Vaccination passports may facilitate the return to normalcy, but there are also concerns about what kinds of personal data they collect and how well they protect it. Here’s what you should know.
Technology has been front and center throughout the COVID-19 pandemic, but not without presenting a few issues and challenges. Proof of vaccination and test result validation apps are the latest in the long list of technologies that have come to the forefront of privacy and security concerns. The concept is very simple; provide a digital, verifiable, proof of identity and proof of either vaccination or a negative COVID-19 diagnostic test (or both).
As countries, states and cities reopen and allow mass gatherings and indoor events, many are requiring proof of vaccination or of a recent negative test result before entry is permitted. Where many authorities have avoided making what could be seen as an infringement of citizens’ rights by implementing vaccination requirements to conduct normal life – such as dining indoors at a restaurant or attending a concert or show – the Delta variant is causing them to rethink. The need for vaccination passports to prove inoculation status is growing and has two distinct elements, the first being the right to privacy and the second being how technology can be used to securely deliver the functionality required.
Declaring that you have received a vaccination may be seen as a potential infringement of an individual’s privacy as you are sharing personal medical data with the person and organization that need to verify your record. Before jumping on the privacy bandwagon and objecting, consider what vaccination status is already being shared – with reasonable certainty, 99% of the students you see going to school in the United States and many other countries have had at least one vaccination of some type, including those protecting against measles, mumps, and rubella (MMR), polio and diphtheria. There are some exemptions for those objecting under medical, religious, or philosophical reasons, but most students have been inoculated. The State of California, where I am based, requires all schools to check immunization records for all new students from kindergarten to 12th grade; the validation is for five different vaccinations.
There is another cohort of residents in the US that, with even more certainty, can be deemed to have received the same five vaccinations that California school students require: green card holders. In 1996, Congress provided in legislation that every immigrant seeking permanent residence show proof of vaccination, and without it your application may be denied. Anyone that has been through this process will attest that you will need to roll up your sleeve and have the shots; in my case all five were administered in one afternoon – I remember it well.
Mandatory vaccine requirements for children, and in some circumstances adults, are not unique to the United States; European countries such as France and Italy mandate numerous vaccines by age, whereas some other countries opt to allow freedom to choose. The principle behind the argument of not declaring COVID-19 or other vaccination status, based on it being personal medical data, is significantly weakened when you consider the requirements such as those discussed above.
Due to the Delta variant and the new surge in COVID-19 infections, New York City’s (NYC) Mayor Bill de Blasio recently announced that proof of vaccination will be required for workers and customers at indoor restaurants and gyms. NYC provides several options to prove vaccination status: the Centers for Disease Control and Prevention (CDC) vaccination record card, the Excelsior Pass app, or the NYC COVID SAFE app, the last being the option for visitors to NYC. It’s unusual, and likely confusing, for a single authority to adopt three different solutions. Each of these systems, or cards, offers differing levels of verification, but all are accepted to gain entry in NYC when required. Here are the differences:
- CDC vaccination record card – It’s a small paper card, slightly larger than a credit card, which includes first and last name, date of birth, and details of the vaccine type, including 1st and 2nd When I received my vaccine, they handed me the card with the dose field pre-filled, but the remainder of the card was blank for me to fill in myself. If this was not enough of an issue for those concerned about the correct identification of the card holder, doctors, bars and restaurants have been selling fake cards for as little as $20. A paper card with no validation of identity seems to be as much use as a chocolate teapot; the chocolate teapot may be more useful, as you could eat it.
- NYC COVID SAFE app – The app takes a picture of the CDC vaccination record or international equivalent and stores it as an image; this image then becomes your digital vaccine record. A digital chocolate teapot.
- Excelsior Pass – An IBM-developed, app-based solution being used by New York State, it uses blockchain and encryption technology to ensure personal data is kept private and secure. Users need to register using the data provided at the time of vaccination, name, date of birth, ZIP code and phone number. This grants access to the user’s vaccination status in the New York State vaccination database. The app then creates a scannable pass that can be stored in the pass wallet; it contains a QR code, name, and date of birth. The flaw here is that the pass does not identify the device holder as the individual who received the vaccination; for true verification, the verifier would need to see an official proof of identity that has a picture of the individual, such as a driver’s license or passport. This opens the app to fraud, either a copy of the QR code and details captured from another device or the user has connected with someone else’s vaccine record information. When entering a mass gathering sports event, will the pass just be scanned or will identity be verified? I suspect it will just be scanned.
