July 19 will henceforward be known as Freedom Day in the UK. As the country – along with many others – emerges from the Covid-19 pandemic, people are beginning to see life return back to normal, or at least, a new normal.
Vaccine passports and digital Covid passes are a much-touted way to get the world back on its feet and the tourism industry running again.
The EU introduced a digital Covid pass on July 1, which is presented as a way to resume travel across European countries. Similarly, the UK recently announced that proof of vaccination certificates can be requested through the national health service (NHS) app. It is also increasingly possible that these vaccine passports will be made mandatory to enter pubs, bars and restaurants.
On the face of it, this appears to be an easy and quick fix. However, privacy advocates warn that implementing digital health passes raises numerous political, social and privacy issues.
What then are the legal and technological options available to ensure that privacy concerns are kept at a minimum?
Is it real or is it fake?
Arguably, the easiest option for an internationally recognised proof of vaccination system would be the Yellow Card (more formally known as the international certificate of vaccination for yellow fever) issued by the World Health Organisation (WHO).
However, the main issue here is credibility. Paper documents don’t have built-in security features and are thus easy to counterfeit.
In fact, fake coronavirus vaccine passports are already being sold online for small sums. If proof of vaccination is truly going to become the golden ticket to freedom, unsurprisingly, there are strong incentives for falsification.
Hence the search for a credible, digital option. Yet this does not automatically rectify the verification problem. Take QR codes, for example. Jake Holloway, Chief Product Officer at Crossword Cybersecurity, explains:
“People often think that a QR code is a validation or verification, but it’s not. A QR code is a URL disguised as a little diagram. It’s not anything in its own right.”
Without an established verification method, there is no guarantee that a document is authentic. There are various technical methods for proving authenticity. One recently developed, popular structure is the World Wide Web Consortium (W3C)’s Verifiable Credentials scheme, which was published in November 2019. This is based on a so-called trust triangle.
This model involves the issuer of a document, the holder and a verifier. The issuer first writes a Decentralised Identifier (DID) together with its public key (and any other cryptographic material needed for the issuer’s verifiable credentials) to a blockchain (or another sufficiently trusted public utility).
Secondly, the issuer uses its private key to digitally sign the document it issues to a qualified holder, who stores it in their digital wallet.
Thirdly, a verifier requests digital proof of one or more credentials from the holder. If the holder consents, the e-wallet generates and returns the proof to the verifier. Since the proof contains the issuer’s DID, the verifier uses it to read the issuer’s public key and other cryptographic data from the blockchain.
Finally, the verifier uses the issuer’s public key to verify that the proof is valid and that the digital credential has not been tampered with.
This is already a commonly used way to verify that a digital document is valid. Unlike typical identifiers, DIDs have been designed so that they may be decoupled from centralised registries, identity providers and certificate authorities. A decentralised system ensures that data is not controlled by one single entity and that it cannot easily be shared with third parties.
Yet privacy and cybersecurity concerns still persist, especially in the case of national Covid-19 passports. Any database that aggregates such a significant amount of sensitive data is likely to draw attention from privacy advocates and cybercriminals alike.
Law and privacy
One of the primary concerns when it comes to implementing digital vaccination passports is the high degree of sensitive information stored in one place. As Thomas Lohninger of epicenter.works, a digital rights organisation, puts it:
“We are talking about sensitive health information that also contains recovery certificates. If you’ve had Covid, there is a good chance that you might have long Covid for the rest of your life, so this is information that people need to protect.”
Indeed, this is information that, for instance, insurance companies or potential employers would like to get their hands on. Comprehensive laws and codes of conduct that safeguard privacy are thus essential.
“It is a question of the rule of law,” Lohninger said.
Holloway adds that a level of legislation would be required “that guarantees people’s security and gives them visibility and gives them the right to understand what protocols are being used to track their behaviour.”
An example would be the Covid-19 green pass system recently introduced in the EU, which promotes an architecture that prevents one central entity from overseeing the data. Under the European model, personal information cannot simply be shared with third parties, and any data must be discarded once its purpose has been fulfilled.
“We’re actually quite happy with the decentralised option that the EU chose. Of course, a QR code gets processed on one’s phone. This might be a border agent or a restaurant, but at least there are legal safeguards so that one cannot retain that information,” Lohninger said.
The concept of non-retention is deeply enshrined in the European model and is also a vital cornerstone when dealing with any digital identity verification. Once a person has checked the certificate, they are not allowed to retain the resulting data any longer than is necessary.
The pandemic has undoubtedly changed how we engage with technology. Implementing a nationally/internationally accepted digital vaccination certificate may normalise a digital health data infrastructure that could outlive the pandemic, and which would in effect create a structure which would be rejected for any other purpose. The UK government gave up its attempts to introduce a national ID card scheme back in the noughties, but its future Covid vaccination passport could wind up being effectively the same thing.
“There is a lot of pressure after the pandemic to change the way in which our health data is shared online,” Lohninger points out.
That is why epicenter.works argues that so-called sunset clauses are essential when drafting pandemic related laws.
“The extraordinary measures that we have implemented in order to fight this crisis need to be taken back once this crisis is over, and afterwards, there should be no negative consequences to our fundamental rights,” he emphasises.
However, relying on the law may not necessarily be the only safeguard for privacy. The technology itself could also be designed so that it handles personal information ethically.
“The debate about privacy is important. It has to happen. It’s a socio-political thing as much as a technical thing,” says Holloway.
