Immunity passports user privacy

The COVID-19 infection has spread with great speed, infecting millions, causing untimely deaths and bringing economic activities to a near-halt. Most countries imposed tight restrictions on movement to curb the spread of the virus. With over 20 million confirmed cases and over 730,000 deaths globally, the world continues to battle the pandemic.

The devastating impact of the pandemic highlights the need for urgent action to cushion the health and economic consequences, protect vulnerable populations, and set the stage for a lasting recovery. One proposal that is being hyped by some countries, think-tanks, and identity industries as a solution to ending lockdowns around the world is what’s being called an immunity passport.  

What is an immunity passport?

An immunity passport, also known as an immunity certificate, is a document—physical or digital, granted by a testing authority attesting that its bearer is immune to the contagious coronavirus. Specifically, it demonstrates that the bearer has antibodies that make them immune to COVID-19. These antibodies can either be produced naturally by recovering from the disease, or triggered through vaccination. Individuals in possession of an immunity passport could be exempt from quarantine,  physical and social distancing restrictions, and could be permitted to return to work, school and normal daily life. 

It is crucial that policymakers around the world have the best possible data and understanding to inform any course of action. As brilliant as the immunity passport idea may sound, there is one key question we need to ask ourselves: does the current scientific understanding of the nature of immunity support the rollout of immunity passports? According to medical experts, the workability or success of the immunity passport is hinged on the satisfaction of all of the following conditions:

  • Recovered patients have protective immunity that prevents them from being reinfected
  • The protective immunity is long-lasting
  • The pathogen mutates sufficiently slowly for immunity to work against most strains
  • Immunity tests have low false-positive rates

Until those conditions are met, it will be premature to begin designing, implementing or deploying immunity passports. At the moment, it’s still uncertain if any of those conditions have been met. 

Immunity passport and digital identity solutions

The effectiveness of immunity passports has been questioned by leading health authorities. In a publication titled “Immunity passports’ in the context of COVID-19”, the World Health Organization (WHO) stated that “At this point in the pandemic, there is not enough evidence about the effectiveness of antibody-mediated immunity to guarantee the accuracy of an “immunity passport” or “risk-free certificate.”  CoviPass

But despite the lack of evidence to support the effectiveness of immunity passports, the digital identity industry is going ahead with the design and roll-out of digital immunity passport solutions. They are determined to repackage their pre-existing digital identity models and roll them out as immunity passport solutions. There are concerns they may be trying to take advantage of the pandemic to position themselves as key players in the promotion of digital identity as the ‘solution’ to containing the spread of the virus and possibly seize the opportunity to gradually expand their mission beyond the “immunity passport” scope. 

According to Privacy International, “The ‘visionaries’ are keen to get back into painting a world driven by identification.” Already, several identity firms such as OnFido, ID2020, IDNow, Yoti, Circle Pass Enterprises (CPE) and VST Enterprises are racing to develop immunity passport solutions.  Likewise, several countries including Chile, Italy, Estonia, France, Germany, India, U.S, and the U.K, have all expressed interest in so-called immunity passports.

CPE and VST Enterprises for instance have teamed up to create a blockchain technology-based immunity passport known as COVI-PASS, to be supplied to 15 countries including the US, Canada, Sweden, India, UAE, South Africa, among others. In West Africa, a digital identity firm Trust Stamp in partnership with Mastercard and GAVI is quietly developing what they call “Wellness Pass” for people who receive vaccinations, including COVID-19 vaccine—when it becomes available. It enables individuals to be digitally tied to their medical and financial records. This is an unprecedented attempt to link biometric digital identity systems, health records, and a payment system into a single unified platform. 

How it works

COVI-PASS is a contactless permission-based digital health wallet that contains COVID-19 immunity status or test results and other health records. The COVI-Pass app, currently in testing, will be made available for download in the iOS or Android store once it’s ready. Once downloaded, you can set up a password to gain access to your digital wallet.

When you need to prove your COVID-19 immunity status, or show your test results or any other health information, you open up your digital wallet on your smartphone and present a hash code that can be automatically read from two-meter distance to validate your health status. COVI-PASS also has solutions for businesses that want to issue COVID-19 tests to employees.

Similarly, the Wellness Pass scheme supposedly aims to provide smartcards that hold digital vaccination records of each participating individual including children. Health officials will issue the card to citizens after receiving vaccinations, including COVID-19 vaccine—when it becomes available. A new hash is created with updated information each time a vaccination is received.

wellness pass copy The cards carry scrambled biometric identity (fingerprint, palmprint or face) of users created with Trust Stamp’s Evergreen Hash technology. The smartcards use contactless technology that can be read over a short distance, and comply with EMV (Europay, Mastercard, Visa) standards, which means it can be used to make purchases and payments without physical interactions. For business customers and merchants, the program is bundled with a new AI powered click-to-pay checkout system that replaces the typical card number entry checkout systems.

Ideally, the development of these COVID-19 response technologies should be seen or considered a public good—especially when motivated by public health concerns. However, it is not certain how much those initiatives are motivated by public health concerns as opposed to commercial considerations. Indeed, these are mostly for-profit organizations whose business model and mission are market-focused. 

Ethical and privacy concerns

Even if the above scientific conditions are met or satisfied, the deployment of immunity passports raises a number of ethical and privacy concerns. 

