Privacy Concerns around Covid-19 immunity Passports

news Tags: #covid-19#passports#privacy#vaccines

Countries worldwide have responded to the Covid-19 pandemic by closing borders and shutting down services and facilities to prevent the virus's spread. This has had a devastating impact on businesses, particularly the travel, hospitality, and entertainment sectors. At the height of the pandemic, it was hard to see how these industries could recover while the virus remained circulating within society.

Contents

  1. So, what are Covid-19 Immunity passports?
  2. Are immunity passports inevitable?
  3. Why are Covid-19 immunity passport contentious?
  4. Privacy concerns
  5. Privacy of centralized solutions
  6. Wider concernS
  7. Gateway to freedom or dystopian nightmare?
  8. Conclusions
  9. Resources

We are now in the position where vaccines are being deployed worldwide, offering a potential long-term solution for managing virus spread. While the vaccine may not necessarily prevent contracting and spread of the virus, it should, in most cases, offer protection against serious illness while the immunity is effective. This provides the possibility that sections of society with an active immunity may safely engage in tourism and leisure activities. This idea is being seized upon to revive businesses that rely on social mixing and revitalizing economies worldwide.

Restricting access may offer businesses a way to safely reopen, and proof of active immunity could allow an individual to take advantage of such services. At first sight, this appears an attractive option. As more and more people are vaccinated, the opportunities become available to a larger population pool. This possibility has given rise to the concept of a Covid-19 immunity passport as a means to achieve this.

So, what are Covid-19 Immunity passports?

An immunity passport is a method of providing evidence that the holder has acquired immunity from Covid-19 and may be safely exposed to the virus's carriers without risk to their health. This is not a novel concept. Proof of immunity is universal worldwide; many countries require evidence of vaccination against diseases such as yellow fever as a prerequisite for entry. Until its eradication in the 1980s, proof of smallpox vaccination was a standard international travel requirement. However, the difference with Covid-19 is that there is no evidence that everyone vaccinated or who has recovered from the virus will be immune, or more importantly, that they cannot still carry and transmit the virus to non-immune members of society.

Medically, an immunity passport will never guarantee that the holder cannot get infected or seriously ill. No vaccine is fully effective across the entire population. Currently, the period of effective immunity following vaccination or recovery from the infection is uncertain and has been seen to vary from patient to patient. Also, virus mutations are common and difficult to predict and counter, with no guarantee that existing immunity will always be sufficient for future strains of the virus. This final point is exacerbated by the actions of several countries that are allowing the virus to circulate as their governments rely on vaccination as a solution, rather than adopting the strategy of eliminating the virus from the population as other countries have been able to achieve.

It could be argued that the immunity passport should be based on the medical evidence of a positive immune response against the virus rather than simply having received the vaccination or recovered from an infection. This adds complexity and cost to the process but does counter those cases where the vaccine was ineffective for whatever reason. The person receiving the vaccine may fail to gain immunity, or a mild infection may not generate a sufficient and sustained immune response.

Are immunity passports inevitable?

Woman waiting in an airport

Arguments in favor of passports center around opening international travel.  Key proponents are the travel firms and airports seeking to reopen the global travel and holiday markets and governments looking to reduce the economic impacts of lockdowns. When the virus spread first impacted international travel, digital immunity certifications based upon infection recovery were first proposed. The concern is that advocates are focused on revenues from tourism and not preventing the spread of the virus.

The development of immunity passports for travel across borders is gathering pace across parts of Europe. Many countries now look for arrivals to prove that they have gained protection against the coronavirus through vaccination or have a recent negative test. One argument put forward is that vaccination will not be compulsory or a prerequisite for international travel but that persons who have been vaccinated should be free to travel. This implies that persons who have not been vaccinated may not be able to travel.

Some countries that allow some international travel, including the US, have introduced a negative Covid-19 test requirement as a precondition for entry. This raised the bureaucratic nightmare of both systems operating in parallel, with potential every country having different specific entry requirements.

Countries like Hungary have already introduced policies where travelers may enter these countries to provide evidence of immunity through recovery from infection. Iceland is reported to be planning on reducing restrictions, including mask-wearing, in similar circumstances. Currently, there is significant resistance against such an approach, primarily as it encourages the immune to become less cautious when there is no evidence that they will not still carry and spread the virus.

The travel industry, including the International Air Transport Association (IATA) trade body, recognizes that restarting international travel may require immunity passports. However, they do acknowledge that the medical evidence to support their use does not currently exist. Should immunity passports become a practical tool in opening travel, they advocate that the passports should be based on a recognized global standard and based on digital technology to facilitate automation of decision-making processes when granting access to cross national borders.

