Maksim Kabakou - Fotolia
Security Think Tank: Vaccine passports cannot be taken lightly
What are the security issues and challenges presented by vaccine passports, and how should they be designed and used with ethics and privacy in mind?
The roll-out of the Covid-19 vaccine has – in the main – been welcomed with open arms, offering as it does a route out of lockdown and an eventual return to ‘normal’ life.
But, as with the pandemic itself, it raises some complex questions with the issue of vaccine passports being a hotly debated topic.
Compliance
Vaccine passports, which by their nature, rely on the use of sensitive medical information present a major data privacy risk. Specifically in the European Union (EU), General Data Protection Regulation (GDPR) compliance will be the main concern and, since the UK Information Commissioners Office (ICO) will be keen to ensure equivalence with EU law in the long term, GDPR broadly applies in the UK.
This places a significant compliance burden on the structure of the solution. Anything that risks an individual being identified (name, date of birth, email, NHS number, etc) must be anonymised, while controls will be required to ensure the collection, storage, transmission and eventual deletion of this data is compliant.
The risk and complexity is exacerbated by the need to disclose highly personal medical records to third parties, whether that is the government, an outsourced supplier or another provider. There is no guarantee that these teams will have the processes and technology in place that will ensure this data is handled appropriately.
Security
The most likely scenario is that vaccine passports will be deployed via smartphones. Convenient for users, the inherent biometric security controls in modern devices will provide additional data protection, while keeping data ownership and accessibility with the individual – a key consideration from a privacy perspective.
But while this would appear to be a straightforward solution, there is a valid argument that it introduces discrimination – figures show that approximately 16% of the UK population doesn’t own a smart phone.
Leveraging blockchain technology could be an alternative option, as it would allow secure central storage of data, over which the user has control. Individuals could authorise access to their vaccination status to a variety of applications from various different endpoints. However, the reality is that the nascence of the technology counts against it, at least for the first wave of passports.
Phishing risks
The social engineering risks that a vaccine passport will introduce are a real and present threat. Phishing attacks by bad actors posing as legitimate NHS or government requests are likely to proliferate, encouraging users to part with personal information as well as valuable data such as passwords that they might use elsewhere in their online lives. Attacks of this kind have already been witnessed in countries where identity cards are mandatory.
False identities
The benefits that any identification document affords the user make them targets for falsification – and vaccine passports are no exception.
Foreign travel has been high on ‘after-lockdown’ wish lists (to the extent that some people would consider incorporating the cost of a fine imposed for breaching travel restrictions into the cost of a holiday). This creates demand, easily filled by nefarious groups waiting to take advantage, for fake immunisation records.
Vaccine passports must therefore be difficult to falsify, following the lead of regular passports by linking directly to their rightful ‘owner’ via secure mechanisms (such as biometrics).
Ethics
But the practical risk and security considerations are only part of the discussion; ethical issues are an equally critical element.
With vaccine passports currently being mooted as a requirement for entry to a pub, for example (supported by 56% of Brits, according to a YouGov poll), the question arises of where the line lies between unfair discrimination and sensible health and safety precautions to protect staff and customers.
And this is only one situation, with others including whether employers should request a vaccine certificate for people returning to the office, or applying for a job.
Israel’s vaccine deployment offers an interesting case study on the topic. Facilities such as bars, gyms and cinemas have broadly taken the stance that a Green Pass vaccine passport is required for entry to the venue.
The majority view seems to be that if an individual chooses not to receive a vaccine, this preference is synonymous with their choice not to engage in the aspects of society that require it. However, as the pass can also be obtained through presumed immunity (such as a recent test), it does not force citizens to be vaccinated.
There is also the thorny issue that operating a democratic passport-style process requires everyone to meet the eligibility criteria for the vaccine and have access to it. But the former depends on the age and vulnerability status of the individual, neither of which are within their control, while the ongoing problems of vaccine supply and subsequent government policies are a well-documented.
Personal privacy
Vaccination passport information would need to be stored and accessed by organisations, governments and other bodies. The concern is that a precedent would be set, making it acceptable to share sensitive (and previously private) data if it was deemed to be in peoples’ best interests.
As well as the high risk of a data breach, this raises the question of whether it would contribute to the slow erosion of the right to privacy. Next steps could introduce potentially invasive requirements such as the need for physical and mental health conditions to be disclosed or obtained in a range of situations in the name of ‘reducing risk’.
In a year that has consistently delivered previously inconceivable scenarios, whether vaccine passports will be deemed an effective, fair and practical solution for helping to control the pandemic remains to be seen – at the time of writing, there is no obvious conclusion. What is clear, however, is that introducing them is not a decision to be taken lightly.