COVID-19 Vaccine Passports - between the Devil and the Deep Blue Sea
Vaccinations have been rolling out now in many countries. There is a real interest in how we can move out again with some sense of trust, and health.
The term COVID passports has emerged, creating a state of dystopian reality that’s discussed worldwide. Ethical and legal questions surfaced to discuss equity, privacy and security issues.
Are we going to be tracked?
Is it going to be sent from my immigration status?
Is it going to be linked to housing?
What about the people with health and religious exemptions?
Should we expect airlines to introduce vaccinated flights for customers who rather not travel with unvaccinated people?
And then perhaps “open flights”?
Would there be that type of distinction that might be coming our way?
No rush for vaccination, just get the certificate
Vampires can’t walk in the sun, but during the standards’ eclipse, they found Darknet an ideal place to survive.
The darknet or dark web is a network within the internet that can only be accessed with specific software. There are also multiple channels on Telegram, an encrypted messaging service, some of which have more than 1,000 subscribers. Researchers say they have seen a “sharp increase” in vaccine-related darknet adverts.
They detected about 20 dark web vendors by November last year, which grew to 600 in January and more than 1,200 by March.
Covid-19 vaccines, vaccine passports and faked negative test papers are being sold on the darknet. Prices range between $500 (£360) and $750 for doses of AstraZeneca, Sputnik, Sinopharm or Johnson & Johnson jabs.
Fake vaccination certificates
Fake vaccination certificates are also being sold by anonymous traders for as little as $150. Another advert on a hacking forum is offering fake negative tests and reads: “We do negative Covid tests, for travellers abroad, for getting a job etc. Buy two negative tests and get the third for free!”.
Sellers predominantly request payments in Bitcoin, with rare exceptions accepting another cryptocurrency. That makes the payments harder to track and protects the sellers’ anonymity.
After the UK ministers announced the return of overseas holidays, the travellers were required to show proof of negative tests and vaccine passports. The Independent said that More than 100 people a day are trying to enter the UK using fake Covid test certificates as individuals attempt to get around current entry requirements, which include tests before and after travel and can cost individuals hundreds of pounds.
Researchers found evidence of forgeries of vaccine cards by the NHS and the US Centers for Disease Control and Prevention (CDC) alongside fake test certificates, all available for sale on the dark web and through easy-to-access platforms including the messaging apps WhatsApp, Telegram and Jabber.
“Police in China and South Africa have seized thousands of doses of counterfeit Covid-19 vaccine and made dozens of arrests. In China, police made 80 arrests at a factory allegedly making fake vaccines, where at least 3,000 doses were found. Three Chinese nationals and a Zambian were detained at a warehouse in Gauteng, South Africa, where ampoules containing 2,400 doses were discovered,” The Interpol reported.
Oded Vanunu, the Head of Products Vulnerability Research at Check Point Software Technologies, added, “People proudly post images of themselves holding the cards on social media, unknowingly providing the source of the fakes. Without an official global database that records people’s vaccination status, the system will be open to fakes and forgeries”.
Initiatives meet ethics in Europe
The initiative started at the end of last year when European countries were about to start their vaccination campaign. They then organize meetings with all those member states to see if they can come to some sort of agreement on how to deal with cross border travel after the opening of the border. They had a wide variety of entry rules in the European Union where some Member States required one PCR test, and always required additional rapid tests. So they had quite some different entry rules for cross border travel within the EU. There was the fear that proof of vaccination would at some point be added to that equation. The European Commission and the EU countries construct a common roadmap for the uniform and interoperable proofs of vaccination (vaccination certificates). The Commission and the EU members have also worked together for efficient contact tracing and warning apps. In January, the whole set of guidelines laying out interoperability requirements of digital vaccination certificates were adopted, building on the discussion held between the Commission and the Member States in the eHealth Network since November 2020.
The Commissions’s Proposal
The Commission drafted a little legislative proposal for a regulation for digital green certificate adults published on March 17, 2021.
The proposal set the condition upon which all certificates need to comply with and the core of it, then the regulation ensures that there is reciprocal access acceptance of three types of certificates across the union, vaccination is one of them. Tests are the second and recovery certificates are the third proof of natural immunity.
So it’s all about preventing transmission of the virus based on either vaccination or having a recent negative test or having recovered from an episode of having COVID.
In April 2021, Member States’ representatives in the eHealth Network agreed on guidelines describing the main technical specifications for the implementation of the system. This was a crucial step for the establishment of the necessary infrastructure at the EU level.
The EU Digital COVID Certificate reached another important milestone in June 2021 with the go-live of the technical system at the EU level, which allows verification certificates in a secure and privacy-friendly way. The EU certificate was proposed by the Commission to resume safe travelling this summer. It will be free of charge, secure and accessible to all. Available in digital format or on paper, it will be proof that a person has been vaccinated against COVID-19, tested negative, or recovered from an infection.
