Making the case for COVID-19 vaccine passports: A shift to data democracy
IBM explains how technology could be used to create a secure ‘passport’ for work, entertainment, and travel -- without compromising our privacy.
By Charlie Osborne*
IBM has outlined how a blockchain-based digital health "passport" could allow society to reopen without the need to expose our private medical data.
After a year of lockdowns, millions of cases worldwide, and both social and economic devastation, COVID-19 continues to make its presence known. Thanks to the efforts of scientists, vaccination programs are underway. For many, this has created a glimmer of hope that some form of "normality" will eventually resume.
In the interim, however, a balance has to be struck between safety and the risk of reopening economies, permitting travel, and allowing employees to return to their workplaces.
If COVID-19 is to be brought down to a manageable and socially acceptable level, a multi-faceted approach is required. Vaccines will not be a silver bullet and for some time to come, we may expect social distancing rules, travel quarantine, strict controls on mass gatherings, self-isolation requirements, and the usage of contact-tracing apps.
What are vaccine or health passports?
An idea that has been discussed in recent months is vaccine or health passports, which would prove your medical status in return for permission to once again attend mass gatherings, go to the office, visit entertainment venues, attend sports events, or travel abroad.
IBM DIGITAL HEALTH PASS
In an interview with ZDNet, Mark Davies, chief medical officer for Europe at IBM, and Anthony Day, IBM blockchain partner for the UK and Ireland, described the firm's Digital Health Pass and overall efforts since March 2020 to expand the technology and utilize the blockchain to cater to demands caused by COVID-19, including the possible requirements of a health passport in the near future.
A health passport could take many forms including a paper record, a vaccine card, or an SMS message confirming a negative test result. However, it is one thing to have medical facilities manage our records locally and quite another to agree to share this information more widely with everyone from a festival organizer to an airline clerk abroad.
The idea of constantly exposing medical personally identifiable information (PII) could be too much to ask in the future -- unless we are kept firmly in control of our data. According to Davies, a form of digital health passport is another "tool" we can use to "help us fight the fight" -- but the right approach from the start will keep private data in the hands of individuals.
"Our belief is if citizens take control of data that relates to their COVID status, either immunization status or infection status, or the absence thereof -- that's a very significant and powerful opportunity," said Davies.
The IBM Digital Health Pass is built on IBM Blockchain and is described as a way for "organizations to verify health credentials for employees, customers, and visitors entering their site based on criteria specified by the organization." This does not just apply to traditional offices, however.
The technology, if more widely adopted, could also apply to everything from sports venues to nightclubs and airports.
Blockchain technologies are digital ledgers that can be used to facilitate transactions, with information stored in multiple nodes that make it difficult to tamper with data. In IBM's solution, a form of blockchain is used to manage communication channels between a wallet holding health-related credentials, issuers, and verifiers.
Individuals own a wallet that facilitates access to their health-related credentials, which could include vaccination records, rapid test results, or other forms of PII.
Issuers -- including healthcare providers, vaccination centers, and organizations offering COVID-19 tests -- provide the credentials that are accessible via the secure wallet. Verifiers, described as those who "have a regulatory obligation to see that you have certain health credentials," then perform checks upon entry to a location.
The system provides a decentralized identity architecture that has been built using W3C open standards and does not rely on centralized databases to operate.
How would a vaccine or health passport work?
In real-world applications, should an individual go to a workplace, festival, or airport, they would open up a mobile app that has the IBM Digital Health Pass built in.
However, this is the important part: Healthcare PII is not stored centrally on the app or available to just anyone to view.
Instead, according to Day, a QR code could be displayed in the app which is then presented to a verifier. This QR code is then scanned to see if the person's credentials match the requirements of the verifier -- such as whether or not they have had a recent COVID-19 test or are vaccinated.
These records are held by the issuer, accessed via the wallet, but protected from outright exposure by the blockchain.
In simple terms, an app based on Digital Health Pass will give over no more information than the user allows -- and could simply show nothing more than a red or green alert to verify a COVID-19 status request.
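The red/green check described above can be modeled in a few lines. This is an added example, not IBM's code and not part of the original article; it uses the kind of rule a venue might set (a negative antigen test in the past 48 hours, or the second dose of a two-dose vaccine). The field names, the issuer ID and the key are constructed, and an HMAC stands in for the issuer's asymmetric signature so that only the standard library is needed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. Assumption: HMAC stands in for the issuer's
# asymmetric signature so the example needs only the standard library.
ISSUER_KEYS = {"clinic-demo": b"constructed-demo-key"}

def _mac(issuer, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()

def issue(issuer, claims):
    """Issuer side: bind the claims to the issuer with an integrity tag."""
    return {"issuer": issuer, "claims": claims, "tag": _mac(issuer, claims)}

def authentic(cred):
    """Reject credentials from unknown issuers or with altered claims."""
    if cred.get("issuer") not in ISSUER_KEYS:
        return False
    expected = _mac(cred["issuer"], cred["claims"])
    return hmac.compare_digest(expected, cred.get("tag", ""))

def satisfies(claims, now):
    """Verifier rule: negative antigen test taken in the past 48 hours,
    or the second dose of a two-dose vaccine."""
    if claims.get("type") == "antigen_test":
        taken = datetime.fromisoformat(claims["taken_at"])
        return (claims.get("result") == "negative"
                and timedelta(0) <= now - taken <= timedelta(hours=48))
    if claims.get("type") == "vaccination":
        return claims.get("dose") == 2 and claims.get("doses_required") == 2
    return False

def check(credentials, now):
    """Return only 'green' or 'red'; no claim value leaves this function."""
    ok = any(authentic(c) and satisfies(c["claims"], now) for c in credentials)
    return "green" if ok else "red"

NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
FRESH = issue("clinic-demo", {"type": "antigen_test", "result": "negative",
                              "taken_at": "2021-02-28T18:00:00+00:00",
                              "name": "A. Sample"})  # constructed record
```

The name in `FRESH` never reaches the caller of `check`, and a record whose claims were edited after issuance fails `authentic` and yields red.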
"If I was a sports venue, for example, and I require citizens to have either: A COVID test, an antigen test proving negative within the past 48 hours, or the second stage of a two-stage vaccine, [it] returns green, good to go," said Day. "No personal data at that point is then being returned to the verifier. The verifier is only seeing someone presenting them with a QR code."
Are vaccine and health passports secure?
Blockchain architecture provides a suitable platform for protecting medical PII. If you imagine each party in the transaction -- the individual, issuer, and verifier -- connected together via a chain, blockchain can connect the dots but without needing to expose PII, a concept the executives say is "critically important."
"We're looking to encrypt and secure orchestration of credentials, but not store data," Day noted. "Personal information is always held by the issuers -- they are the ones providing healthcare to you. [...] Blockchain is well designed for encryption and security, [and] to obfuscate information flow."
The executive added that, since the start of the project, the wallets have been designed with "baked-in" functionality to manage different forms of data. As a result, the solution could be used to manage various datasets, such as names or passport numbers at an airport gate.
However, at every stage of the process, the individual needs to provide consent for that information to be made available, thus encouraging what is called the "democratization" of data.
"The intent is that in every case, the business rules are set by the verifier, but consent is always with the individual," Day said.
In times of a global pandemic, any form of digital health passport would also have to be designed with scalability in mind -- and would potentially have to deal with millions, or tens of millions, of records.
IBM's Blockchain has been scaled for platforms like TradeLens, which has managed to facilitate approximately 1.8 billion transactions made by shipping companies, customs agencies, and international ports, and is also used in cross-border finance transactions via we.trade.
"If you want to have 60 million people in the UK, or hundreds of millions of people across North America, Europe, Asia-Pacific, running interoperable credentials, you've got to have something that can work at that scale," Day said.
If lockdown and stay-at-home orders are in place, digital health passes will make no difference. However, Day noted that in "mission-critical" settings and essential services, an immutable record of health status could reduce the risk of outbreaks.
These forms of wallets, too, could wrest control of data back to individuals as they are built on consent.
Is IBM the only player?
No, IBM is not working on the problem in isolation. There is a global community of tech developers across different industries now involved in the creation of international standards, and in cross-border and technical interoperability, for the management of healthcare credentials.
"COVID has pushed us all as citizens to take more responsibility for our own health and the health of those around us, both as individuals and as communities," Davies said. "That participative model of healthcare -- which is less of healthcare organizations doing to you, but something that is done with you, and citizens having more control, is an inevitable consequence of the pandemic."
*Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London.