Once sizeable sections of the population become vaccinated, we can see that entertainment and hospitality venues will seek to reopen by restricting access to these groups. With businesses such as these forcing governments to act, the pressure for an official document to show immunity will grow. With the loss of income from taxation and the increased expenditure supporting businesses, governments may be forced to adopt measures that allow enterprises to reopen to stem the unsustainable government borrowing seen in many countries.

And if the vaccine does prevent transmission and provide immunity, well, in that case, it is not inconceivable that the requirement for vaccination against Covid-19 may become as common as the requirement for vaccination against Polio as a prerequisite for entry into a country from abroad.

Why are Covid-19 immunity passport contentious?

The main point of contention of the proposals under discussion for a Covid-19 immunity passport is that some recommendations go beyond merely facilitating entry into countries from abroad but expand into access to services, facilities, and specific locations.

The critical point that we'll look at is the ethical and practical implications of dividing the world's population into two classes, those with an immunity passport and those without, and granting additional privileges to the former group. At present, those in the former group represent a small minority, but this will have changed significantly at current vaccination rates within the coming months. Of course, not all countries are equal; those with the resources and the manufacturing facilities are at the forefront of delivering vaccinations to their populations, while other countries have yet to gain access to vaccines.

The introduction of vaccine passports also poses essential questions for protecting data privacy and human rights. There is the potential to create a distinction between individuals based on their health status, used to determine the degree of freedoms and rights they may enjoy.

At present, vaccinations are predominantly prioritized at those most vulnerable to the virus. It is easy to imagine priorities may change if the more privileged members of society are suddenly incentivized to get vaccinated, and governments are susceptible to influence.

The World Health Organization (WHO) has cautioned against using immunity certificates due to insufficient evidence about antibody-mediated immunity's effectiveness to guarantee an immunity passport's accuracy. People who assume that they are immune to infection may ignore public health advice and increase continued transmission risks.

Immunity passports could also become a target for corruption for the privileges they offer.

More concerning, any existing socio-economic, racial, and ethnic inequities might be reflected in the administration of such a scheme, governing who can access antibody testing, who is at the front of the queue for vaccination, and the application process's burden. By replicating existing inequities, the use of immunity passports would exacerbate the harm inflicted by COVID-19 on already vulnerable populations.

Privacy concerns

A key concern being expressed regarding the implementation of immunity passports, particularly in Europe, is privacy. Any record identifying if a person has received a vaccination is by definition a medical record and therefore classified as sensitive personal information under the European GDPR legislation. This is the highest classification of personal data and subject to the strictest privacy protections.

Suppose the record simply indicates whether or not the holder is immune. In that case, it can be argued that this is no different from showing a border guard evidence of vaccination against yellow fever. However, some proposals go beyond this approach to record detailed medical information.

The issue is there is no one single integrated approach at present. Even within the US, indications are that airlines' systems will not be the same as the systems used by music venues, sports stadiums, educational, or any other location of facility interested in using such technology. This raises the prospect of medical information being shared across many different access management systems, each with its security weaknesses and vulnerabilities. This will make the medical information more vulnerable to theft where its value for a diverse range of markets from simple criminal extorsion to targeted advertisers can be realized.

For international travel, biometric passports could resolve this by only storing a record to say whether the passport holder complies with Covid-19 immunity requirements without specifying specific medical records such as date of vaccination or recovery from infection or last negative test date. This approach is favored by airlines looking to streamline enforcement of passenger carriage rules in the post-pandemic environment. An initiative such as the CommonPass app works on this principle to provide a simple green light/red light indicator for each passenger on a planned route. The logic would not be Covid-19 specific but rather based on a whole raft of medical records to determine if the passenger is permitted to travel. This solution is not practical for immunity checks within a country where not everyone will have a biometric passport.

People infected with some diseases are still marked out in society, subject to discrimination or hate crimes. This is of particular concern for HIV/AIDS individuals where there remains a considerable stigma in some countries. The risk is that such information could be used to discriminate against such persons and incentivize them to avoid coming on board with the vaccination program.

There is the potential to create three classes of people. Those vaccinated, those unable to be vaccinated, and those who choose not to be vaccinated. Public opinion may well be sympathetic to allowing the second group privileged access, but how would they feel about the third group, especially if it were a small minority with no voice in the argument. However, you think about people that choose not to be vaccinated, discriminating against them opens a can of worms that could damage or undermine society in general.

