Once the vaccination effort in the United States picked up steam, with it came the promise of a return to normalcy, a reopening of society. People would be able to safely congregate again, go to concerts, sporting events, restaurants, travel, even go back to work. The ticket? A vaccine passport, proof of inoculation or the presence of antibodies.
But with this promise comes many questions, especially in a country where there is no centralized identification system, where a myriad of public, private and non-profit institutions are involved in the vaccine effort, where many people do not have ID, and even if they did, in many cases they were not asked for it when they went to get vaccinated. Moreover, according to a recent industry panel I attended on the subject, only about half of the US states have health systems that would enable the verification of identity and the maintenance of verifiable digital health records.
So where does that leave us from a security and privacy standpoint? A recent New York Post headline warns, “Fake COVID Vaccination Cards Are Spreading Like a Virus Online.” The problem is reaching epidemic proportions as airlines and event venues announce that they will require vaccination cards for entry while, as of this writing, only 28% of the population is fully vaccinated.
On the one hand, we are in the middle of a crisis and the rush to get people vaccinated may trump all else. On the other hand, we had almost a year to think about how to manage ourselves once the vaccines were available and the fact that things were not thought through leaves us in a privacy and security quagmire.
First, how do we know that the people who are holding these vaccination cards are really who they claim to be? Second, how do we know the people presenting them are the ones who actually got vaccinated? In a scathing LinkedIn post, Brett Johnson points out that for $50 on the dark web, anyone can have access to fake documents, so for those who say the requirement is to show an ID with the vaccination card, I say, rubbish.
For me, the issue of vaccination passports is actually exposing the underbelly of the privacy and identity debate in the United States at the expense of public health and public safety. This is no longer a matter of whether people are collecting benefits to which they are not entitled, or whether an ID is needed to vote. The issue of vaccination passports and the lack of a national identity strategy in the United States is now literally a matter of life and death.
At the risk of being dramatic, I recall that my daughter’s school was ground zero for the pandemic breakout in New York City. A father in the school was the first confirmed case in the region and within a matter of days the city was in lockdown mode. No one wants to go back to that. If we want to open society safely, we must consider public safety. Opening prematurely without understanding the risk can actually prolong the crisis and exacerbate public mistrust.
Of course, there is the other side of the equation: privacy. This too is complicated. First is the question of who has access to these troves of health records, now spread throughout different systems that have been proven time and time again to be vulnerable to breach. Even with the most sophisticated of these vaccine passports being rolled out on the blockchain as a decentralized, verifiable credential, questions remain. What happens when a person gets a new device or for whatever reason needs to have their credential renewed or replaced? How do you reissue the credential to the right person? How do you secure the backend database so that these health records are not stolen or accessed by the wrong person?
These are important questions that need to be thought through from a system design perspective, and I am not even talking about the paper passports. Zeroing in on some of the digital initiatives, the backend systems must be secured. That means using biometrics to invoke the credential, which ensures that it cannot be presented by anyone it was not issued to. That means the backend system should also be decentralized, so that if a nefarious actor does break in, there is nothing to find and nothing to steal. That means that if someone loses their device or for some other reason needs a digital vaccine passport reissued, it is issued to the person who actually received the vaccine. This last step can also be done with a biometric that is decentralized and linked to the record.
Lastly, there is the policy question of to what extent these vaccine passports will even be required and under what conditions someone can be denied entry. I imagine this is an issue that the courts will one day decide. There is precedent with airlines and border crossings, inoculations for children in schools, face coverings for driver licenses and other cases where the right to privacy and questions of public health and safety have already been addressed.
As security professionals, our ethical and moral professional responsibility is to promote system design that supports both privacy and security. If we wanted to do this right, people who get vaccinated would be enrolled into a decentralized system where their records are held in a way that cannot be accessed by anyone except themselves or authorized individuals, with the person’s identity bound to the vaccine record so that only the person who was vaccinated can invoke and present the valid credential.
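The design sketched in the two paragraphs above (a credential bound to the person it was issued to, a backend with nothing worth stealing, and a reissue path that revokes the old credential) can be made concrete in a few dozen lines. The following is an added example written for this post, not code from the author or from any vaccine passport project. It assumes Ed25519 signatures, a constructed credential layout (`Vaccine`, `Dose`, `Date`, `HolderPub`) that follows no standard, and a device-held holder key standing in for the biometric step the post describes: enrolling the biometric, and re-proving identity before reissue, are treated as out-of-band and are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Credential is the claim the issuer signs. It carries no name or national ID;
// the holder's public key is the binding that stands in for an identity document.
// Constructed layout for this example; not a standard credential format.
type Credential struct {
	Vaccine   string `json:"vaccine"`
	Dose      int    `json:"dose"`
	Date      string `json:"date"`
	HolderPub []byte `json:"holder_pub"` // assumption: key unlocked by the device's biometric
}

// SignedCredential is what the holder keeps on their own device.
type SignedCredential struct {
	Payload   []byte
	IssuerSig []byte
}

// Registry is the issuer's backend. It stores only a hash per credential and its
// status, never the health record, so a breach of it yields nothing to read.
type Registry struct{ status map[string]string }

func NewRegistry() *Registry { return &Registry{status: map[string]string{}} }

func credID(payload []byte) string {
	h := sha256.Sum256(payload)
	return hex.EncodeToString(h[:])
}

// Issue signs a credential bound to the holder's key and records its hash as active.
func Issue(reg *Registry, issuerPriv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	reg.status[credID(payload)] = "active"
	return SignedCredential{Payload: payload, IssuerSig: ed25519.Sign(issuerPriv, payload)}, nil
}

// Revoke marks a credential invalid, e.g. before reissuing to a replacement device
// once the person has re-proved who they are out of band (not modelled here).
func Revoke(reg *Registry, sc SignedCredential) { reg.status[credID(sc.Payload)] = "revoked" }

// Present is the holder's side: sign the verifier's fresh nonce with the bound key.
// Only the device holding that key can produce this signature.
func Present(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}

// Verify is the venue's side: issuer signature, registry status, then proof that
// the presenter controls the bound key. A copied credential fails the last step.
func Verify(reg *Registry, issuerPub ed25519.PublicKey, sc SignedCredential, nonce, holderSig []byte) (bool, error) {
	if !ed25519.Verify(issuerPub, sc.Payload, sc.IssuerSig) {
		return false, fmt.Errorf("issuer signature invalid")
	}
	if reg.status[credID(sc.Payload)] != "active" {
		return false, fmt.Errorf("credential not active")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return false, err
	}
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(c.HolderPub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(c.HolderPub), nonce, holderSig) {
		return false, fmt.Errorf("presenter does not control the bound key")
	}
	return true, nil
}

// NewNonce returns a random challenge so a recorded presentation cannot be replayed.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)

	reg := NewRegistry()
	// Constructed sample record; values are illustrative only.
	sc, _ := Issue(reg, issuerPriv, Credential{Vaccine: "example-vaccine", Dose: 2, Date: "2021-05-01", HolderPub: holderPub})

	nonce := NewNonce()
	ok, _ := Verify(reg, issuerPub, sc, nonce, Present(holderPriv, nonce))
	fmt.Println("legitimate holder accepted:", ok)
	ok, err := Verify(reg, issuerPub, sc, nonce, Present(thiefPriv, nonce))
	fmt.Println("copied credential with wrong key accepted:", ok, "-", err)
	Revoke(reg, sc)
	ok, err = Verify(reg, issuerPub, sc, nonce, Present(holderPriv, nonce))
	fmt.Println("accepted after revocation:", ok, "-", err)
}
```

The two points the post makes both fall out of the structure: a screenshot or copied credential is useless without the bound private key, and the registry holds only hashes and status flags, so an attacker who reaches it learns nothing about anyone's health. Reissue is modelled as revoke-then-issue to a new key; the hard part the post raises, confirming that the person asking for the reissue is the one who was vaccinated, sits outside this code and is where the biometric belongs.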
These are tough times, and while we’re eager to reopen the economy, it’s important to consider the privacy implications so we don’t open ourselves up to more woes when the world has already gone through its fair share.