Editorial

What could Digital Vaccine Passports mean for the future of digital identity

DigiCert’s Stephen Davidson looks to the rest of the world to see what a vaccine passport may look like

Posted 19 May 2021 by Christine Horton


As Europeans hope that summer will herald the end of the pandemic, everyone is anxious to plan a well-earned holiday and enjoy a reprieve from the drawn out health crisis.

At the start of the pandemic, there were a flurry of creative approaches until norms could be established, first at the national and regional levels and then internationally. The same pattern occurred for vaccination, and is now underway for the portable immunisation records which will help restore our old social and travel freedoms.

The idea of electronic “Vaccine Passes” is quickly gaining both traction allowing citizens the ability to prove either their vaccination status, the results of recent COVID testing, or recovery from the disease. 

We see many examples being trialed for different reasons. For example, New York State’s Excelsior Pass is intended to safely enable large crowd gatherings such as sporting events or nightlife. Other groups such as the International Air Transport Association TravelPass and the International Chamber of Commerce AOKPass are also trying apps and credentials tailored to their respective communities’ needs.

A variety of countries are also testing these credentials. Israel has introduced the Green Pass app, China leveraged the social media service WeChat, and France is trialing their own vaccine pass with the French territories of Guadeloupe and Martinique.

Perhaps the most hotly anticipated project is the EU’s Covid-19 Certificate proposed by Ursula Von Der Leyen which is aimed at restoring the “right of free movement” of EU citizens that was curtailed during the pandemic with measures such as closed borders, quarantines, and mandatory testing.

Work started at the beginning of March, with experts working to release the EU Covid-19 Certificate in the next few months. The project requires both the ability to roll out at speed to large populations and to be relied upon by a wide array of endpoints. European leaders have repeatedly stressed the need for a common approach, the need to resist the variety of proprietary standards that have come forward for fear of fracturing the process, and the necessity to protect personal privacy.

What kind of identity?

The very concept of a vaccine pass is worrying for some people who may be suspicious of credentials being used to restrict their activity. While the reality is that vaccine registries have existed for years, the advent of new technology and apps add new possibilities for data to be used or even abused.

Above all, the creators of vaccine passes must earn the trust of users by being transparent about how the credential works, what it contains, and who may rely upon it.  Vaccine passes should be voluntary, under the control of the user, and feature strong protections for personal data and privacy.

In addition, the vaccine passes must contain nothing more than what is needed for their task. The temptation may exist to “overdo” identity, with developers inventing new identity regimes or inappropriately correlating other data with immunisation status. Pursuing these paths, however, may confuse undermine stakeholder trust and impair progress.

Digital Jaune Carte

It is important to remember that vaccine passes are not new; the cutting edge is the World Health Organisation (WHO) “Carte Jaune” or Yellow Card which has been used since the 1930s. Standardised internationally, the Yellow Card is a booklet that your doctor can sign whenever you have a vaccination. It’s simple, contains just the required information, and is under the control of the individual to show to relevant authorities such as border control. Many commentators believe the best course is to find a way to update the Carte Jaune with modern protections against counterfeiting.

EU Covid-19 Certificate

Indeed this is the approach being taken by the EU’s Covid-19 Certificate. Under that plan, the 27 EU national health authorities would be enabled to issue the electronic credentials; this makes sense as they are already the custodians of the immunisation information. Citizens can store the credential on a mobile device (with or without an app), or even request a paper version. Both will feature a QR code containing essential information about the holder and their immunisation status that can be visually scanned by many mobile devices.

The system will rely upon well-established Public Key Infrastructure (PKI) concepts that are already well proven in similar circumstances such as for e-passports, and in many IoT deployments that require fast authentication of users, protection of data integrity and privacy, and acceptance/validation by diverse relying parties.

In this case, the QR code will include an electronically signature that asserts the legitimacy or origin of the credential and the fact that the data has not been tampered with.

Using PKI, the European Commission will build a single gateway that relying parties may use to verify the QR codes’ signatures no matter which country issued the passport. The personal data encoded in the certificate does not pass through the gateway, as this is not necessary to verify the signature. The Commission will also help Member States to develop software that authorities can use to check the QR codes.

Europe and Beyond

The return of international travel is something holidaymakers, the travel industry and the global economy are eagerly awaiting. The EU’s Covid-19 Certificate may offer a template to unlock not just European travel, but global travel too. In addition, Europe often serves as a standard setter for international data protection. The General Data Protection Regulation has served as a reference point for regulations around the world since it came into force a few years ago.

However, before those possibilities can be realised the digital identities that hold them up have to be carefully considered and weighed. The return of international travel depends on it. 

Stephen Davidson, senior manager in DigiCert’s global Governance, Risk and Compliance