Privacy of centralized solutions

Implementing a centralized system is seen as attractive as it is technologically simpler to build and maintain but at the cost of privacy concerns surrounding sensitive personal information aggregation. Access controls can be added to limit access quite easily using existing technology. However, the risks remain that such a valuable hoard of data could be misused or subject to a sophisticated attack.

Proposals for introducing a global digital system based around a centralized database to allow people to demonstrate Covid-19 immunity have raised the fear that this could lead to authorities, service providers, and employers having access to sensitive medical records. It is not inconceivable that employees or visitors to a site may only be permitted entry if they can demonstrate they do not pose a Covid-19 transmission risk. The same may apply to students accessing a school or college, shoppers accessing a store, or sports fans accessing a stadium.

In the US, the Vaccination Credential Initiative has been formed from organizations including Microsoft, Oracle, and the Mayo Clinic to investigate a solution that allows individuals to demonstrate vaccination. Simultaneously, the governments are looking at systems that would enable individuals to prove they have a recent negative test result. Both methods are focused on preventing the demonstration of false claims.

The concern is that the systems would have access to medical records and work, travel, leisure, and shopping records. This would represent the ultimate big data repository that would be irresistible to everyone from oppressive regimes, state bureaucrats, and targeting advertising agencies and criminals.

But despite the opposition, such schemes are gaining support. Several employers worldwide have expressed their intention to include vaccination as a prerequisite for employment for future employment contracts, particularly service providers whose employees visit client premises to undertake repair and maintenance services.

Many processes for sharing personal information are based on the principle of consent being granted at an insular level governed by the consent giver. For example, you may choose to share that you are above the age of consent but not share your exact birth date. For may choose to share that you have been assessed as fit to drive a vehicle but not share what medical conditions were considered when the assessment was made. Solutions based on consent are not appropriate in the case of an immunity passport. The holder seeking to access services, buildings, or public transport will not choose to hand over their information or be deprived of access to essential services.

For a global immunity passport scheme, the question becomes how this will be monitored, who will be trusted to do this, and what powers they will have to address instances of misuse or inappropriate behaviors. There is currently no credible solution to this question.

Whenever an immunity passport is presented, the organization to whom it is given will collect the personal information contained within the document. What they then do with that information is fundamental for privacy issues. Individual stores now have a record of who entered the store, whereas before, they only knew who purchased goods using a payment method that included identity information. They can now see who entered the store and either did not make a purchase or made a cash purchase. This is valuable information for advertisers. If all the stores within a retail group share this information, this builds up a valuable shopping habits database. Suppose data processing organizations obtain such data from every store, business, leisure facility. In that case, they have the potential to know exactly how everyone behaves and target advertising to a precise level of detail.

The opportunities for exploitation of such repositories of personal data in this way are huge and potentially lucrative. Data exploitation is also a common feature within smartphone apps, leaking data to platform operators, infrastructure service providers, and social media companies.

These concerns are not without foundation. The development of contact tracing solutions for Covid-19 has seen a few cases where data gathered have been used to monitor behavior outside of the original purpose of the solutions, including security and law enforcement activities and immigration monitoring. Many contact tracing solutions have been based on using smartphones interacting with each other to record potential exposure events. Countries in Europe and North America have adopted such solutions because if enough smartphone owners use the contact tracing app, that provides sufficient coverage to be effective when backed up with manual contact tracing processes. Other countries have introduced specific devices that record a person's location, feeding that information into a central database where interactions between infected persons and the people they encounter can be deduced. Such solutions have raised significant privacy issues as the state can trace an individual's exact movements and extrapolate various conclusions about their behavior.

Any global solution would also require nations to achieve consensus on common standards and governance for data privacy factors. This is something that, to date, is unachievable. The differences in approach between the US and Europe regarding data privacy and the issues that this continues to raise suggest a solution that would be unlikely to be forthcoming any time soon.

Wider concernS

Suppose immunity passports are introduced to give the holders greater freedoms. In that case, it's not hard to foresee that this will encourage non-vaccinated people to either jump the queue for vaccination ahead of more vulnerable members of society or fraudulently obtain and a false passport. Some of those with the opportunity or money to get around the system will undoubtedly do so. Sadly, such behavior is not uncommon.

Even worse, it may encourage those without the resources to obtain vaccination to deliberately get infected, hoping that this will provide the immunity needed to get a passport. Literally taking the gamble that infection will not lead to significant illness to get the freedoms on offer. Such behavior could lead to a resurgence of the virus and the overwhelming of health services.

