Mark Child (Research Manager, European Security)
Ralf Helkenberg (Research Manager, European Privacy and Data Security)

“It’s not a matter of if, but when” is a truism most often heard in the cybersecurity field. That maxim will now be bandied around with regards to the launch of digital health passports (also referred to as digital COVID-19 vaccination passports). It appears inevitable that we will see widespread demand for such a system — but it is not so clear that it will be a smooth journey.

The motives for digital health passports are compelling: the pandemic has cost millions of lives worldwide, crippled economies, devastated sectors such as travel and hospitality, forced the delay or cancellation of everything from the Olympics to the Glastonbury Festival, and continues to eat away at the very fabric of society and human interaction.

COVID-19 Vaccines

The first months of 2021 have produced, for many, the first green shoots of hope. The incredible efforts put into vaccine development have yielded the first fruits, the Pfizer-BioNTech, Oxford-AstraZeneca, Moderna and Sputnik V vaccines, among others.

Vaccination programmes are rolling out everywhere from Israel to Iceland. And governments, airlines and companies across almost every sector are desperately looking for the jab in the arm this will give to their economies and their operations.

A coalition of organisations including Microsoft, Oracle and the Mayo Clinic medical research institution are working to create a standardised digital health passport that will verify whether an individual has been vaccinated. Separately, American Airlines has announced the incorporation of negative COVID test records into its VeriFLY passenger app, for all passengers travelling to the US. “Madam, Sir, your flight is now boarding.” What could possibly go wrong?

Would Digital Health Passports Cover Every Vaccine?

Let’s start with standardisation. There are multiple groups introducing or developing their own versions of digital health passports. More will come. Interoperability will therefore be crucial.

What of the vaccines themselves? There are currently nine vaccinations that have been approved by at least one national regulatory authority for public use. These include RNA vaccines, conventional inactivated vaccines, viral vector vaccines and one peptide vaccine. There are a further 69 vaccine candidates currently in clinical research.

Will the future see a complicated patchwork of required or approved vaccines for entry to specific countries? Might travellers be turned back at the departure gate for not having the appropriate digital health document or “the right vaccine” for their intended destination?

Vaccine Doses

Early data also indicates that a single vaccination shot may be insufficient, raising questions and complications around second shots and boosters. Opinion is divided on the ideal time lapse between the first and second shots (assuming that national vaccination infrastructures are robust enough to meet those requirements).

Can I attend that conference in Stockholm between my first and second shots?

Vaccine Rollout

Then there is the speed at which this system is intended to be in place. You only have to look at other rushed implementations (such as in France and the UK) to see how rollouts of massive national or regional systems can be plagued by bugs, security flaws and more — a target for cyberattacks, just as numerous other critical infrastructure has been, from national governments to power grids.

Digital Health Passports and Cybersecurity Risks

If we consider security, we come back to the question of not if, but when the digital health passport system is going to suffer a major cyberattack — and whether it will be able to withstand it. What a target for a ransomware attack — millions of travellers unable to board planes or trains because the vaccine passport checking system has been infected, with sectors such as government, healthcare, education and services brought to a halt because their workforces cannot demonstrate that they have been vaccinated.

The idea of a digital immunity passport or certificate also raises data privacy concerns, not dissimilar to those around contact tracing apps. Concerns over data protection may be overcome, provided explicit consent can be given and that there are appropriate measures to guarantee the privacy and security of the data.

How Could They Affect Employment?

Were passports to be mandatory, governments would need to justify the processing on the basis of public health safety. This then also raises the question as to who gets to decide to what extent we’re allowed to participate in public life. Could workers be forced to divulge their health status to employers, as with Pimlico Plumbers, for example?

For those unable to work from home, this is essentially saying that you would need an immunity passport in order to be employed. In essence, these passports could decide who can and who cannot exercise their fundamental rights.

Issues When Travelling Home or for Work

Finally, it’s worth mentioning that freedom of movement is also a human right. What of the expatriate that wants to travel home and visit family after more than a year — but is not on the priority list to be vaccinated any time in the next six months. Can they be denied entry to their home country on the basis of not having a document that is currently impossible for them to get?

Then there is the question of the travelling workforce. If the majority of business travellers are in the 25–60 age range but are nowhere near the priority groups for vaccination, how is the vaccination passport programme helping to kickstart our economies?

Despite all of these challenges, we expect significant pressure to roll out digital health passports, in some form or another, in the coming months, as the world seeks to get the pandemic under control and return to some semblance of normality. However, just as with the coronavirus itself, this represents an extremely complex and challenging problem. It should be approached with the highest standards of planning and coordination, with extensive consideration to all of the delicate issues discussed above.

 

If you want to learn more about this topic or have any questions, please contact Mark Child or Ralf Helkenberg, or head over to https://uk.idc.com and drop your details in the form on the top right.

Sharing