Any Covid-19 vaccine passport scheme set up in the UK could easily turn out to be discriminatory and invasive, and open the door to worse abuses of privacy in future, say security experts and campaigners.
This follows an announcement by prime minister Boris Johnson that Cabinet Office minister Michael Gove will lead a review into the potential to use vaccine passports as a means to fully open up the UK economy in the wake of the pandemic.
Speaking on 23 February, Johnson said the review, to be delivered before 21 June 2021, will explore the issues around vaccine passports. He said it was easy to see how vaccine passports could discriminate against people who, for example, had legitimate reasons why they cannot have the vaccine.
Johnson said Gove’s team will consider scientific, moral, philosophical and ethical viewpoints around vaccine passports, and may ultimately choose to rule out the idea altogether.
Commenting on the review, Open Rights Group executive director Jim Killock said: “Vaccine passports have the potential to be extremely discriminatory and invasive of personal privacy. They could be used as an excuse for ID cards through the back door. And the supposed benefits may be limited and temporary.
“It is right that the government proceed with caution – it must ensure that there is public consultation and that it interrogates the benefits and the downsides. It could be a very concerning path to take.”
Campaigners at Big Brother Watch also spoke up against the concept, agreeing that vaccine passports risked opening the floodgates to worse abuses.
It highlighted the government’s wider pursuit of a new digital identity framework, and the proposed introduction of a bill that would require ID to vote in order to stop alleged voter fraud, as other concerns in terms of the direction of travel around digital privacy.
Big Brother Watch said the fight against ID cards in the UK had surfaced time and time again, and was about more than just databases, but about “protecting the presumption of innocence and liberty”.
“We are more than just a number, and registration code, or worse, a vaccine risk score,” said the Big Brother Watch team. “At this moment, the UK should be showing courage and leadership to build a freer future – to ‘set the people free’. Instead, with vaccine IDs and more, the government is offering us a future of more controls, not more freedom.”
Writing in Computer Weekly, Carsten Maple of the Alan Turing Institute, who is currently working on issues around trustworthy digital identity, said: “They [vaccine passports] are controversial and evoke clear ethical concerns to be addressed if they are to be trusted and deliver on any promise. The systems for managing them must also be designed to be trustworthy, requiring anticipation of a complex array of factors for their design and deployment.”
Ed Rayner, commercial director of Blok BioScience, which has already produced its own digital health pass, said he understood the public’s concerns.
“We know that there is some apprehension about the idea of vaccine passports in some quarters, which is why it is so important that great consideration is given as to which do the best job of addressing the public’s concerns around data privacy and ethics,” he said.
“If they are delivered in this way, then we truly believe that vaccine passports provide the best way to enable life to return to normal while protecting privacy and health – and that return to normal is something that we all so desperately need.”
Synopsys principal strategist Tim Mackey said technology was far from fool-proof, and that serious security reviews were much needed – last year’s contact-tracing app debacle being a proof in point.
“There is no single solution to any problem, and often cool new technologies like blockchain or complex technologies like encryption are applied without understanding how they might function under adverse conditions, like those found during a cyber attack,” he said.
Blok’s Rayner agreed that the evidence of the past year showed that failure to address privacy, security and ethical aspects of digital solutions did hamper adoption. “Vaccine passports really need to be designed with these principles at the forefront from the very beginning if they are going to be widely adopted,” he said.
“Our own Blok Pass is ID2020 certified for meeting 41 technical requirements for privacy, security and ethics and it is based on self-sovereign ID, which means the individual’s data is fully owned and controlled by them, never shared with anyone else and completely tamper-proof. And we provide offline options, too.
“If the government is going to conduct a review of vaccine passports, there needs to be a formal tender process to ensure that the very best solutions are considered. The truth is, though, that forward-thinking businesses have already started moving on this and many are already working with us to evaluate Blok Pass and see how it can be applied within their organisation.
“We are talking to companies across the travel sector, care homes, schools, event businesses, entertainment venues and even governments in other countries about how to introduce vaccine passports in an ethical way that protects public health and privacy.”
Synopsys’ Mackey added: “Returning to a world where international travel and even air travel is once again commonplace is something we all want, but it requires far more than an app to be solved. Significant coordination between international entities is required to ensure that the data recorded by the app is correct and complete.
“Once in the app, the data needs to be verifiably secure and stored in a tamper evident form that itself can’t be modified. Building confidence around this process requires some of the transparency seen within open source software development, where skilled practitioners are able to review the implementation and configuration of the proposed solution.
“Mis-steps along this path could easily tarnish the reputation of digital health passports and form a setback to the return to a pre-Covid-19 travel experience.”