Many governments across the world have adopted, or are expected to adopt, apps and solutions similar to those that NYC has opted for. I expect, and hope, most will use something similar to the Excelsior Pass where the user’s data is verified to create the pass and then only the QR code and minimum user data is stored: name, date of birth, date of vaccination is then stored within the vaccination passport record on the device. The Canadian Government has recently announced the use of a similar system; the proposal at present is to include the data mentioned and which vaccine the person received, which may serve a purpose when travelling internationally, but domestically I am unsure why this data point is required.
Trouble in the Golden State
Amusingly – I say this with sarcasm – California has adopted a hybrid approach where you can browse your vaccination status using the data provided at the time of receiving the shot. The system asks for a PIN and then sends an SMS link where you verify the PIN and download a vaccination record, a QR code and limited details are displayed, and they recommend screen capturing so that you have a record. There is no app, the QR code is only valid to those holding a Smart Health Scanner, and the image on the device is held in the photo library. How can one of the world’s largest economies and the home of Silicon Valley get this so wrong?
When event or establishment staff scan the QR code they receive verification from the official vaccination database associated with the QR code. Some apps then request validation from the holder of the pass, prompting them to allow access to their record; this then displays their image and verification of vaccination to the requester. The authentication of the request builds in a level of security and privacy and stops the QR code being copied, and the vaccination record being accessed without permission of the verified holder.
A malicious verifier could set their device to screen capture all the passes and identities of the people they scan – they would gain the minimum of personal data, which in most cases is already public information, such as name and date of birth. However, the vaccination status is not public record. What could vaccination status be used for? Maybe an elaborate spearphishing scam? There was no email address associated with the data so this would be difficult to create and would require additional data. As mentioned, in many countries, vaccinations are mandatory and as far as I know, there has been no mass abuse of this knowledge.
The event industry has been using QR codes to replace barcode or physical tickets for some time, such as SafeTix. These systems rely on the QR code being created and refreshed on a periodic basis, and the scanned code being validated in real-time. If this scenario were used for vaccine records, it would require both the holder and the verifier to be online. The holder opens the app and the QR code is created on demand using the preregistered details held by the app; the verifier scans the code and validates it against the central database in real time. If the app remains active, the QR code is refreshed on a periodic basis. This solution stops multiple people using the same QR code as others, removing the possibility of fraud. If this system added confirmation when a scan is taking place and the need for them to approve, as mentioned earlier, the likely scenario of copied or fake QR codes being used would be minimal or potentially non-existent. This does still leave the issue of identification of the holder, solved by checking a valid form of ID alongside the vaccination record.
Another flaw with this suggested solution is that there are people who do not have smartphones. This could be solved by allowing them to create a printed QR code on a daily or weekly basis, with the code having a fixed expiration date.
How to protect your data when choosing a vaccine passport app
Whatever solution your government, state, or health care provider offers, it needs to offer privacy and security by default, while still affording the person needing to verify status enough data to be certain that you are the person who received the vaccine or took the test. The key features I would suggest checking if you are contemplating using a digital vaccination passport app:
- The creation of the vaccination passport should verify the request against healthcare records.
- Only the minimum required data is used to create the passport: name, date of birth, and vaccination date. Enough to validate vaccination and if needed to validate identity against another source, such as a driver’s license.
- Communication and any data stored must be encrypted.
- No tracking of location or unnecessary collection of data, other than device data for the purposes of improving app experience as is normal.
- Confirmation by the pass holder when the passport is scanned for verification.
- Only download apps from an official source, such as the Apple App Store or Google Play Store.
In countries that have adopted GDPR or similar privacy legislation, such as CCPA, apps should be bound by the relevant privacy regulation to ensure the data subject, the individual, is afforded the privacy and security needed.
Looking back, what lessons should be learned from the pandemic in regard to technology preparedness? As regulators started approving vaccines, countries with centralized healthcare systems turned to existing patient data to deliver the shot in the arm; some had no centralized data and failed to get vaccines in arms quickly, as they needed to build systems to roll out mass vaccination programs. Did they not understand they would need this in the 9-12 months the world waited for the vaccines to be ready? Authorities are now building vaccine passport systems, post vaccine rollout. Was it not obvious to the decision makers that the world would need to know who had been vaccinated so normality could return? This was not rocket science, yet somehow we failed to be prepared.
written by Tony Anscombe, ESET We Live Security