As the first vaccines against COVID-19 roll out, governments and institutions across the world are scrambling to figure out how to provide proof that someone has been vaccinated. Paper certificates, PDFs, wristbands and mobile apps have all been suggested — and the former director of the Centers for Disease Control, Tom Frieden, and international human rights attorney Aaron Schwid urged the adoption of digital “immunity passports” as a way to reopen the world.
In theory, their idea is great. In practice, it’s terrible. Or, as the Daily Beast put it: “Vaccine Passports Are Big Tech’s Latest Dystopian Nightmare.”
As a solution to an urgent problem, immunity or vaccine passports sacrifice data privacy and security. There’s a price to pay for being able to prove you’re vaccinated and its permanent access to the rest of your data or compulsory enrollment in a health app. There are all sorts of unintended consequences. While Frieden and Schwid recognize this — and admit that these risks will deter some people from getting vaccinated — they don’t seem to have an answer to this problem other than to suggest that “trustworthy and consistent standards” will, somehow, ride in like the cavalry that saves the day.
This is infuriating — because there is a way to have proof of vaccination and personal data privacy and security. There’s an entire community devoted to building and advancing this technology, which is called decentralized identity. It’s a new consent-based mechanism for using verifiable credentials to prove who you are and things about you without anyone else — looking at you, Big Tech — managing, storing or selling your data.
Verifiable digital credentials on a decentralized network can be rapidly scaled to meet the challenge of proving people have received a COVID-19 vaccination and any necessary subsequent doses and providing them with the privacy and security they deserve.
This technology may be new to the public health community and policymakers. But organizations like the United Nations and Organisation for Economic Co-operation and Development see it as the future, and innovative global enterprises are building that future right now.
Just how bad are immunity passports? Very bad
Digital “passport” solutions rely on storing your data in a corporate silo. This is the centralized data model that we’ve been stuck with due to the absence of a reliable way to verify identity online. Someone else gives us an identity — an email account, a shopping account — and requires us to give them proof of who we are, where we live and so on.
Over time, these third parties — Amazon, Facebook, Google, etc. — have tracked our behavior to better design products and services. Sometimes, they sell that data so others can do the same. We consented but not in a meaningful way. Repeatedly, our data was taken; increasingly, it became clear that even when legally held, it was being used in ways that were exploitative and invasive.
At the same time, all but the most elaborate physical documents can be forged. In many areas of the world, paper cards, PDFs and printed emails are being accepted as valid proof of COVID-19 testing. Similar methods are being considered for vaccination proof, requiring just the recipient’s name, the type of vaccination, date, location and provider. How is this likely to turn out? Recently, a group was arrested for selling fake COVID-19 test results at Paris’ Charles de Gaulle Airport. Unless physical proofs of vaccination have the tamper proof qualities of actual passports, they will be forged.
There’s also a third problem: An “immunity passport” is a misnomer. It does not ensure immunity because our understanding of COVID immunity is incomplete. Scientists have found that having contracted and recovered from the disease in the past is not a guarantee of future immunity. For this reason, the World Health Organization has actively discouraged the use of “COVID passports.” Similarly, not all tests for COVID-19 are created or treated equally, leading some institutions to only recognize tests from pre-determined providers and locations. Governments have different mandates for when travelers are tested. A passport needs to be a living document that adapts to science and policy.
Verifiable credentials solve these problems
Verifiable credentials mitigate all these problems. A verifiable credential can be issued by a health provider to prove that you have been tested or vaccinated. The form of that credential is written to a distributed ledger — but not the content. So, if you are asked for proof of a COVID-19 test, the proof is the form of that credential and the specific cryptographic keys that show it has been issued to you. The content — all your personal data, including the outcome of the test — is held by you and you alone. You get to decide if you share that information or not. The form it is bundled in — the credential — is the only thing that needs to be verified as coming from an authentic source.
Decentralized identity means that people have control over their own private information instead of being required to relinquish it to some corporate database.
Additionally, because the form of the credential and proof of issuance are written to a distributed ledger, verifiable credentials are tamper-proof and cannot be forged. They can also be simply and quickly reissued to adapt to new medical information and government mandates.
We can have our privacy and our proof of vaccination
The COVID-19 pandemic has understandably led to much armchair epidemiology and immunology. It’s also understandable that public health and policymakers aren’t aware of next-generation technology when confronting the practical challenges of global vaccination. And while some may see decentralized identity as the solution, decentralized identity is the most transparent answer showing what it is and what it does. No personal identifying information gets posted anywhere. Sharing is by consent. This is a technology to give people control of their data, and it is designed at a foundational level to be private and secure.