Advocates of immunity passports visualize a world where we can’t access services or participate in social activities until our health credentials are scanned and verified. It would be unethical to impose restrictions on who can and cannot participate in social, civic, and economic activities. How would you feel if certain biological conditions in your body dictated where you can go, where you can work, or what you can do? Is it okay to limit individual freedom on the basis of one’s “immunity” status, or lack of it? This might create an awkward incentive for people to intentionally infect themselves to acquire immunity certificates; and/or encourage a black market of forged immunity certificates.

The use of immunity passports would worsen the damage caused by COVID-19 on already overwhelmed and vulnerable populations, and increase the risk of discrimination. The result would be the emergence of a new class of citizens that the BBC calls “antibody elite.” The linking of health records to digital payment systems in the “Wellness Pass” scheme is an ominous way of compelling people to comply or face starvation. 

The pandemic seems to have created a breeding ground for all sorts of digital surveillance tools, and a golden opportunity to fast track global health into a new era of digital healthcare. Tech-based measures range from contact tracing and tracking apps to risk profiling apps and temperature-checking drones. Immunity passports may seem reasonable and necessary at the moment, but many of those solutions are rushed to the market with little or no consideration for user privacy and security. After all, as most people would say, “it’s a pandemic—emergency situations require emergency measures.” Our sensitive personal data such as facial expressions, movements, body temperature, breathing, pulse rate, and other vital signs, are brazenly harvested, stored and analyzed by tech companies and their digital health apps. Of course, our COVID-19 immunity status will soon be added to that list. And because of issues of transparency, lack of trust, and a history of similar practices by big tech and big government, there are fears that these measures would become the new normal. 

The potential for mission creep means that in the aftermath of the pandemic, the systems deployed during the crisis could form the basis for the spread of mass digital identity and bio-surveillance to monitor and track citizens. Long after the COVID-19 pandemic is over, we may continue to be affected by its residue of sophisticated bio-surveillance technologies. We have been through this path before. The 9/11 attacks for example opened the door for the normalization of digital surveillance in western democracies. As Foriegn Affairs magazine puts it, “one of the biggest long-term impacts of the September 11 attacks was expanded surveillance in the United States and other democracies, by both public and private sectors. Similarly, one of COVID-19’s most important long-term impacts will be the reshaping of digital surveillance across the globe, prompted by the public health need to more closely monitor citizens.”

For instance, the supposed “Wellness Pass” solution that digitally ties individuals to their health and financial records—usually confidential—further exposes them to potential digital surveillance and privacy risks. Moreover, according to the Electronic Frontier Foundation (EFF), “requiring people to store their medical test results in a digital format would expose private medical information to the danger of data breaches. Again, this is hardly new—we have seen exactly these types of breaches in the past when medical information has been digitized and collected.”  The recent leak of COVID-19 related personal data of 115,000 Argentine citizens is just the tip of the iceberg. 

Some industry actors are actively promoting the adoption of blockchain technologies for COVID-19 immunity passports, to mitigate risks associated with user privacy and security. But Elizabeth Renieris, a Harvard University based digital privacy and identity expert and a former adviser to ID2020 Alliance, opposed such moves. She highlighted the dangers of blockchain-enabled “Immunity Passports” for COVID-19, and the impact on user privacy and freedom. Renieris specifically questioned the exclusion of potentially suitable communication methods such as NFC and Bluetooth in the built-in APIs, and wondered why web connectivity protocols like HTTP and URLs were used instead. The use of HTTP and URLs generally depict online communication. If the primary need for immunity credentials is for safeguarding in-person interactions, why incorporate web connectivity protocols like HTTP? Or are there ulterior motives or extrinsic reasons beyond what is apparent? 

Renieris’ resignation from ID2020 Alliance demonstrates her lack of trust in the system. According to her “At this stage, I can no longer even describe what ID2020’s mission is with any confidence….All I can perceive is a desire to promote decentralized identity solutions at all costs.” 

There are concerns about how powerful corporations like Microsoft may influence the development of these systems—especially in light of their recent filling of a patent for a cryptocurrency system using body activity data such as brain wave, pulse rate or body heat radiation. We hope that we are not sleep-walking towards a unified universal identity system.

Conclusion and recommendations

Finally, we should learn from past mistakes, and avoid any likelihood of undermining privacy rights and individual freedoms through poorly conceived plans for “immunity passports” or related technologies.  Digital identity and immunity passports may seem like a natural fit at this time, but we have a duty to ensure that the underlying technology works to empower people, and not to expose them to new vulnerabilities. Moving forward, here are some key recommendations for policymakers to consider:

  • Any decision to roll out immunity passports must be dictated by proven science and backed by legislation to prevent it from being used for other purposes. Any solutions put forward by private sector actors must include significant public sector, civil society, and other stakeholder engagement. The process must be transparent and all-inclusive. 
  • Companies and alliances working on the development of COVID-19 vaccines should not also be promoters and sponsors of immunity passports and digital identities. Solution developers must commit to not seize the opportunity to intentionally expand their digital identity solutions and other COVID-19 tech measures beyond the original scope, to promote their own products and services.
  • The handling of personal data associated with immunity passports must comply with data protection best practices and other national and international obligations on privacy rights and data protection