The Information System underneath the Covid Pass
The EU gateway was set up by T-Systems and SAP and is hosted at the Commission’s data centre in Luxembourg. It allows users to verify the digital signatures contained in the QR codes of all certificates without the processing of personal data. The signature keys needed for this verification are stored on servers at the national level; through the gateway, these keys can be accessed by national verification apps or systems all across the EU.
If people couldn’t trust these apps, they wouldn’t use them. The reference software and apps for the issuance, storage and verification of certificates were developed by the commission to facilitate the roll-out at the national and international level.
The applications are published on GitHub in a fully open source license, you can find the source code on GitHub. The software is open-source, and being able to show what’s running underneath. There’s also an open governance model to how this software is built, that the conversations around design and such are happening on a very transparent basis, and taking into consideration the full range of different policies and ideas that span from Europe to Asia to positions in the US and elsewhere.
That will allow citizens to have their verified test certificates in a privacy friendly way on a mobile device or in a paper form to enter music festivals or, football matches, and museums. This solution prevents us from being tracked, the QR codes are changing every few minutes and it doesn’t fully identify you so that people cannot track your identity over and at the same time still being able to show it’s you who is negative.
Vaccination is voluntary, and it cannot be cursed, and there is a free choice to choose one of the three ways of proving you are not able to transmit the virus when crossing the borders. According to the roadmap, the EU digital COVID certificate enters into an application throughout the EU in July.
Without Standards There Can Be No Kaizen
Kaizen is a Japanese term meaning “change for the better” or “continuous improvement.” The philosophy of Kaizen sees improvement in productivity as a gradual and methodical process. Kaizen comes from standards that we miss today in most vaccine passports debates, causing a lot of confusion. People want to know that they will be banned. What are the red lines?
In the USA, the Biden administration said there will be no federal mandate in the United States requiring everyone to obtain a single vaccination credential. States like New York have already introduced a State pass that certifies that one is vaccinated and recently tested. But States like Florida and Texas, the Governors have said, you can’t do it since the Government prohibits the mandated vaccination, barring businesses from requiring the customer to show such credentials.
We have seen other States such as California, which is working right now on a policy that will say if you go to an indoor live event, such as a concert, you must have proof of a vaccine, or you must have proof of a negative COVID test within a certain amount of time (At a recent Bruce Springsteen concert AstraZeneca-vaccinated people were not allowed. Only those having received Pfizer and Moderna.).
Policymakers are overmighty in terms of what works for their State, what works for their population. The problem is to see some decisions become so politicized and people are concerned that this is going to create barriers or a caste system.
There is a real danger to ostracize the not vaccinated and elevate the vaccinated people if the entire process is not ethically standardized.
States are taking things into their own hands, and the US is a country with State rights, often proceeding, federal guidance (no federal ban on this). Last week, for instance, we saw 95 bills in 36 States prohibiting employers, or the Government from either mandating a vaccine or discriminating against vaccination status.
“When employers and workers see headlines about States with vaccine passport bans, they should understand that these directives are a lot more nuanced than a simple headline may convey,” said Brett Coburn, an attorney with Alston & Bird in Atlanta.
Brooke Schneider, an attorney with Withers in New York City, noted that asking employees whether or not they have received a vaccine is different from requiring a vaccine passport. “Inquiring about vaccination status will ultimately enable employers to better create or revise their return-to-work policies with an aim toward providing sufficient health and safety protections without being overly restrictive.”
Public health and ethics experts agreed that the Biden administration needed to strike a careful balance: Encourage shots and support the private-sector initiatives but don’t put too much federal emphasis on the looming passports.
“If it became a government mandate, it would go down a dark road very quickly. It becomes a credential. It becomes a ‘needing your papers,’ if you will. That could be dangerous — and it could turn off people,” said Brian Castrucci, who leads Bethesda, Md.-based de Beaumont Foundation.
“It has to be that everyone can get it, and it’s their choice, as it were. The one thing I am concerned about is that some people won’t be able to get vaccinated for a variety of reasons,” said Ezekiel Emanuel, a University of Pennsylvania bioethics expert who co-authored a Journal of the American Medical Association article last year about the ethics of immunity certificates and advised Biden’s transition team on the coronavirus.
Donald Rucker, who led the health IT office during the Trump administration, said. “Myriad technical issues await the rollout of vaccine credentials, including how they are tracked, whether they are enforced and who pulls together the initial records of which Americans have gotten shots.”
The lack of standards means more ambiguity and barriers and one unavoidable consequence of this is going to be less interoperable solutions between countries, making unethical and illegal markets appear.
Distinctions between EU and US passport regulations
I think the important distinction between the EU initiatives and the situation in the US is the various nation-state efforts on just opening up society, which might have a different track. In the US, there is an ongoing debate over the federal mandate and the private sector contribution.
