Leave the Issue of Vaccine Passports to the WHO
The idea of vaccine passports or health passports has stirred opposition on both sides of the political spectrum. Recently, we published a piece by ID2020 explaining how such a passport would help to reopen travel.
However, privacy activists worry about the possibility of a slippery slope. BRINK spoke to Alexis Hancock, director of engineering of the Electronic Frontier Foundation.
HANCOCK: The word “vaccine” and the word “passport” carry a certain type of significance that isn’t exactly what these various apps were proposing themselves to be. A lot of people correlate having a vaccine passport with what they have now, like a yellow fever card from the WHO for international travel.
The problem is that some of this technology was presented early, and it gave people the sense that they had some sort of immunity from the virus and could carry that sort of status in society. Last year, we weren’t sure whether these vaccinations would be effective against transmission. The science was still out, and the science is still developing on these vaccinations. So that was one problem: that they carried a risk, because the sense of safety wasn’t there yet.
Can We Trust the Data Storage Companies?
I understand that people want to get back to normal life. But a lot of these so-called vaccine passports being offered by different private companies are filled with issues that haven’t been fully addressed.
BRINK: Why do you feel that the models that are so far on the market are not sufficiently private for users?
HANCOCK: The biggest privacy risk is having databases from different companies storing private medical information about people. We do not have a federal data privacy law protecting us in the U.S., so we just have to trust these companies that they are managing our medical information in a way that is ethical.
And so far, from what I’ve seen, the policies and the transparency around certain technologies are unclear. With New York and its Excelsior Passport, they rolled out a passport supported by the government, yet it is still not clear what they plan to do with all that medical data.
The Risk of Mission Creep
The second problem is the mission creep that occurs with these applications and companies. I’m nervous that frequent presentations of vaccination status could lead to more exposure of someone’s data, and the fact is that presenting your vaccination status will expand with these passports.
So right now, you may present it for international travel or for an educational institution, but it’s also being suggested that you can present your vaccination status anywhere, at bars, sports arenas, grocery stores, etc.
For example, in New York, the companies want to expand the Excelsior pass to hold people’s digital identification, like driver’s licenses, and other types of health information. To me, that means the technologists that were building it in the first place weren’t being transparent. Before the pandemic, it wasn’t that often that you had to show that you were vaccinated for the flu, for example. But now, with these vaccination passports, the data could get bundled in with different medical information and possibly an expansion of digital identity. That’s what I mean by mission creep.
BRINK: What about if it was just used for international travel? Is there a way to ring fence this to make a solution that just allows people to cross borders and allow travel to open up?
HANCOCK: Well, we already have a system that can show if you’re vaccinated for international travel that is privacy-respecting, and that is by being able to upload your results via PDF, things of that nature. The WHO is also working on developing a more expanded status to different, vital vaccinations. We have existing bodies that are governing that process that have more experience with disease control and the contexts that are needed to present vaccination status.
The Context Is the Problem
My concern is when it comes to these private companies, they aren’t necessarily working with the WHO. As a technologist, I have to say that with a lot of these technical solutions that I’ve seen, it’s not necessarily about the security mechanisms that they put in place. It’s the context that they’re being put in.
A lot of people are using buzzwords like “blockchain” to circumvent any questions about security and privacy and data security. The whole issue should have been worked through properly with public health officials, rather than having private companies present to different governments and different airlines that they have the silver bullet.
If you are going to build a system like this, you have to start with transparency, you have to start with privacy in mind.
I probably would have built technology and tools for resources that help people get vaccinated, that build health equity, and to help get to a place where they can move past this really devastating event, rather than having vaccination passports, which don’t necessarily solve the problems that they claim to solve. That’s where I would’ve left it; I wouldn’t have built this application at all as a technologist, if I’m being completely honest.