Global ‘Vaccine Passports’ Raise Concerns Over Privacy and Inequity

By Aishwarya Jagani

As governments and airlines worldwide prepare to issue “vaccine passports” — digital details of a person’s COVID-19 immunization status — privacy advocates are concerned over the security and privacy risks the documents pose. 

“Any information shared digitally is at risk of being leaked,” Alexis Hancock, of the Electronic Frontier Foundation (EFF), told Digital Privacy News. 

“And without good digital-privacy law internationally, this information can become easily associated with the rest of a person’s data without their knowledge and informed consent.”

Critics expressed fears that these digital passes could put sensitive medical and health data in the hands of authorities and law enforcement, endangering the privacy of millions of citizens.

A centralized database containing information on the names, ages, vaccination status, biometric or facial data and more is at high risk of being breached, they argued. 

Other worries included mandates regarding storing and displaying such information on one’s phone without the option of paper variants, unlike traditional passports. 

“Any information shared digitally is at risk of being leaked.”

Alexis Hancock, Electronic Frontier Foundation.

“Our smartphones hold so much information about us — and in sensitive scenarios, you may not want to unlock your phone in order to enter a venue or travel,” Hancock said. 

She further noted that this data would not be covered under the federal Health Insurance Portability and Accountability Act (HIPAA), as vaccination data is not considered a medical record. 

Vaccine passports also raise issues of inequity, since not everyone may not have access to the COVID-19 vaccine.

‘Inadequate Privacy Policies’

Last October, Estonia was the first country to begin developing an International Certificate of Vaccination, in collaboration with the World Health Organization.

The e-vaccination certificate — or “smart yellow card” — would be a digital version of the yellow vaccine booklet required to enter many countries.

By February, Israel’s “Green Pass” and Bahrain’s “BeAware” app were among the first few vaccine passport variants to be launched.

Countries like Japan and the U.K. also are pondering similar digital passes to allow citizens to move around freely and revive their economies.

On Wednesday, the EU launched an effort to create a joint vaccine passport, expecting to have the “digital green certificates” ready by June, The Washington Post disclosed.

The passes, to be digital or paper, would allow travelers to prove that they have been vaccinated, that they had recovered from COVID or that they had recently tested negative, according to the report. 

In many cases, the passes could free travelers from quarantine restrictions. The EU has more than 440 million citizens and residents, the Post reported. 

In the United States, the Biden administration is under pressure from airlines and business groups to take the lead on developing a standardized digital pass.

The White House has not immediately commented in response to news reports on the issue.

Airports, restaurants, sporting events and workplaces could soon require individuals to flash a digital pass — proving they have been vaccinated, or recently have tested negative for COVID — in order to enter. 

“Is there a need to collect data?”

Saikiran Kannan, Capgemini firm.

But most of these digital passes have serious privacy and security flaws, according to a January report by Top10VPN, a U.K. security research company.

According to the company, 82% of the 65 apps surveyed had “inadequate privacy policies.”

Security Concerns Abound

EFF’s Hancock told Digital Privacy News: “Having such sensitive data stored alongside biometrics and other user info, with only a promise from companies that they will keep user data safe, is a security concern.”

Saikiran Kannan, a data expert and senior consultant at the Capgemini firm in Singapore, pointed out how these passports could help governments track people traveling outside their countries. 

Kannan also questioned the need to collect data at all — noting that governments already know if someone had been vaccinated, and combining this with travel data could infringe traveler privacy. 

“Different pieces of data, which are not personally identifiable information (PII) individually, become PII when combined,” he told Digital Privacy News.

“There’s always a problem when governments start collecting data, because there is so much data that’s already been collected.”

“My point is, is there a need to collect data?”

Other Solutions

But officials at two British companies, Mvine and iProov, said privacy fears were being overstated. The companies are jointly developing solutions to keep vaccine passport apps secure.

Andrew Bud, iProov’s CEO and founder, told Digital Privacy News that its solution would eliminate the need to collect unwarranted information about users.

“Our objective is neither to store, nor to share with certificate checkers, any identifying data.”

Andrew Bud, iProov.

“Our objective is neither to store, nor to share with certificate checkers, any identifying data such as name or address,” he said.

As for using of facial biometric data for identification, Bud added: “It eliminates the need to corroborate via redundant, privacy-compromising data such as name and date of birth.”

He added that the Mvine-iProov solution was less violative than the traditional yellow card, as it does not include coordinates of personal identity. 

Other Criticisms

Still, critics long have contended that a common database with biometric data, medical and health information —  along with other personal data — could create a “permanent health surveillance” system.

This also could perpetuate inequities, they said, such as discrimination against people who choose not to get vaccinated, or are unable to be vaccinated due to lack of access or because they are immunocompromised. 

Further, digital-only solutions are at risk of being inaccessible to people who do not use smartphones. 

With smartphone penetration at 81% in the U.S., 78% in the U.K. and an estimated 75% to 77% in the EU — according to Newzoo, a gaming research firm — a significant portion of the world’s population risks being sidelined in a global vaccine passport rollout, critics said.

Also in the Works

Other organizations also are developing vaccine passports.

The International Air Travel Association (IATA), the Montreal-based industry group, said it planned to introduce a secure, decentralized document — the “IATA Travel Pass” — by the end of the month.

Etihad Airways and Emirates Airlines plan to use the pass, said IATA’s Alan Murray Hayden.

“There is no central database,” he told Digital Privacy News. “All data is stored on the user’s own phone.

“Passengers have full control over their own data on their phone and can choose to share it with airlines and other parties.”

“It is more secure and efficient than current paper processes used to manage health requirements,” Hayden added, citing — for instance — the International Certificate of Vaccination or Prophylaxis, or the yellow card.

“There is no central database. All data is stored on the user’s own phone.”

Alan Murray Hayden, IATA.

Experts believe minimal data-collection is key to building a safe solution that respects privacy. 

“The ideal solution,” Capgemini’s Kannan said, “would be that you basically have to facilitate a situation where the passenger is only allowed to show proof of him or her having tested negative and nothing else.

“A solution where people’s personal details are not compromised, that would be the best way forward.”

Aishwarya Jagani is a writer based in India.

Digital or Paper?

Digital vaccine passports are becoming more common among governments, experts said, because they expedite the check-in process and are more efficient than paper ones.

“The need for digital proof of vaccination, it’s very similar to the need for digital passports,” Alan Murray Hayden of the International Air Travel Association told Digital Privacy News.

The association is expected to launch its digital “IATA Travel Pass” by the end of the month.

“If a passenger needs to prove either of these elements based on paper documents, then it requires manual intervention by agents at the airport,” Hayden said.

But paper documents have “huge capacity implications for airports, as agents are manually checking documents of all passengers,” he said.

Because of COVID, “airlines are carrying 10% of the normal passenger volumes, but have more check-in agents working at the airport than during the busiest day of the summer,” Hayden explained.

“If we’re going to return to carrying volumes of passengers, then we need an automatic way of verifying people’s identity and digital proof of test-vaccination.”

Alexis Hancock of the Electronic Frontier Foundation also noted the convenience of digital passports.

“I imagine the push for digital is that many people have a mobile device on their person most times, and (governments) want to create a more streamlined way to reach people,” she told Digital Privacy News.

“However, not all devices and data plans are made equal — and many people do not have a smartphone, still,” Hancock added. “There still should be paper options with any digital solution ‘they’ roll out.”

— Aishwarya Jagani