What is New
After a long fight with the COVID-19 virus, we seem to be slowly emerging from the long winter of our discontent. Governments are slowly working to approve, distribute, and administer vaccines while reducing restrictions imposed on citizens. Along with this, there are a growing number of proposals for digital vaccine certificates. Often these proposals link the vaccination status of an individual with a government-provided digital identifier to record and authenticate an individual’s vaccination status.
As digital vaccine certificates emerge, governments and private organisations will restrict access to services and shared spaces based on an individual’s status, excluding those who have not received the vaccine. These initiatives will require large-scale data collection and processing of sensitive health data creating the infrastructure for new forms of surveillance.
Public health authorities have a history of issuing vaccine certificates and maintaining vaccine records. Yellow fever vaccination certificates are used in international travel under International Health Regulations and administered by the World Health Organization. Beyond serving as proof of an individual’s vaccine status, it also contributes to avoiding duplicate vaccinations and facilitating proper administration of multiple doses. Similar systems are widely used around the world. When access to travel or public services is made contingent on having a vaccine, clear legal policies ensure equitable access to the required vaccines.
Proponents of digital vaccine certificates argue the need to prevent the creation of fraudulent records as well as making the certificates available to organisations ranging from custom and borders control to small business owners. These apps also offer a contact point for other services such as reminders about appointments, when the next dose is due, tracking side effects, and offering medical follow up.
What is different about COVID-19 is the digitised response. This ranged from the initial push to create contact tracing applications to developing systems for digital vaccine certificates that record and track individuals using information technology and digital records. Making access to places and services contingent on vaccine status raises concerns about exclusion and discrimination while the digitised response raises corresponding risks associated with mass data collection like data breaches while creating an infrastructure for the proliferation of centralised digital identity systems.
Risk of Exclusion and Discrimination
Digital certificate proposals raise concerns about discrimination towards those who have not received the vaccine for one reason or another. On the one hand, many people around the world are still waiting for access to COVID-19 vaccines. Some governments lack the resources for first access to the vaccines while others face challenges related to distribution. This often means that marginalised and vulnerable populations will be the last to receive vaccines, if they get them at all.
If the primary use of digital certificates is to grant or deny access to travel, work, social services, and public places, these programs may push those already facing exclusion and discrimination further to the margins of society. If digital vaccine certificates are mandatory for travel, this would severely restrict individuals crossing borders out of necessity like refugees and migrants.
And what happens for individuals who have other health-imposed restrictions or lack access to the internet and internet-connected devices and cannot make an appointment? Even if they do have the vaccine, how would they share that information digitally? Others in communities with access may be excluded from vaccinations because of existing medical conditions or religious objections. These individuals will then be systematically excluded from participating in a vaccinated society without access to services and public spaces.
Privacy and Security Concerns
The rollout of the vaccine and proposed vaccine passports also raises privacy concerns. Member States in the EU must take the General Data Protection Regulation (GDPR) into consideration when rolling out vaccine passports. What would be the legal basis for data collection and transfer? How long would the data be stored? A person’s agency to give consent is severely limited if a digital vaccine passport is the only way to participate fully in daily life. Other concerns relate to the mass collection of information by government and corresponding surveillance concerns while centralised data centres serve as a valuable target for cybercriminals.
Digital vaccine certificates would significantly expand the amount of data collected about vaccination status while generating ongoing data collection about where and when a digital vaccine certificate has been used. This creates inevitable concerns related to mistakes while creating a target for cyber-attacks. These concerns are exacerbated by the creation of a centralised digital identity system serving as a new health identity infrastructure.
In 2020, Jamaica released the JamCOVID app and website, a centralised platform showing information about the COVID status of individuals in the country with tools to self-report symptoms and obtain pre-approval to visit the country. Visitors upload their travel information and a negative test result to obtain approval. In February 2021, journalist Zack Whittaker broke the news that the cloud storage server containing travellers’ information had been left unprotected without a password. More than 70,000 negative COVID results, 425,000 immigration documents, travellers’ signatures, and more than 1.1 million check-in videos were open to exposure.
One of the most worrying aspects of digital identity systems is the interlinking of various aspects of a person’s life linking tax records, mobile numbers, health data, financial record, and other registrations under one centralised identity system. The collection and use of health data should be grounded in the principles of necessity and proportionality in accordance with prescribed laws. This would seek to avoid situations like in Singapore where law enforcement officials were able to access data gathered through the TraceTogether and SafeEntry contact tracing applications for criminal investigations. This is not what the data was supposed to be used for.
Centralised digital identity systems are susceptible to mission creep, growing far beyond the uses and limitations that were first envisioned. In India, the Aaroygya Setu contact tracing application was promoted as a one-stop solution for everything related to COVID-19 asking for personal information including habits and current symptoms. The government later used that data to create databases managed by different ministries. For the distribution of vaccines, the government of India rolled out the Co-WIN 2.0 platform using that information to populate the database for the Digital Health ID and forcing individuals to use a system used to populate India’s digital identity program.
Another lingering concern relates to retention periods and how long this sensitive data would be stored. Outside of Europe, many countries are only at the stage of proposing data protection legislation creating a worrying situation about misuses of health data. No one wants to create a situation where individuals would be forced to compromise their fundamental right to privacy to maintain or gain access to essential services and the freedom of movement.
A digital vaccine certificate will require the collection of sensitive personal data. The use and collection of this information should be bolstered by comprehensive data protection laws leveraging the GDPR and the protection of data subject rights including the right to access and correct data and, when the time comes, limiting collection and use of this personal data and eventually deleting the data.
Recommendations on the Use of Digital Vaccine Certificates from Access Now
Do What is Effective, Not What is Trending
Existing vaccine certificate systems work and do not carry dangers of expansive digital vaccine passport programs and infrastructure.
Prioritize Data Protection
Minimize data collection and retention following privacy-by-design principles
Be Transparent in both Design and Implementation
Keep in mind uncertainties about the landscape of vaccines and their long-term efficacy including unintended consequences of new digital vaccine passports.
Be Equitable and Inclusive
Access to digital vaccine certificates should be free, accessible, and paired with easily accessible paper-based forms as an interchangeable alternative.
Limit Use of Certificates
Digital vaccine certificates should not be treated as another tool for accelerating digital transformation and must not be used to advance adoption of centralised and mandatory digital identity systems.
Governments should include sunset clauses and strict data retention periods to avoid expanded surveillance, silencing dissent, and restricting freedoms of expression, assembly, and movement.
Don’t Create Division
Digital vaccine certificates should not be mandatory for exercising fundamental rights and freedoms. Systems that make digital vaccine certificates a requirement will divide and exclude.