Also, not everyone can be vaccinated. There are always society members with medical conditions or other circumstances that will prevent them from being vaccinated. These people are generally protected from exposure to viruses by the rest of society, obtaining immunity and eradicating the virus through herd immunity. There is now the genuine possibility that such people may become an underclass who will be permanently deprived of access to countries, facilities, or events that mandate an immunity passport requirement.

Another issue with digital-based systems is one of financial inequality. For example, a system based on digital records stored on a smartphone may appear attractive, thanks to the convenience of using a compact and highly portable device with processing and security functions in place, but not everyone has a smartphone. While affluent countries in Europe and North America boast smartphone ownership of around 80%, this figure is down to less than 20% for poorer nations in Africa and Asia. This raises the prospect of those people unable to afford to own a smartphone becoming excluded from services.

A possible solution to the smartphone ownership issue is for the government to issue a smart card as an alternative. Now society is divided into those who can afford a certain level of technology and the rest who must carry an identity card and endure the potential stigmatism that accompanies it.

Several proposed solutions rely on the immunity passport holder to prove their identity using a state-issued identity document such as a passport or driving license. In the UK, for example, it is not mandatory to hold such documents, and indeed there is a financial cost to obtain both documents with periodic renewal costs. Those unable to bear the financial burden of maintaining such identification are in danger of exclusion from the scheme. While for opening international travel, it's clear that a passport is a prerequisite, so there is no potential for exclusion from such an immunity passport scheme, the use of such passports to access local services becomes are a real issue.

The same is true for records that require a physical address, a telephone number, or an email address. Those members of the population without access to this data through homelessness or lack of connectivity will also become part of the excluded classes.

The danger is that the introduction of digital immunity passports will result from a technologically dependent crisis-driven response rather than a carefully planned program with comprehensive and diverse consultation.

Identity systems raise complex issues regarding the relationship between citizens and states, particularly the power they can grant governments to monitor and control individuals and groups based on ethnicity, class, political affiliation, or even sexual orientation. The power that digital identity systems can grant to non-benign governments can lead to suppression, discrimination, and coercion. With the proposals for a Covid-19 passport having a wide range of users from employers to service providers, this could be virtually anyone. New and more significant problems may be created in a rush for a solution.

Access to vaccinations would need to be a universal right worldwide for immunity passports not to be inherently exclusionary in nature. Not all governments are open about their vaccination programs and the prioritization of recipients. Denying certain groups or races access to vaccinations or testing can be an effective method of denying them free movement across borders or access to services that use Immunity passports to access decision-making processes.

There may also be cases where sections of the population may deliberately avoid vaccinations and testing to prevent the state from identifying their presence with the country. Groups such as illegal immigrants or undocumented migrants may be fearful that the state may seek to deport them should it become aware of their presence. This will create a section of the population unprotected from the virus that can become a pool for the virus to circulate and mutate. It can then be transmitted back into the rest of the people in a mutated form that overcomes existing immunities.

There is a real potential for the impact to spiral out of control. An individual unable to obtain an immunity passport for financial reasons or due to discrimination may find themselves unable to enter the workplace or shops, excluding them from society and removing their employment opportunities. They may be denied access to public transportation networks. They may be unable to access financial services such as loans or insurance. With no income comes destitution and reliance on aid or charities.

Another concern is law enforcement and other agencies' potential to carry out spot checks of people's immunity passports in public places. There are many countries with mixed-race demographics where the police are more likely to stop black, Asian, and minority ethnic (BAME) people. There is no reason to suspect that this behavior would change. Failing to have a valid immunity passport may well be criminalized, leading to a fine or detention. As BAME people are more likely to be stopped and more likely to be unable to afford an immunity passport, it can be seen how they would be disproportionately affected in this scenario.

Given the evidence for failed and discriminatory government identity initiatives around the world, this raises the question of if it is possible to design an immunity passport scheme that could work in practice without the risk of causing social injustice. The problem is not that such identity systems may inadvertently cause harm; such systems have a history of being intentionally used to discriminate and control, which directly causes damage.

Gateway to freedom or dystopian nightmare?

While the stated aim of an immunity passport is to ease lockdown restrictions put in place to counter the virus's spread, the result of proposed solutions would be establishing centralized digital identity schemes on the back of immunization programs.