According to the European standards, however, there are three ways of showing your certificate. There is one, which is for domestic use, which doesn’t show any details. There is one that’s for cross border use that shows your identity and there is one for medical use that fully shows all your vaccination details. So there are a few use cases and all of them have different datasets.
Linux Foundation Public Health (LFPH) propose the Global COVID Certificate Network (GCCN)
Linux Foundation Public Health (LFPH) has been working on the COVID credential initiative along with public health authorities around the world on several different technologies suitable for fighting against the pandemic. They are working on the Global COVID Certificate Network (GCCN) to facilitate the safe and free movement during the COVID pandemic. GCCN will establish a global trust registry network that enables interoperable and trustworthy exchanges of COVID certificates among countries (EU, non EU, US).
The effort is initially supported by Affinidi, AOKPass, BlockchainLabs, Evernym, IBM, Indicio.Tech, LACChain, Lumedic, Proof Market and ThoughtWorks, who have implemented COVID certificate or pass systems for different governments and industries worldwide.
“We are interested to learn about how LFPH is taking bold steps in creating the Global COVID Certificate Network in order to facilitate trust building and interoperability for safe borders reopening in respect of the European charter for human rights and the regulation for privacy and personal data.”
Still, navigating different and sometimes conflicting State and local laws is tricky. Employers will continue to face enormous challenges as they relax their COVID-19 safety policies and reopen their worksites, said Dane Steffenson, an attorney with Littler in Atlanta.
“Workers read about lifted restrictions and may not understand that the guidelines might not apply to the workplace,” he said.
LFPH applied a new field of self-sovereign identity, which is kind of a new take on a distributed digital identity that has evolved over the last five years and is running in production in several different countries. That fundamentally moves us away from this idea of identity being something interesting about us. You could present the certificates in different places with no real-time check between for example the bouncer at a kind of concert or the ticket taker at a concert, and the issuer of that credential. Citizens only want a one-time pass or very limited time pass in which the amount of information in that is dramatically smaller than you would have in your proof of vaccination so the process is done very locally and it’s privacy-preserving. The public collaboration of the open-source community knows how to do well.
What has come out of this are some realizations, the first wave of apps that we’re seeing, whether it’s the Excelsior pass in New York, whether it’s things like the common pass system being used elsewhere, really don’t answer the true needs of privacy and don’t meet the expectations of citizens for what these digital versions would like to do.
“Understanding what a vaccine passport could be used for is a fundamental question – is it a passport to allow international travel or could it be used domestically to allow holders greater freedoms? The intended use will have significant implications across a wide range of legal and ethical issues that need to be fully explored and could inadvertently discriminate or exacerbate existing inequalities” Prof. Melinda Mills Professor of Sociology at Nuffield College explained
We need to first separate the idea of proof of vaccination, verification of vaccination or test results, or even a statement from a doctor that’s been recognized by an authority that says I am not able to get the vaccines that are available today, and we have to consider that from an equity point of view.
SET-C (Science in Emergencies Tasking: COVID-19) group published 12 criteria that should be satisfied to deliver an effective vaccine passport. The report (PDF) highlights key challenges such as the need for more information on the efficacy of vaccines in preventing infection and transmission by the currently circulating viruses, including genetic variants and the duration of protective immunity to establish how long a passport might be valid. Other issues highlighted include the technical opportunities and challenges of having systems that can work seamlessly with each other and the need to meet legal and ethical standards.
Finally, If we were to use these credentials in the wrong way, if we were to design the protocols in the wrong way, then that concert hall, the restaurant and the government authority would all be able to collude to build a picture of where you go and what you do and that would be a real, not only a shame, contributing to the surveillance dystopia.
My name is Ahmed Hemedan, I am a doctoral researcher at the bioinformatics core unit, LCSB at Luxembourg University. The research of my work covers a broad spectrum of applications of data science, bioinformatics and systems biology in the
life sciences. This includes the integration and interpretation of large omics datasets to the Disease Maps aiming to translate them into novel medical insights.
Furthermore, I use the revolutionary advances in artificial intelligence to develop machine learning-based paradigms to solve critical problems in medical research.
This resulted in a range of publications in peer-reviewed open access journals. Additionally, I use and extend the principles of the General Data Protection Regulation (GDPR) to make the research outcomes more personalized and FAIR.
I am advocating ethical approaches with all its facets (data, publications, source code of research software, etc) and I am active in communities promoting and implementing this for example The Carpentries community.
As a certified carpenters instructor, I try to empower biological researchers and librarians by teaching coding skills to work more efficiently and effectively with data, information and knowledge.
Contacts and links :
● Simply, send me a friendly email or If needed use my PGP key to encrypt the message. Find more crypto-goodness on keybase.
● ORCID identifier: 0000-0001-7403-181X further information/statistics regarding my publications can also be found on my Google Scholar.