An advocating view from the industry – by Geert Peeters, Zetes
We have reached a moment in the pandemic where there is light at the end of the tunnel. Nations worldwide are vaccinating their citizens at full speed. At present, the call to shape the “new normal” is sounding louder and louder. The socio-economic status of our entire world will also benefit from this. Everyone is longing to get together in a family circle, or to go out to a restaurant, concert or event together.
In addition, the demand to be able to move freely across national borders is becoming increasingly prominent, not only for business trips but also for tourist excursions. The latter is extremely important for those economies that rely on tourism.
To help enable all this, a so-called Covid-19 health pass could become a highly effective solution. But this proposal also has its opponents.
A non-discriminatory approach: displaying PCR test results as well as vaccination status
The main argument going against the implementation of a vaccination certificate is that it would be discriminatory, allowing only the individuals who have received the shot to circulate freely or get access to specific services. The right to travel and free movement of people should not be jeopardized.
The health pass as currently often presented in the media is inspired by the idea of our widely known WHO yellow vaccination booklet that is typically used for equatorial travel. Upon arrival, the traveller presents his or her booklet proving a valid vaccination. Covid-19 presents us with a challenge in this respect. We realize that the Covid-19 vaccination is a gradual and voluntary process and that not every traveller will be able or willing to receive the vaccine at the time of travel. It is therefore likely that Covid-19 testing will continue to be very much the practice and that a negative test prior to travel will be necessary.
This reality needs to be taken into account and the health pass has to be given a slightly broader meaning. It should be considered as a means to help the traveller meet the applicable health standards. Based on the information on this pass, national authorities could decide whether a traveller could be excluded from quarantine measures, or if additional controls need to be taken to prove a safe entry. Consequently, a Covid-19 health pass should not only display vaccination information, provided by the authorities organising the vaccination, but also health data submitted on a voluntary basis as well as recent Covid-19 test results. With this approach, vaccination will not become an obligation or duty for free passage across borders.
The fact that the Covid-19 health pass facilitates travel, which is valuable to society, means the system will by design be exposed to abuse. Some travellers might be tempted to make false or incorrect statements or use someone else’s health pass. This can be avoided by creating a link between the Covid-19 health pass and verifiable credentials, which allow a person to be uniquely and unambiguously identified. The unbreakable link between the health pass and the individual is important at every step of the verification process:
- is the person presenting the pass really the one who took the Covid-19 tests?
- is the person presenting the pass really the one who received the Covid-19 vaccination shot?
- is the person presenting the pass really the owner of this pass?
A Covid-19 health pass will therefore have to be linked to existing and internationally recognized governmental identification schemes, the so-called photo-IDs (passports, eID passes, driving licenses, ...). For wider use, a photo of the bearer could be added to the health pass.
Ensuring the highest levels of data protection
Although the link to the owner is extremely important, a guarantee of privacy for the personal data in a health pass is also paramount. Besides certain health data, the pass will also expose personally sensitive data of the bearer. It must be created in such a way that the traveller has control of the information that he or she wishes to release. It is the traveller who decides which data need to be shared in any given situation. For example, at border controls, the aim is simply to verify that the person meets the applicable health standards without having to provide further detailed data (e.g. type of vaccine).
National or global approach?
Finally, the data from a Covid-19 health pass must be able to be read correctly and coherently by the recipient. The interoperability of the information on the health pass is particularly important when using the pass for international travel. From this point of view, an international standard should be promoted whereby test or vaccination data from a certain country can also be correctly interpreted in the area to which the traveller is going. In this setup, the vaccinating authorities could be in charge of issuing the Covid-19 health pass. The health pass becomes a service to the inhabitants of a country or state and can be used for international travel but also for reshaping the "new normal". The data on the health pass must be able to be read, interpreted and validated in the country of destination.
On the other hand, one could also argue for a system in which the country to which one travels imposes the standards or conditions with which the Covid-19 health pass must comply. This set-up is similar to the way in which a visa or ETA is handled.
Solutions and technologies are available and can be applied to the needs of the health pass
Although the challenges seem enormous, there are already existing technologies that form the perfect basis for the solution. Because most people now carry a mobile phone, a health pass can be distributed easily and efficiently (e.g. similar to boarding passes for air travel in a mobile phone wallet). To overcome the technology challenge and provide a fair and common tool for everyone, a health pass should also be usable in the form of a printable document.
Methods already exist to validate the integrity and authenticity of data on a document (both on-line and off-line). Adequate solutions via cryptography (cf. electronic signatures) are already widely used. In addition, there are also internationally accepted techniques to establish a person's identity with a high degree of certainty. These solutions are already used by banks (online onboarding/KYC) or governments (mobile-ID) and are documented in international standards (e.g. mDL through the ISO18013-5 standard). Finally, interoperability for validation of traveller data has also been established by international organisations such as ICAO and technologically supported through solutions such as an N-PKD (National Public Key Directory).
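As an added illustration (not part of the original article and not Zetes code), the sketch below combines the three properties argued for above: an issuer seal for integrity, a binding to the bearer's photo-ID, and disclosure controlled by the traveller. It uses salted per-claim digests, and an HMAC stands in for the issuer's electronic signature so that it runs on the Python standard library; all names, claim fields and the document number are assumptions.

```python
import hashlib, hmac, json, secrets

# Stand-in only: HMAC replaces the issuer's electronic signature so the example
# runs on the standard library. A real verifier would hold a public key instead.
ISSUER_KEY = secrets.token_bytes(32)

def claim_digest(name, value, salt):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def seal(payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue_pass(claims, id_doc_number):
    """Issuer: commit to every claim separately; the photo-ID number is one of them."""
    claims = {**claims, "id_document": id_doc_number}
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(claim_digest(n, v, s) for n, (s, v) in disclosures.items())
    payload = {"claim_digests": digests}
    return {"payload": payload, "seal": seal(payload)}, disclosures

def present(signed_pass, disclosures, reveal):
    """Holder: release only the chosen claims plus the identity binding."""
    names = set(reveal) | {"id_document"}
    return {**signed_pass, "disclosed": {n: disclosures[n] for n in names}}

def verify(presentation, id_doc_number):
    """Verifier: return the certified claims that were disclosed, or raise ValueError."""
    payload = presentation["payload"]
    if not hmac.compare_digest(seal(payload), presentation["seal"]):
        raise ValueError("pass altered or not issued by this authority")
    certified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if claim_digest(name, value, salt) not in payload["claim_digests"]:
            raise ValueError(f"claim {name!r} was not certified by the issuer")
        certified[name] = value
    if certified.pop("id_document", None) != id_doc_number:
        raise ValueError("pass does not belong to the presented photo-ID")
    return certified

if __name__ == "__main__":
    # Constructed sample data, not real records.
    claims = {"vaccine_type": "example-vaccine", "pcr_result": "negative"}
    signed, kept_by_holder = issue_pass(claims, "X1234567")
    shown = present(signed, kept_by_holder, ["pcr_result"])
    print(verify(shown, "X1234567"))
```

The per-claim salts keep undisclosed values, including the low-entropy document number, from being guessed from the digests in the sealed payload.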
The reason why the health pass is raising attention is that governments regard it as a key tool that will help them to recover from the pandemic. However, while reopening the borders is becoming more crucial by the day, the introduction of the new sesame needs to be well thought through and designed accordingly, in order to offer the best guarantees to the governments who want to put it in place, and the utmost protection to the individuals who will have to use it. Technical solutions can overcome major concerns and are within reach for whoever wants to take a step in the direction of a health pass concept.
The People ID division of Zetes provides secure solutions to accurately identify people, either in their capacity as citizens or as customers, both in the physical and the digital worlds. Its portfolio of solutions covers all the aspects of the identification and authentication processes, from registration to identity check. The company has more than 15 years' experience in the implementation of sensitive projects for governments and supranational organisations, such as the issuance of electronic national identity passes, passports, driving licenses, health passes and visas, as well as voter registration programmes and border control solutions. Our teams have strong knowledge and know-how in the fields of biometrics, cryptography and data security.
The ZetesConfidens division of Zetes People ID is a QTSP as defined by the European Union’s eIDAS regulation. It focuses on the full life cycle of the digital identity, providing multi-platform and multi-modal solutions for securing e-transactions, electronic signing and digital authentication. With this particular product offering, Zetes also addresses private sectors, such as banking & insurance, as well as professional associations. But as digital identity is gaining steam around the world, governments remain a focus market also for ZetesConfidens.