It was only last week that Privacy News Online wrote about introducing vaccine passports in order to provide additional freedoms to those who have received one of the Covid-19 vaccines. And yet the idea has taken off in a remarkable way, driven no doubt by the desperate desire by both businesses and the public to return to something closer to normal life. Some international organizations are working on their own vaccine passports. For example, Alexandre de Juniac, Director General and CEO of the International Air Transport Association (IATA), said that airlines have already started signing up to the IATA Travel Pass – its vaccine passport system. According to Euractiv, IATA has called for EU leaders to introduce “evidence-based border restrictions” that would draw on the use of “secure digital solutions, such as the IATA Travel Pass”.
The EU seems to be listening to these calls. Just this week, Reuters reported that the European Commission will present a proposal for creating an EU-wide Covid-19 vaccination passport. The “digital green pass” would provide proof that a person has been vaccinated, the results of tests for people who have not yet been vaccinated, and information about the recovery of people who have already caught Covid-19. There’s no technical information yet about how an EU scheme would work in practice, but Singapore’s new digital vaccine passport, HealthCerts, gives an idea of what is involved. As The Register writes:
Starting March 10, travelers from Singapore will have to use the HealthCert instead of physical paper certificates.
From that date travelers planning to leave Singapore will book in for a COVID PCR test before they fly. Results will be uploaded to a government website and aspiring tourists will then go online to request the results be notarised by the Ministry of Health. If approved, the QR code linking to the notarised digital certificate will appear in SingPass Mobile, the nation’s app for consuming digital government services.
Travelers will present the QR code at airport check-in and/or immigration before being let anywhere near a border or aboard a vehicle.
Leaving aside the more problematic elements of Singapore’s approach – the use of a centralized, government database – the key part here is the notarization. As the name suggests, this is akin to using a human notary to vouch that certain documents are genuine and trustworthy. HealthCerts draws on another technology developed by Singapore’s government, an open source framework called OpenAttestation for verifiable documents and transferable records:
A verifiable document (or verifiable credential) is a tamper-evident document that cryptographically proves who issued it. They are the electronic equivalent of the physical documents that we all possess today, such as: plastic cards, passports, driving licences, qualifications and awards, etc.
Transferable Records are documents which extend Verifiable Documents to allow a document to have an owner.
The document store is a smart contract deployed onto the Ethereum blockchain. When an OA document is issued, a proof of the issuance is stored onto the Ethereum blockchain through the smart contract. The smart contract is used to provide a globally consistent record for anyone to query a given OA document’s issuance status.
The OpenAttestation site has some documents that explain in more detail how a blockchain can be used to produce verifiable documents that are suitable for conveying vaccination and Covid-19 test status. The use of open source is a shrewd move here, since it means that the framework can be used by anyone, and extended as need be.
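The issue-then-query flow described above can be sketched in a few lines. This is an added example, not OpenAttestation's code or API: the `DocumentStore` class is a hypothetical in-memory stand-in for the on-chain smart contract, SHA-256 stands in for the framework's own digest scheme, and the certificate fields are constructed. It does not cover proving who controls the store.

```javascript
const crypto = require("crypto");

// SHA-256 is a stand-in; this sketch does not reproduce OpenAttestation's digest scheme.
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Digest over salted fields: hash each (key, salt, value), sort, hash the result.
function digestOf(doc) {
  const leaves = Object.keys(doc.data).map((k) =>
    sha256(JSON.stringify([k, doc.salts[k], doc.data[k]])));
  return sha256(leaves.sort().join(""));
}

// Hypothetical in-memory stand-in for the document store smart contract.
class DocumentStore {
  constructor() { this.issued = new Set(); this.revoked = new Set(); }
  issue(digest) { this.issued.add(digest); }
  revoke(digest) { this.revoked.add(digest); }
  status(digest) {
    if (!this.issued.has(digest)) return "NOT_ISSUED";
    return this.revoked.has(digest) ? "REVOKED" : "ISSUED";
  }
}

// Issuer: salt every field so low-entropy values cannot be guessed from the
// public digest, then record only the digest (no personal data) in the store.
function issue(store, data) {
  const salts = {};
  for (const k of Object.keys(data)) salts[k] = crypto.randomBytes(16).toString("hex");
  const doc = { data, salts };
  doc.digest = digestOf(doc);
  store.issue(doc.digest);
  return doc;
}

// Verifier: recompute the digest first (integrity), then query issuance status.
function verify(store, doc) {
  if (digestOf(doc) !== doc.digest) return "TAMPERED";
  return store.status(doc.digest);
}

// Constructed sample run covering the four outcomes a checker must distinguish.
function demo() {
  const store = new DocumentStore();
  const cert = issue(store, { name: "Constructed Traveller", test: "PCR", sampleDate: "2021-03-08" });
  const edited = JSON.parse(JSON.stringify(cert));
  edited.data.sampleDate = "2021-03-09";            // content changed, digest left alone
  const rehashed = { ...edited, digest: digestOf(edited) }; // digest recomputed to match
  const results = [verify(store, cert), verify(store, edited), verify(store, rehashed)];
  store.revoke(cert.digest);
  return results.concat(verify(store, cert));
}
```

The third case is the one that matters for a checker: a document that is internally consistent still fails because its digest was never recorded by the issuer.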
If such an approach takes off, it could be an important moment for blockchain technologies in general, and Ethereum in particular. It would represent the first large-scale deployment of the technology in an app that is used by millions, potentially billions of people around the world. Although Bitcoin is much in the news these days, Ethereum’s ability to run applications makes its applicability far wider. A successful implementation of an Ethereum-based Covid-19 vaccine passport could see the technology adopted rapidly.
While the programming issues involved in creating secure vaccine passports seem relatively straightforward, there are other factors that are not. These are well summarized in an FT article by the lawyer David Allen Green. He notes a few practical concerns. Some, like ensuring that data input is robust, and that airport staff can scrutinize vaccine passports properly, seem largely technical matters. Blockchain attestation of the kind adopted by Singapore should ensure that it is harder to produce fake credentials, and also relatively easy to automate the process of checking the validity of a certificate. The medical issue of whether those who have been vaccinated really offer no risk of contagion to others is still open, but will presumably become clearer as data is collected.
But as the article rightly points out: “The key moral and legal issues are not so much about reliability, as about the reliance decision makers will place upon the certificates.” Vaccine certificates might be perfectly implemented, but if politicians shy away from taking meaningful action based on them, they become simply an exercise in window-dressing. As technical implementations of vaccine passports start to arrive, it is vital that the ethical and legal issues are addressed too.
Featured image by Unwicked.