Should digital health passports be denied entry?

Will digital vaccination certificates transport us back to reality? Or given the privacy risks should they pack their bags and go home?

The UK began mass vaccination this month and for many the country-wide effort offers a route out of lockdown woe.

Currently, those who have been inoculated must abide by the prevailing restrictions – but what if they could prove somehow immunity, be granted exemption from wider regulations and return to life as normal?

This is the promise of the digital vaccination certificate, or health passport. For proponents the digitalisation of vaccination data is a necessary component of the global Covid-19 exit strategy. But critics have raised concerns over potential data privacy, health and discrimination implications.

Digital authentication

Digital authentication is nothing new. Digital passports, also known as biometric passports, electronic passports or ePassports have been around for over a decade and you’d be hard-pressed to find a country that doesn’t rely on them to authenticate visitors crossing their borders.

In a nutshell, a chip containing biometric information (typically a facial scan encoded as JPG) that authenticates the holder is inserted into a traditional passport. The passport’s key information is also printed on the chip in addition to being printed as normal. 

While digital passports use biometric data to prevent identification fraud, Covid-19 passports or “health passports” take the concept one step further. 

Instead of a passport with facial or fingerprint data, a health pass is a certificate in digital form that verifies the owner has low chances of spreading the disease. Solutions devised invariably use a smartphone as the vector for authentication.

If you’ve been vaccinated, the certification would prove immunity, thus granting a privilege – access to a country or gathering (such as this year’s planned Tokyo Olympics) or exemption from quarantine.

Different strains

Over the last few months international organisations, countries and private firms have been trialling different forms of Covid-19 health passports.

Estonia, recognised as a leader in digital verification, is piloting a digital vaccine certificate or “smart yellow card”, with the World Health Organisation. 

China operates a traffic light system based on travel and medical data stored in a user’s app, while India is adopting a QR-code based system.

As with the contact-tracing app, private firms are putting their names forward too.

On 12 January, the Telegraph reported that Mvine, a cybersecurity company, and iProov, a biometrics company, would trial a digital vaccine passport with two local UK health authorities through March.

And last week tech giants Microsoft, Salesforce and Oracle joined the Vaccination Credential Initiative, a cohort of technology organisations collaborating to develop a digital vaccination passport.

Certified controversy

Countries first suggested Covid-19 related digital documentation during the first lockdown. 

But with vaccination rollouts placing the pandemic’s end within tantalising reach, debates surrounding the possible use of digital health passports have reignited. 

Arguments against them usually fall into three categories.

Is it necessary to digitalise this data?

There’s no point doing digital transformation for digital transformation’s sake, and firms often fall foul of being attracted to a digital solution simply because it’s digital rather than because it provides real benefits. 

The digitalisation of health is no different. While cloud-based eConsultations proved invaluable during lockdown, critics of digital vaccination passports argue paper alternatives are up to the job.

When we’re dealing with highly sensitive data – why not stick with good old fashioned pen and paper? 

After all, WHO already issues an official vaccination record – the ‘Carte Jaune’ or Yellow Card – a medical passport recognised internationally and already required for entry to certain countries.

But like ePassports, the principal motivations for digital vaccine certificates is to prevent fraud and speed up exit and entry at borders or other public venues. 

Simply put, vaccine certifications would confer huge benefits that some at the back of the vaccine queue would not be prepared to wait for. 

Given huge incentives to forge Covid-19 health passes and that falsifying paper documents is easier to do, only a secure digital system can ensure the spread of Covid-19 is actually contained.

Digital certificates also combine with physical security to speed up exit and entry, thereby reducing human traffic that presents a health risk.

Is authentication watertight?

Critics say digital health cards would still not be completely tamper-proof, allowing some to create and deploy fakes that send society back to square one. 

Similar fears were raised about digital passports when they were conceived, worries which never really transpired. 

Public Key Infrastructure (PKI) is used to authenticate ePassport data stored electronically in the passport chip. 

PKI is highly secure and difficult to forge when auxiliary security mechanisms, including Basic Access control (BAC), Passive/Active Authentication, are correctly implemented

If anything, our years of experience developing and refining biometric authentication through ePassports will enable digital vaccination certificates to take authentication to the next level. 

Technology and identification standards have become more sophisticated since 2006, with some digital verification companies, like Britain’s Onfido deploying artificial intelligence (AI) to prevent identification fraud.

How can I trust my healthcare data will be protected?

A central component of digital verification is trust. If users don’t trust that sensitive health data such as vaccination results will be protected, adoption will be low. 

Think about an independent petrol station in days gone by that was rumoured to have a tampered card reader that stole sensitive information – would you go there or drive a few extra miles to your nearest Shell? 

This is where we depart from ePassport comparisons as we’re not just talking about international borders as checkpoints. It’s likely every bar and restaurant will have to, and even want to, adopt a technology that can verify immunity and allow them to reopen their doors.

Struggling venues might be tempted by firms that provide cheap scanners, where margin is made on the selling of healthcare data to data brokers, a practice some refer to as data exploitation..

Think tanks and policymakers warn no one should ever feel pressured to sacrifice data privacy in order to return to life as normal. But the burning desire to recuperate liberty and the economy is challenging the sanctity of privacy like nothing else before it.

Any digital verification solution must protect the minimum amount of necessary sensitive data at every step of the verification chain. In other words, keep people’s private data private. 

Winning solutions will likely anonymise data and store it on user devices rather than the cloud, but anonymisation may not be enough.

The Vaccination Credential Initiative, backed by Microsoft, Salesforce and Oracle, for instance, plans technology that encrypts a digital copy of immunisation credentials, one that is then stored in digital wallets like Google or Apple Pay.

All signs suggest digital health passports are a matter of when, not if, so these and other ethical implications must be explored in depth (the UK’s Ada Lovelace Institute is calling for experts to consider all of the ethical implications to keep Britain’s potential rollout in check). 

But in whatever form they materialise privacy must remain at the forefront so the digital transformation of health data begins on secure foundations.