Paper certificates usually contain detailed information about a person’s identity. When checking such a document, a verifier inadvertently gains access to an excessive amount of irrelevant data. Holloway argues that technology needs to have built-in features that minimise the data that is presented.
“You should only share data or use data for the purpose explicitly collected and no more. Now typically, when you go into a pub showing your passport, they pick up your date of birth, your name and address, your passport number. They pick up all sorts of additional data, and preventing that is one of the things that this verifiable credential standard enshrines.”
Another pertinent issue that arises from the implementation of digital covid vaccination passports is cybersecurity.
Medical record access is a major concern with any healthcare app. If hacked, criminals get access to a notable amount of personal data, including one’s name, place and date of birth, blood type, medical history etc.
Adding comprehensive layers of security to the system is therefore crucial. However, this is also where the main challenges lie. Technology needs to be intuitive and easy to use.
“Any technology is resisted until you make it so easy that people don’t have to think about it,” Holloway says.
“Generally, if you have very secure systems, they’re hard to use. There’s always a trade-off between security on the one hand and utility on the other,” he adds.
One way to strike a balance between security and utility, Holloway argues, is using biometric features to unlock data. Most people will use their mobile device for these digital certificates, which often already has biometric verification functions such as fingerprint or face unlocking.
However, dealing with biometric data raises more privacy concerns in turn.
“Security and privacy are two sides of the same coin in a way,” Holloway says.
Another major cybersecurity pitfall is the lack of agreed standards across borders, opening the system up to fraud and manipulation. Cybercriminals have already used the pandemic to their advantage and a patchwork of vaccine passport systems presents another golden opportunity.
As much as people are eager to return to normal and resume travelling, it is in everyone’s interest not to rush the rolling out of vaccine passports. First things first, the broader citizenry should be made aware that cybercriminals will try to obtain people’s personal information. Any data should therefore only be handed over after careful scrutiny.
Anyone wishing to travel this year will most likely face a choice: hand over personal information or stay home. The least that needs to be done is to make sure that that data is handled and stored with care, according to laws and codes of conduct that prioritise privacy and cybersecurity.
A glimpse into the future
Paper versions will not cease to exist, of course. After all, it is crucial not to disenfranchise those that do not want to or cannot use digital options.
“We often think about the world as being heavily digitised and digitisation as a highly mature thing, but actually it’s only getting started, and one of the things that is not heavily digitised is your identity and the documents around your identity,” Holloway argues.
Yet, a once-in-a-hundred-year pandemic undoubtedly generates the force and urgency to accelerate digital trends, and identity verification may well be one of them.
“It’s crises like these that change the relationship between citizens and the government, and between companies and citizens and governments, and so it’s important to be really mindful,” Lohninger warns.
In many countries, we already see this trend unfold. The EU, for instance, recently introduced a plan for a digital identity/wallet, which will allow citizens to store their passwords, bank accounts and official documents like their drivers’ licence in one place, simplifying cross-border bureaucracy.
The EU already has regulations on electronic ID authentication systems (eIDAS), which came into force in 2014. The new e-ID intends to expand on that by addressing some of its limitations and inadequacies, such as poor uptake and lack of mobile support.
Some EU Member States already offer national electronic IDs, but there is a significant problem with interoperability across borders, according to the European Commission. The EC has noted that today, just 14% of key public service providers across all Member States allow cross-border authentication with an e-identity system, though it also added that cross-border authentications are rising.
The European Commission also wants to introduce the EU e-ID as a login method. The Executive Vice President of the European Commission for a Europe Fit for the Digital Age, Margrethe Vestager, was quoted saying:
“For example, it should be possible to log in not with a Facebook or Google account but with your digital European ID profile.”
For the time being, the requirement to offer Euro ID login will only apply to sites that have more than 45 million users in Europe (10 per cent of the EU population). In addition to Facebook and Google, many other social media platforms are also included.
As Lohninger argues, it is an ambitious plan. However, if implemented successfully, it could constrain the dominance enjoyed by companies such as Google, Apple and Facebook.
“Democratically decided conditions that guarantee us that the software adheres to certain principles and having a democratic consensus about it, I’d far prefer that over Silicon Valley companies and their CEOs deciding how these things work,” Lohninger said.
Looking at Estonia may give a glimpse into the future. For the past 20 years, citizens in the ultra-digitised Baltic country have been able to do everything from banking to starting a business to managing doctor’s appointments via their digital identity.
Issued at birth and valid for life, the Estonian digital ID is a unique digital document that allows people to securely log on to private and public websites, removing the need for extra checks on their identity.
Fully 99% of the 1.3 million-strong country have a digital ID, and privacy concerns are not prevalent. That may be because Estonians are accustomed to carrying out many of life’s activities digitally. A mantra in the country is that the only things people can’t do online are getting married or divorced and buying property.
It also helps that the system’s designers have built-in safeguards against exploitation, protecting it from an aggressive and cyber-savvy Russian neighbour.
The system is decentralised, denying hackers a single point of attack, and individuals are able to see who has accessed their data as well as when and why — unless the request came from law enforcement, in which case they’ll be notified when the investigation is wrapped up.
Holloway points out that, in the end, any technological advances must be sanctioned by citizens and implemented collectively based on democratic processes that enshrine the rights of individuals.
“I don’t think [companies] ought to get too heavily involved in that. We need to implement solutions that protect privacy and that maintain security.”
Verdict deals analysis methodology
This analysis considers only announced and completed deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.
GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.
More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.