2021 Jun 18;2021(6):5–7. doi: 10.1016/S0969-4765(21)00070-9

The world wants to reopen: will vaccine passes be the key?

Stephen Davidson
PMCID: PMC8216641

Abstract

Covid-19 has halted many things we once thought of as normal. At the beginning of the pandemic, countries quickly closed down their borders in an attempt to staunch the free flow of infections. Given the limited information about the virus at the time, these restrictions were a natural response; after all, health authorities could often trace initial infections in a country back to a handful of international travellers.


[Figure: Stephen Davidson]

As the pandemic raged on, borders opened up here and there but international travel remained severely restricted. As a result, the travel and hospitality industries have suffered significantly, as have countries that rely on seasonal tourism to prop up their economies. In 2019, tourism accounted for around 12% of Spain’s economy; by 2020, it was only 4% – two-thirds smaller.

The pandemic is now turning a corner and vaccination programmes are advancing in most countries. Normality might still be a long way off, but by suppressing the spread of SARS-CoV-2, mass immunisation is a critical step in the journey back to ordinary life. But while the world wants to reopen, it needs a way to do that safely, without triggering new waves of variant infections.

Vaccine passes, secured by biometrics, have the potential to unlock international travel once again. Many people and organisations are counting on just that, not least airlines, travel agents, the hospitality industry and weary global citizens, hoping perhaps for their first holiday in two years. But as these vaccine or health pass schemes begin in earnest, fuelled by huge demand from the public and the global economy, there are many questions still to answer. The route back to normality is not yet clear – and the development choices that are made now will be critical.

Need for digital ‘Carte Jaune’

It is important to remember that vaccine passes are not new: the status quo is the World Health Organisation’s (WHO) ‘Carte Jaune’, or Yellow Card, which has been used since the 1930s. Standardised internationally, the Yellow Card is a booklet that your doctor can sign whenever you have a vaccination. It’s simple, contains just the required information and is under the control of the individual to show to relevant authorities, such as border officers.

Many commentators therefore believe that the best course of action now is to find a way to update the Carte Jaune with modern biometric protections against counterfeiting. This is not a passport aimed at restrictions; it is a Covid-era portable and limited medical record. The development of such updated vaccine passes is well underway, with the same creativity that was seen in the initial pandemic response, leading to a process where regional and international norms will become established for these passes.

Individual countries and political blocs are going through their own processes [1]. Israel, for example, which vaccinated its admittedly small population at breakneck speed, already has a ‘Green Pass’ system in place for domestic activities and has proposed using the same pass to open international travel to certain countries. The African Union Commission is also developing a scheme so that citizens can verify their status to authorities. The Commission intends to extend this to vaccinations, though there is some scepticism. John Nkengasong, head of the Africa Centres for Disease Control and Prevention, told the press [2] in April that: “Our position is very simple. That any imposition of a vaccination passport will create huge inequities and will further exacerbate them.”

The US Government, meanwhile, has stated that it will not create a central immunisation record system and is instead leaving it to individual states and the private sector to create their own. On 6 April, White House press secretary Jen Psaki said [3]: “Our interest is very simple from the federal government, which is that Americans’ privacy and rights should be protected, and so that these systems are not used against people unfairly.”

State governments in Texas, Florida, Arizona and Utah [4] have banned vaccine passes on the basis that they would violate the privacy and freedom of individual citizens. Meanwhile, New York State has partnered with IBM to provide blockchain-based vaccine passes that allow people to attend large events. Even communities as small as Bermuda are rolling out vaccine passes in an attempt to restore tourism and social life on the island [5]. The UK Government also began using vaccine passports from 17 May, despite some privacy groups and lawmakers saying that this “divisive and discriminatory” scheme would violate privacy and create a two-tiered society [6].

[Figure: Vaccine passes, secured by biometrics, have the potential to unlock international travel once again.]

However, it seems the European Union is offering one of the most promising options globally. After several months of debate about the viability of such a scheme, the European Commission presented its proposals in mid-March, with the intention of unlocking freedom of movement across Europe [7]. It would allow European citizens to once again travel freely across the continent, carrying a QR code certificate that asserts their Covid-19 status. These passes, dubbed the ‘EU Covid-19 Certificate’, would include a minimum amount of information to securely verify the holder’s vaccination details, test result or recovery status.

This EU certificate might be the most promising proposal so far, partly because it aims to do something that many current schemes do not: to unlock cross-border travel. In doing so, it could set international standards for such passes. As a supra-national bloc, one of the main political foundations of the EU is freedom of movement across its member countries’ borders. This had to be suspended in many ways during the pandemic, but at time of writing the EU Covid-19 Certificate is set to restore that foundational political tenet. As such, it faces certain requirements that other schemes do not.

Things to avoid

When considering new vaccine passport schemes, many developers have the initial thought of making the identities and data contained within them as secure as possible. That’s an entirely understandable aim. Medical records are among the most sensitive information an individual will possess – so the inclination to put them behind a steel-plated electronic identity might seem natural. But in this case, it can be counter-productive.

eID is an area of brilliant innovation and sometimes of bewildering complexity. Some parties may be inclined to create new regimes which provide secure identities, but can’t be rolled out as far and wide as they need to be. These will hamper progress and add more cumbersome characteristics to a process that needs to be streamlined. Others may look to promising new technologies such as blockchain and verified credentials, with examples including South Korea and New York State in the US. However, some feel that these solutions may cause interoperability issues and could be exclusionary in places with modest technological means.

[Figure: Believing that Americans' privacy should be protected, the US Government has decided not to create a central immunisation record system.]

Others feel that blockchain technologies could be a bad fit for vaccine passes. Speaking to the press, Matthew Green – a well-known authority on cryptography at Johns Hopkins University – said [8]: “There is zero reason for blockchain to be involved in this problem.” He added: “Blockchain solves a very specific problem around not trusting people, and the problem with this vaccine stuff is you do trust people. You have to trust the data being entered into the blockchain is an actual trusted reflection of who’s vaccinated or not.”

Another inclination is to tie this information to either a centralised system of records or to load it with personal information, which might more reliably authenticate the passes. But if the passes have to ‘call home’ to that system to actively verify live data, then that could bog down a process that needs to be agile.

Vaccination is rolling out quickly. And there is pressure to open up even faster. The point we need to underline is that these systems are going to be used by medical professionals, border agents and even event venue operators, but generally not technology experts. That means that each system has to be simple to use; if complexity overtakes usability then the process will be plagued by problems.

What passes should look like

Given that most vaccine passes are updating the old yellow cardboard with new security features, simplicity is their most important feature. Moreover, unlike most vaccination programmes, which may roll out over years, governments are seeking to credentialise millions of subjects as quickly as possible to restore freedom of movement and to stimulate economic activity. So the best schemes will easily accommodate both paper and digital means.

Interoperability is key, which means pinning down the expected uses and reliance on the vaccine passes. What data will be carried in the credential? What technology is required to verify the credentials? Are the security features well-understood and documented? The best vaccine pass schemes must be flexible enough to sit on top of the existing national systems: there is no time for huge integration projects either at the health authorities or at the myriad end points that may rely on the passes.

The protection of personal data is also vital. While a traveller previously could keep their Yellow Card in their pocket, users will have concerns with online vaccination tools. Vaccine pass schemes must be transparent about where the data is held, who can access it and who can retain it.

Many projects are looking to use tried-and-true approaches that have been proven at scale, such as the public key infrastructure (PKI) approach. This has already been well proven in similar use-cases, such as for e-passports, and in many IoT deployments that require fast authentication of users, data integrity and privacy, and acceptance/validation by diverse relying parties. Widely understood and supported in consumer software, the use of PKI building blocks can also simplify the rollout and acceptance of vaccine passes.

Promising EU approach

While a myriad of commercial and community proposals are being floated, the EU’s scheme represents the first supra-national governmental standard. In many respects, it could set the international standard for vaccine passes going forward.

Under the EU’s Covid-19 Certificate, the Union’s 27 national health authorities will be able to issue the vaccine passes. This makes sense as they are already the custodians of immunisation information. Citizens can store their credentials on a mobile device (with or without an app), or even request a paper version. Both will feature a QR code containing essential information about the holder and their immunisation status, which can be visually scanned by many mobile devices.

The QR code will include a PKI-based electronic signature that asserts the legitimacy/origin of the credential and the fact that the data has not been tampered with. The PKI architecture is modelled on the one that has been successfully used by the International Civil Aviation Organisation (ICAO) e-passport scheme for years, which is flexible in enabling countries (and their varying health authority structures) to issue the vaccine passes.

Using PKI, the European Commission will also build a single gateway that relying parties may use to verify the QR codes’ signatures, no matter which country issued them. The personal data encoded in the vaccine pass does not pass through the gateway. The gateway is simply verifying that the QR code was issued by a legitimate authority, and that the data it contains has not been tampered with.
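The verification model described above (an issuer signature carried in the QR code, checked by the relying party against known issuer keys), as an added example that is not the EU's implementation or wire format. It assumes a JSON envelope, ECDSA P-256 keys, a trust list obtained ahead of time, and hypothetical names (`makeIssuer`, `issuePass`, `verifyPass`, `kid`); all sample data is constructed.

```javascript
const { generateKeyPairSync, sign, verify, createHash } = require("node:crypto");
// Constructed issuer standing in for a national health authority (hypothetical).
function makeIssuer() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  const der = publicKey.export({ type: "spki", format: "der" });
  // Key id: truncated hash of the public key, used to look the key up in the trust list.
  const kid = createHash("sha256").update(der).digest("hex").slice(0, 16);
  return { kid, publicKey, privateKey };
}

// Issuer side: sign the minimal data set; this string is what the QR code would carry.
function issuePass(issuer, claims) {
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = sign("sha256", payload, issuer.privateKey);
  return JSON.stringify({ kid: issuer.kid, payload: payload.toString("base64"),
                          sig: sig.toString("base64") });
}

// Verifier side: trustList (kid -> public key) is held locally (assumption), so no call home.
function verifyPass(qrText, trustList) {
  try {
    const pass = JSON.parse(qrText);
    const key = trustList.get(pass.kid);
    if (!key) return { ok: false, reason: "unknown-issuer" };
    const payload = Buffer.from(pass.payload, "base64");
    const valid = verify("sha256", payload, key, Buffer.from(pass.sig, "base64"));
    if (!valid) return { ok: false, reason: "bad-signature" };
    return { ok: true, claims: JSON.parse(payload.toString()) };
  } catch {
    return { ok: false, reason: "malformed" };
  }
}

// Constructed sample data: one trusted issuer, one key that is not on the trust list.
function demo() {
  const trusted = makeIssuer(), untrusted = makeIssuer();
  const trustList = new Map([[trusted.kid, trusted.publicKey]]);
  const claims = { name: "Jane Example", vaccine: "SAMPLE-VAX", doses: 2 };
  const genuine = issuePass(trusted, claims);
  // Edit the signed data but keep the original signature.
  const edited = JSON.parse(genuine);
  edited.payload = Buffer.from(JSON.stringify({ ...claims, doses: 3 })).toString("base64");
  return {
    genuine: verifyPass(genuine, trustList),
    tampered: verifyPass(JSON.stringify(edited), trustList),
    unlisted: verifyPass(issuePass(untrusted, claims), trustList),
    garbage: verifyPass("not a pass", trustList),
  };
}
```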

Remembering the dominance of WHO’s Yellow Card, the EU scheme takes into consideration WHO’s guidelines for Smart Vaccination Certificates and has been careful to publicly document its approach, rules for data protection and interoperability, and its data sets. There are defined rules about the retention and use of the vaccination data. Having sought stakeholder buy-in along the way, and given the scale of this transparency, the EU approach may become the de facto international best practice. In fact, many aspects of its design are already being picked up by other providers, including open-source projects such as the PathCheck Foundation’s paper-first vaccine pass [9].

The EU approach could also accommodate – but does not depend on – the use of mobile apps. In fact, other than helping to develop software that authorities can use to check the QR codes, it sidesteps this issue, understanding user worries that their data may be monitored or correlated in some manner. Like the old Yellow Card, the user can choose not to use the EU Covid-19 Certificate.

Settling on the norms

In summary, while there remain problems over vaccination hesitancy, the global consensus is that immunisation provides a valuable risk-control in restoring normal life. For that reason, vaccine passes will likely play an important role. Yet that process could fragment if different countries and communities rush into partial solutions without regard to international standards. That’s why the EU’s approach seems promising.

Europe’s approach of designing a simple and flexible system that uses well-known aspects of PKI makes it possible to roll out at scale. The commitment to documented standards means that it is interoperable and will serve well as an international model. Most of all, the EU Covid-19 Certificate sets an example by recognising that the needs of governments must be balanced against the privacy rights of the individual.

Biography

About the author

Stephen Davidson is a senior manager in DigiCert’s Global Governance, Risk and Compliance team. He focuses on standards and accreditations related to DigiCert’s European Qualified Trust Service Provider and digital signature-related businesses. Stephen co-founded QuoVadis, which became part of DigiCert in early 2019. Active in the CA/Browser Forum since 2006, he is chair of the S/MIME Certificate Working Group, writing the first baseline requirements for email signing and encryption certificates.

References


Articles from Biometric Technology Today are provided here courtesy of Elsevier