This has caused a backlash and a drive to any immunity passport scheme to be decentralized and decoupled from digital identity, with strong governance and auditing to guarantee mission creep towards centralized digital identity schemes. Of course, such controls are only practical in countries where government processes actively support such aims. And introducing such systems is unprecedented, presenting complex technical and administrative challenges and the financial burden that goes with such schemes. The current trend for complex government programs is to rely on private sector organizations to manage and deliver solutions, bearing development costs and recouping these by monetizing the product. It's not hard to see how a commercial organization managing a database with personal details of a countries entire population will leverage that data for gain. Big data processing developments have shown how amalgamated anonymous records can be correlated at scale to identify individuals. With enough information available, there is no privacy.

A common feature seen with the proposed immunity passport system is the general nature of their application; rather than meeting the specific needs of an immunity passport system, they encompass a broad range of identity functionality, often building on existing products. This leads to the potential for function creep. The danger emerges that once an immunity passport system is accepted and in general use by a significant proportion of the population, it will gain traction for use as a more general digital identity solution and build inertia for state-mandated adoption.

Standard checks and balances for such systems also tend to be deferred during national crises such as a global pandemic, taking away the typical policy and regulatory scrutiny, public debate, scientific study, and deliberation. Once the system is established, it is tough to retrospectively apply such checks and realign to previous norms for acceptable practices. In countries such as the UK, where the future of digital identity is an ongoing activity, the normal process of debate and consultation may become bypassed and negated.

There is an argument that any immunity passport could, in theory, be mothballed once the pandemic has ended and the associated infrastructure dismantled. In practice, the tendency would be for governments to use the infrastructure and impetus of the scheme to turn it into a more general digital identity system.

It is worth considering that most of the lockdown restrictions have been put in place to protect society's most vulnerable members. These are the very people who are most likely to be disadvantaged by any digital identity-based immunity passport solution.

Conclusions

Immunity passports appear at first sight to be a reasonable solution for help managing the Covid-19 pandemic by offering a solution for easing restrictions. The issue is that the mechanisms for making this work in practice are untested, and the potential for abuse is extensive. Leveraging existing digital identity services to implement immunity passports may appear attractive quick-fix solutions. Still, they raise the specter of creating digital divides and inequalities that have so far help back universal adoption of such solutions. Finding a global solution for immunity passports that do not increase societal harm risks will be challenging. Any solution must be necessary and proportionate and was still at the stage of agreeing on requirements, so any talk of building technical solutions must be considered dangerously premature at this stage of the process.

An argument for identity documents is that if carefully implemented, they can demonstrate abstract verified credentials such as proving the holder is above a certain age without revealing their age. So, they could indicate Covid-19 immunity without revealing the source of the immunity. Such documents rely on being issued by trusted authorities to be accepted to grant certain privileges that they present.

The requirements must be based on medical evidence on virus immunity, transmission, and prevention to be effective and appropriate. The requirements should include regulatory and legislative governance and fully transparent operations. The requirements should consist of safeguards to address the risks of exclusion, discrimination, targeting, and profiling. The requirements should also be mindful of pandemics' transitory nature and allow for the scheme's retirement once it is no longer required.

Immunity passports have the potential to be more complicated than previously implemented systems in that proposed solutions combine identity systems with public health systems into a single integrated solution. This exacerbates the system's problems being used to unfairly target or exclude sections of society, overtly or inadvertently.

Resources

International monitor: vaccine passports and COVID status apps | Ada Lovelace Institute

https://eandt.theiet.org/content/articles/2021/01/vaccine-passports-present-data-privacy-risk-mps-warned/

https://privacyinternational.org/long-read/4074/looming-disaster-immunity-passports-and-digital-identity

https://www.thelancet.com/journals/lancet/article/PIIS0140-6736(20)31034-5/fulltext

EuroHealthNet Factsheet on Vaccination _ April2019.pdf

Article by
Stephen Mash

Stephen is a UK-based freelance technology writer with a background in cybersecurity and risk management.

About writer

Related Posts

Onion Routing Explained
Onion routing was initially developed in the mid-1990s at the US Naval Research Laboratory and further developed by the Defense Advanced Research Projects Agency (DARPA). This technique was patented by the Navy in 1998, the patent document providing interesting background information to the original concept.
Five Eyes Demystified
There are lots of myths around Five Eyes. In the last few years, the countries involved have officially acknowledged the existence of the Five Eyes agreement in public forums. In this article, we will look at the facts and explain what it actually means. It all revolves around collaborative intelligence gathering and sharing.