Pilot tests of ‘digital health passports’ are already getting potential travelers’ hopes up. But things are not so simple …

With the hope of vaccines working as planned, the idea of clearing air passengers expediently if they hold a ‘vaccine passport’—actually a secure mobile app—sounds useful.

Instead of carrying printed certification of being immunized and certified COVID-19 negative, a passenger just has to download a particular app supported by the airport being used.

Some airports (Rome, Paris, Singapore) and airlines (JetBlue and United) have been experimenting with such apps—also called digital health passports. Onsite testing facilities can certify anyone within 30 minutes, and the app will record the test results in a blockchain-protected QR code to be used for clearance at check-in and boarding. The app can also be used to certify vaccination status on top of a negative COVID-19 test result.

At the local level, such digital health certification apps can also be used to screen people attending concerts and events. Having such secure certifications, people can be processed more quickly, and depending on the rules of the destination country or event, be given self-quarantine or other exemptions.

How about data security?

The security implications of these digital health passport apps are similar to those of any healthcare app: any medical data on a person is of prime value to an attacker. Medical data is so valuable because of how personal it is. Even if the medical data is limited to a simple statement of vaccination, the nature of the pandemic makes even that data rather valuable.

Comments Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group: “For example, if there were a bug in the app or underlying service that caused it to display to someone that a vaccination protocol had not been completed when it had, then such an error could result in the traveler being denied entry or worse.”

According to Mackey, even though the data stored in such apps is protected by blockchain algorithms, “technology is far from foolproof. That is in part because there is no single solution to any problem, and often cool new technologies like ‘blockchain’ or encryption are applied without an understanding of how they might function under adverse conditions like those found during a cybersecurity attack.”

What is the solution?

Returning to a world where international travel and even air travel is once again commonplace is something we all want, said Mackey, but it requires far more than an app to be solved.

“Significant coordination between international entities is required to ensure that the data recorded by the app is correct and complete. Once in the app, the data needs to be verifiably secure and stored in a tamper-resistant form that itself cannot be modified. Building confidence around this process requires some of the transparency seen within open source software development where skilled practitioners are able to review the implementation and configuration of the proposed solution. Missteps along this path could easily tarnish the reputation of digital health passports and form a setback to the return to a pre-COVID-19 travel experience.”

Another issue is that there is no global standard definition of the term “vaccinated”. Outside of the Yellow Card, more formally known as the international certificate of vaccination for yellow fever, there is no internationally accepted means to confirm if an individual has met a specific vaccination requirement. “Considering the Yellow Card is itself a paper document signed by a medical professional who supervised the actual vaccination, that model would be difficult to replicate given the scale of COVID-19 vaccination requirements,” noted the security strategist.

Go or no go?

So it seems vaccine passports and digital health passports are still just an experimental idea whose time is yet to come globally. Numerous parties, such as IBM and the World Economic Forum, are developing their own versions of such apps, in the hope of hitting upon some formula that can be adopted if other apps fail to gain traction after launching in late February this year.

Given that the market for such apps (and the travel health testing and certification services linked to them) is worth around US$20bn, the technology could be a catalyst for resumption of world travel—assuming that vaccines will prove to be effective.

However, with innumerable other factors that could slip through any stage of infection control at any time in the future, let us all be wary of silver bullets and of investing premature confidence in technology just to “get life back to normal” fast. This was what caused massive waves of deadly reinfections in so many countries in the first place.