Maksim Kabakou - Fotolia

Security Think Tank: Vaccine passports must be secure by design

What are the security issues and challenges presented by vaccine passports, and how should they be designed and used with ethics and privacy in mind?

From the beginning of the Covid-19 vaccine roll-out, vaccination has been seen as the primary tool to escape lockdown, allow foreign travel and reopen large public events. There is also discussion about certain professions only being open to those who have immunity through vaccination.

This quickly led to proposals for vaccine passports, or vaccine certificates, so that people could prove they have been vaccinated and, in turn, to concerns about the privacy and ethical issues this would raise.

For example, what about those who cannot have the vaccine for medical reasons, such as allergic reactions, or patients who need immunosuppressant drugs, which make the vaccine ineffective? Should they be prevented from travelling, banned from some jobs, attending public events and going to a restaurant? These people must be considered and could be protected by the disability provisions within the Equality Act.

Also, how do we cater for people who don’t have smartphones? In 2020, only 84% of adults owned a smartphone and this fell to 77% of 60-65-year-olds and 53% of over-65s, so a significant proportion of people who will have had two shots of the vaccine by the start of summer don’t have smartphones.

The concept of a vaccine passport or certificate seems straightforward – simply something that proves a person has been vaccinated – but, as with most things, they become more complex when examined closely.

One near equivalent, the yellow fever vaccination certificate, reveals some of these potential issues. It includes the name, age, sex, nationality and signature of the holder, as well as the number of an identity document. Then there is space for several entries for the vaccination, each showing the date, signature of the vaccinating professional, the manufacturer and batch of the vaccine, the validity period of the vaccination and, finally, the official stamp of the vaccine administering centre.

This tells us that this is not a simple “yes, I’ve had the vaccine” question and reveals some of the things that need to be considered.

Knowing which vaccine was given and when matters, because of the possibility that some vaccines may not work against certain variants of the virus, and the length of time the vaccines are effective for is not yet known.

We also see some personal data, date of birth and signature of the holder. Any solution should also provide for those who have not been vaccinated, but who have recently tested negative, by also recording test information. This would cater for vaccine passports for travel, where a vaccination and a negative test are required and also allow the same system to be used where either a vaccination or a negative test is acceptable.

Data protection by design

The yellow fever certificate, updated in 2016, has been around for over 80 years and although today’s solutions may look very different, it tells us that there are three main parties involved – the “holder”, the “issuer” and the “verifier” – and that personal data is potentially involved.

This takes us to the first step in privacy by design, or as the Information Commissioner’s Office now has it, “data protection by design” – establishing the context in terms of the needs of the parties involved (at least three in this case) and then establishing a set of data protection/privacy principles:

  • First, the verifier needs to know that the holder of the certificate has a valid vaccination, or test that is still active and effective against variants, that the certificate is genuine and was issued by a trustworthy issuer. The validator does not necessarily need to know the identity of the holder.
  • Second, the holder wants to be able to prove that they have a vaccination and that it is still effective, or that they have a valid reason that they cannot be vaccinated. However, they don’t want to give away more personal data that is absolutely necessary and should be able to choose when and to whom they reveal their vaccination status and any supporting data.
  • Third, the issuer of the certificate wants to make sure that the certificate is only issued to the person who was vaccinated, that the information is correct and that the certificate cannot be copied, altered or forged. This is also important to the other parties, but is mainly a risk controlled by the issuer.

In the UK, vaccination data is held by the NHS, so other application providers could be seen as the issuer, with the NHS as a fourth party – the data provider – with similar requirements to the issuer. This adds to the security and data protection issues. Also, any scheme for travel abroad would need international agreement at government level to ensure interoperability and acceptance.

From this, we can identify some basic security principles, including: data at rest and in transit encryption; use of mutual authentication; data signature to ensure authenticity and integrity with the signing keys being strongly protected; and the minimisation of the storage and transmission of any personal data.

Finally, having up-to-date data is important, so the data provider must be able to push updated certificates out to the holder to allow for new test results and vaccination information, or recover from a compromise of signing keys.

This can then be augmented by more general principles, such as secure development principles (development environment, design, coding, and so on), vulnerability and incident disclosure processes, monitoring and reporting of anomalies and attempts to exploit or interfere with the system.

Vaccine passports and Covid-19 certificates

We also need to remember that the characteristics of a vaccine passport for international travel and a Covid-19 certificate for access to venues nationally will have different stakeholders with different motivations.

