The idea of vaccine passports or health passports has aroused opposition from both sides of the political spectrum. Recently we released a piece from ID2020 explaining how such a passport would help reopen travel.
However, privacy activists are worried about the possibility of a slippery slope. BRINK spoke with Alexis Hancock, director of engineering for the Electronic Frontier Foundation.
HANCOCK: The word “vaccine” and the word “passport” have a certain type of meaning that is not exactly what these various applications purported to be. Many people associate having a vaccine passport with what they have now, such as a WHO yellow fever card for international travel.
The problem is, some of this technology was introduced early on, and it made people feel like they had some kind of immunity to the virus and could have that kind of status in society. Last year, we did not know if these vaccinations would be effective against transmission. The science was still pending, and science is still developing on these vaccinations. So it was a problem: that they carried a risk, because the feeling of security was not there yet.
Can we trust data storage companies?
I understand that people want to get back to normal life. But many of these so-called vaccine passports offered by different private companies are filled with problems that have not been fully resolved.
EDGE: Why do you think the models that are on the market so far are not private enough for users?
HANCOCK: The biggest risk to privacy is having databases from different companies that store private medical information about people. We don’t have a federal data privacy law that protects us in the United States, so we just need to trust these companies to handle our health information ethically.
And so far, from what I’ve seen, the policies and transparency around some technologies are unclear. With New York and its Excelsior passport, they’ve rolled out a government-backed passport, but it’s still unclear what they plan to do with all this medical data.
If you are going to build a system like vaccine passports, you have to start with transparency, you have to start with confidentiality in mind.
The risk of mission creep
The second problem is the mission drift that’s happening with these apps and businesses. I’m concerned that frequent presentations of immunization status may lead to greater exposure of someone’s data, and the point is that presentation of your immunization status will grow with these passports.
So at the moment you can present it for international travel or for an educational institution, but it is also suggested that you can present your vaccination status anywhere, in bars, arenas, grocery stores, etc.
For example, in New York, companies want to expand the Excelsior pass to contain digital identification of people, like driver’s licenses and other types of health information. To me, that means the technologists who built it initially weren’t transparent. Before the pandemic, it wasn’t that often that you had to show that you had a flu shot, for example. But now, with these vaccination passports, the data could be bundled with different medical information and possibly an extension of digital identity. This is what I mean by mission creep.
EDGE: What if it was only used for international travel? Is there a way to close that off to create a solution that just allows people to cross borders and allow travel to open up?
HANCOCK: Well, we already have a system that can show if you’re vaccinated for international travel that respects privacy, and that is by being able to upload your results via PDF, things of that nature. WHO is also working on developing a more comprehensive statute for various life-saving vaccinations. We have existing bodies governing this process that have more experience in disease control and the contexts needed to present immunization status.
Context is the problem
What concerns me is that when it comes to these private companies, they don’t necessarily work with WHO. As a technologist, I have to say that with a lot of these technical solutions that I have seen, it is not necessarily about the security mechanisms that they put in place. This is the context in which they are placed.
Many people use buzzwords like “blockchain” to bypass any questions about security, privacy, and data security. The whole issue should have been dealt with properly with public health officials, rather than asking private companies to present to different governments and different airlines that they have the silver bullet.
If you are going to build a system like this you have to start with transparency, you have to start with privacy in mind.
I probably would have built technology and tools for resources that help people get immunized, that strengthen health equity and help get to a place where they can get through this truly devastating event, rather than have vaccination passports, which do not necessarily solve the problems they claim to solve. This is where I would have left it; I wouldn’t have built this app as a technologist at all, if I’m being completely honest.