ends up being necessary in some form or shape? Then you just... Then what happens? Then you just generate new private key, put a public key of that private key in the trusted list in the app. And you can continue working. Only everybody needs new documents to prove against what the rules are. Yeah, new codes and stuff. Yeah, the printed codes are expiring anyway in the near future because of the date restrictions that were on there. So everybody would already have to print a new paper, then do it with a new key if it needed to be used again. Thanks. You're welcome. Some more questions. We have example questions left. Please, please. Does? Does the pub exist yet? Yes, yes, it does exist. And it is running in trial now. Well, we were talking about exception routes. Some people in the Netherlands don't have a social security number. For example, Ukrainian refugees. If they come here and they are not vaccinated, they are asked, would you like to be vaccinated? And then they get vaccinated by the municipal healthcare organization of the municipality of wherever their asylum seeker home is. And how do they get their data? Well, they can now with their patient ID and their date of birth and the second factor is either SMS or email. And pub is not a flaw, but it's a product of the FLA team. FLA is not a pub. Fairly clear. Yes, next question. So I wonder why the European cure codes are bigger than the Netherlands cure codes even though they're still... Because that's not true. The Dutch cure codes are sometimes bigger, but the Europeans contain a lot more data. So that was my question actually, why the Netherlands is bigger in size, but has less data. Because of the encryption that's being used to provide you more privacy. So yeah, go to the Gaby talk if you want to know all about how they use it. Yeah, that's two more, no, Sunday at 9, I think. So more questions. Can you repeat the question? Yeah, what's with all the cats? Yes, what's with all the cats? Now, it's very simple. We have Breno on our team and Breno really likes cats. As we said at the start, the first application I started working on was called Brani Banani and that wasn't for a big loaf of bananas or anything, but one of Breno's cats is called Brani and the nickname is Banani. So Brani and Banani became the first two parts of the stack and then later his other cat, which is a really whiny, whiny cat called Zyko. Oh no, Keiko. So we got Keiko and Zyko in there as modules and we just started naming everything cat names. So if we had a new module, we'd just ask in the team, does anybody have a cat name for us? Oh yeah, we have Casper. Oh yeah, we have Mittens. The good thing is I have a cat that's called Monster. So that's with all the cat names. Question here from the back. Is it a good idea to block the recall certificates using GVCI specifically? Is it a good idea? Yes and no, it's very hard to identify which certificates you need to recall and it's only possible with the European certificates because they have an identifier in it. The Dutch ones are privacy preserving, as said. And there are ways to block the UCIs and there's now a scheme in Europe to do that. And currently the only ones I know that are blocked are the very obvious fake ones. We had the Adolf Hitler QR code in the media, Mickey Mouse, but also ones that are found in some stings with massive collections of fake documents. Yeah and also the QR code from Emmanuel Macron is blocked in the Netherlands because it protects. Is it a smart way of blocking? I don't know. There are not so many ways you can do this because privacy also makes risk, but can you take somebody's passport when it's stolen, if you don't know who stole it? It's hard. Does that answer the question? More left. Well you can find us afterwards for more details if you want. More questions? Otherwise I do have one because you have this really nice list and you know all the answers because you prepared them. Are there any questions where you would not know the answer to or would not be allowed to answer? There are two questions I'm not allowed to answer, but they're very private. All the rest is, no, let's make this very clear. We work at the government. The government is open. There are laws about it. There are laws about reusable documents, codes, all the things. There are laws about being open. We know that we work there. We know and you get used to it that your email that you're sending there can be published in some point in time if somebody requests it. We're very open. So if you say is there some secrets? Yeah, the password. But I don't have access to the computers so it would be my login password. The only NDA I have signed is for medical data that I see, so. Nope. All right, anyone for the final question? I mean, yeah. Yeah, final question. The question is monkeypox. Well, monkeypox, the question is, oh, sorry. Does this also can be used for other diseases? Well, yes. We already have monkeypox check, monkeypox, melder and everything linking to the current corona infrastructure. And we've made it very configurable. So, yeah, it's virus agnostic, so to say. So, and since it's open source, yeah, it's very easy to fork and make a monkeypox variant. Yes, we anticipate it on reusability. Yes. I'm not gonna repeat what said he was here in France because... So if people really want to know, perhaps they should check on you because indeed that's end this talk with a very big applause for the speakers. Wonderful. Thank you very much. Very well deserved applause. Thank you. Thank you.