A vaccine passport needs international agreement to be used at border crossings where the holders will have separate identity documents and the focus will be on keeping non-compliant people out. On the other hand, a national Covid-19 certificate would need to allow rapid access to get people into a venue based on a simple yes or no answer.

The area I would focus on is minimising the use of personal data and putting the data that is needed under the control of the holder, underpinned by good security design practice. Traditionally, we have created central databases and pulled information from the centre on demand, keyed by a user’s identity.

However, unnecessary use of identity adds to security and privacy issues and there is a move towards sovereign identity, where users hold their own information and make their own decisions on when and with whom they want to share it. But there will often still be a need for a central trusted third party to independently verify the data.

In this case, the holder only needs to hold enough information to satisfy the verifier and have a means of proving that it relates to them. One approach would be for the holder to have a certificate holding their vaccine data (as with the yellow fever certificate) and the number of a photo identity document (such as passport or driving licence) signed by the data provider.

This could be displayed as a QR code and the verifier could ask to check the identity document if necessary and verify the signature on the certificate using the data provider’s public key. There is no need for the verifier to reach back to the data provider.

A slightly different approach, used in Israel, for instance, is to display a photograph of the holder alongside the QR code. However, this does have the challenge of binding the picture to the vaccine data in a certificate that can be checked by the verifier without revealing the photo data to the verifier to avoid privacy issues around facial recognition.

These approaches do lend themselves to the high-level verification methods used by the NHS app, which uses a photo ID and video of the user to match the user’s phone to the user and their photo ID. Also, this type of approach is transferable to a paper certificate comprising simply a QR code, or QR code and photo for those without a smartphone. It is also straightforward for the verifier, who would only need an appropriate QR code scanner, or even just a smartphone app.

The requirements for a vaccine certificate should therefore be straightforward to implement securely, without major privacy concerns, as long as it is approached in the right way – simply identifying the needs of the different parties and minimising use of personally identifiable information.

The certificate should be difficult to forge or copy and the holder of the certificate needs to be able to prove their vaccine status on demand – no more, no less. The holder does not need to prove their identity (name, address, and so on), just that they are the entitled to hold the certificate.

In terms of ethical issues, the main one is how to address those who cannot be vaccinated because of medical issues. Any certificate would simply need to state this and, ideally, would not be specific about their medical condition, but again be verifiable as coming from a medical authority. However, this is more a matter of ethics and policy rather than privacy and security.

Security and implementation

There will inevitably be those who attempt to copy a certificate, or borrow an elderly relative’s certificate, and others who try to forge certificates, or create copies and offer them for sale on the internet. The link between the person and the certificate must therefore be strong.

The link to a passport or ID card number may be a better option for international travel, while a simple photograph tied to the certificate would cater better for national venue access where some people may not carry ID documents.

As mentioned above, in the UK, vaccine and other health information is held by the NHS, and other countries have equivalent national organisations. Although these central health organisations could provide the data to application developers, this would almost certainly add to the risk of compromise and duplication.

There are several proposals for vaccine passport apps and you can find some in your smartphone’s app store. Most of them contain far more sensitive health and personal data that is necessary for a vaccine passport and it is not clear how they would get the verified vaccination data. In essence, they are just containers for certificates.

Also in the UK, there is the option to augment the original NHS app, but as there is likely to be strong demand for vaccine certificates if they are necessary to enter public events, the take-up may overwhelm the strong verification process if that service is not scaled up.

Alternatively, the NHS Covid-19 track-and-trace app could be used and the track-and-trace system would benefit from potential increased take-up. However, currently it is deliberately anonymous and does not have any identity verification, so adding this is more difficult and could have an adverse impact on its original function.

A rapidly changing picture

There is a lot of activity in this area, with the EU developing its own Green Certificate for use within the EU, and the US and others developing national systems. These are largely based on the use of a signed certificate displayed as a QR code, but they probably won’t be internationally interoperable.

On 28 January, World Health Organization officials said governments should “not introduce requirements of proof of vaccination or immunity for international travel as a condition of entry”, partly for ethical reasons, but also because of the risk that vaccine passports would create a false sense of security.

Also in January, UK prime minister Boris Johnson said vaccine certificates would not be introduced, but last month said Covid-19 status certificates were under consideration. More recently, health secretary Matt Hancock said certificates should not be introduced until everyone has been vaccinated and now it has been announced that Covid-19 status certificates are to be trialled, although exactly how they will be used is still unclear.

The only thing that is certain about Covid-19 is uncertainty, but it does now look like so-called vaccine passports/certificates are closer to becoming a reality in the UK.

Read more on Privacy and data protection