As Brussels tables plans for vaccine certificates with the goal of opening up travel to and within the EU this summer, there are still unknowns and ethical considerations to address, particularly with regard to transmission risk. There is also a need to take stock of the changing nature of risks that may be less obvious in current debate.
Should such passports emerge, it is essential that people are not too quick to be driven by the potential advantages, but also anticipate potential risks to individuals and their privacy. It must be recognised, particularly, that they would be introduced at a time when digital systems and online services and resources are growing exponentially. COVID-19 has heightened this development, but digital capabilities have been reshaping how we live and work, and our willingness to share data for some time.
Talk of vaccine passports hasn’t been limited to the opening up of international travel, but rather society more generally, to facilitate dinner out at a restaurant, or entrance to events and attractions. Many people are accustomed to completing online forms when reserving at a restaurant. Could the vaccine passport be set to add a new dimension to the sort of private data being shared?
Vaccine passports would in effect be an identity document that confirms privileges and rights for people. As we embrace digital services, we have fuelled a growing reliance on digital verification of identity: Many organisations store and rely on identity data, much of it given voluntarily by the identity holder.
There has also been an explosion in services that verify identity, social media sites that allow people to use their log ins for other services, including storefronts for small businesses, being a prevalent example. The risks to people associated with failure or misuse, incentives to commit fraud, compromise privacy and the vulnerabilities to these risks are evolving with their use.
The restaurant reservation scenario highlights a need to consider new vulnerabilities and incentives for identity theft in an environment where many may lack the entitlements an individual may have. Vaccine passports put a spotlight on these challenges, and the need for strong debate around how we could or should move forward given our reliance on digital capabilities.
Governments around the world are also advancing plans to establish national digital identity schemes. Digital identity systems are effectively taking a place within a country’s infrastructure: Ambitions are broad and can include the ideal of a unified global system designed to underpin public and private organisations. Overall, these developments should also be grounded in understanding of how they may introduce risks to the individuals and communities they serve, including risks to individual privacy.
There is great opportunity to review conventions that drive current behaviour and elevate new thinking, while also advancing many practical solutions for the protection of privacy that have all too often eluded us in the transition to digital thus far. Data science is advancing new techniques for encryption and privacy-enhancing technologies, for example, that increasingly mean access to raw data isn’t necessary to confirm identity or analyse information to enhance services or manage a crisis like the pandemic.
Current conventions do not necessarily serve us well online. Typically, when a person buying alcohol is questioned about their age, they are asked to produce ID, their driving licence being a common example. The information shown includes their name, gender, date of birth, place of birth, address and driving level, licence number and more. That’s quite a lot of information for a simple transaction. All the vendor needs to know is whether the person is legally old enough to buy: They don’t even need to know the age.
In the physical presentation of the driving licence, the storekeeper is not likely to keep a record of any data that they see, while the identity holder is present and aware of when and how the information is used. These conditions are not replicated in a digital scenario, yet photos of such government issued documents are commonly collected and willingly offered to support trust criteria relied upon by organisations such as Airbnb that are driving online economies. These companies need reliable verification that an individual is who they claim to be or have access to the rights and privileges they claim, not the volumes of raw data that a driver’s licence reveals.
The time has come to consider approaches more fit for purpose given how society is evolving.