Immunity certificates don’t have to give up our data privacy. Here’s why.

This is a guest opinion post from Alex Walz, Director of Marketing at self-sovereign identity firm Evernym.

It’s a sobering reality, but one we all have to face: Short of an unprecedented miracle, a coronavirus vaccine will not be widely available until mid-to-late 2021, if not later. Most vaccines take years or even decades to hit the market. Without a vaccine, a full return to normalcy is simply not in the cards.

At the same time, quarantine and self-isolation cannot continue indefinitely. In the near-term, countries around the world have begun looking toward “immunity passports” as a way of reestablishing some degree of normality. These documents would be given to individuals who show immunity to, or have recently tested negative for, the coronavirus, allowing them to enter workplaces and public buildings and return to their daily activities, with perhaps some limits in place.

These immunity certificates are not an entirely new concept. The WHO has issued cards known as Cartes Jaunes for travelers to verify their yellow fever immunization status since the 1950s. While these yellow cards have offered a means of limiting the spread of disease, their paper-based construction makes them easy to counterfeit, as has happened in the past. Furthermore, issues regarding the scalability of printing physical documents – not to mention their potential to physically spread the virus as well – have amplified the need for a new solution to a 21st-century disease.

We’ve already seen the crippling economic and social effects of remaining unprepared in a time of pandemic. Luckily, there is a way to ensure immunity verifications can be done in a secure, private way without sacrificing the larger goal of public health. Here’s how.

The Privacy Problem

As businesses and tourist attractions begin to reopen in Wuhan, China—the epicenter of the pandemic—locals and visiting foreigners alike are beginning to adapt to the new normal.

To receive approval to travel within the country, citizens fill out a survey through messaging apps WeChat or Alipay, which then assigns them a color based on their predicted health status. A green ‘all clear’ allows them to travel and visit restaurants and businesses. A yellow status occurs when the user comes into contact with a suspected coronavirus carrier. Red means it’s time to go into self-quarantine. QR code scans are necessary at various checkpoints.

It remains unclear how these apps decide the color code status of the users, nor is the destination of this data transparent. A New York Times investigation found a line of code entitled “reportInfoAndLocationToPolice”, signaling that the information collected from users is not being kept strictly to healthcare organizations. China’s effort at contact tracing has a massive potential to undermine healthcare data privacy, sharing vital details of an individual’s health with the government, the police, and anyone else who has access to this uploaded information.

This effort at combating coronavirus’ spread highlights a key difficulty in pandemic response: How can governments and healthcare companies ensure citizen safety without overstepping in collecting vital data or creating centralized honeypots with potentially gargantuan implications to our national defense? 

The rollout so far has not been effective in tackling these issues, and there’s no reason to think the issues are limited to China. Previous US regulations like the PATRIOT Act offered the government unprecedented access to phone and email records, on the basis that these powers would be temporary. Nearly 20 years later, the same surveillance powers are largely still in effect, even as public trust in government hits an all-time low. To maintain the rights of citizens while providing public safety, a digital credentialing system must be implemented in a clear, understandable way.

Digital Credentials In A Post-Pandemic Age

The need for a verifiable credential to prove health status has been noted frequently in the past few months. In a March Ask Me Anything (AMA) on the Coronavirus subreddit, Bill Gates pointed specifically to the need for a digital certificate that would show who’s been tested for the virus and, later, who’s been vaccinated. More recently, digital credentials were highlighted as a key action item in a policy paper laid out by the Tony Blair Institute For Global Change.

Misinformation and misunderstandings unfortunately cloud conversations regarding this sort of verification. Yet citizens are allowed to be wary, as 45% report having their data accessed illegally in the past 5 years. A solution to the issue must make privacy a visible priority.

Self-Sovereign Identity (SSI) would allow citizens to display a credential – likely on their smartphones or tablets – without giving up access to private information. The recently adopted W3C framework, which is built around the notion of privacy by both design and default, explains in detail how this process works. In contrast to contact tracing, which tracks and records an individual’s behavior, a verifiable immunity or vaccine certificate is designed around privacy, allowing the user to interact with healthcare workers and other citizens without fear of having their data accessed without consent. No information aside from the individual’s virus or vaccine status is shared in accessing the credential – private information remains just that. This tamper-proof immunity certificate cannot be forged, transferred, or sold, greatly limiting the potential for fraud or misuse.

With an SSI-backed immunity passport, the first group of immunized or vaccinated patients can return to normalcy, using their credentials to ensure safety in the places they visit. With a close eye on ICU admission rates, states and local governments can maintain social distancing when necessary while providing these SSI credentials to individuals who meet the standards for immunity. A full return to normality simply won’t happen without a vaccine, yet even here, SSI can ensure one’s vaccination status is proven, thereby limiting the spread of the virus while enhancing public trust, without giving up closely-guarded personal information.

The notion of revealing a credential in order to visit a supermarket, go to work, or visit a loved one at a nursing home may seem novel; but really, it’s merely the next step of verification in our connected society. We already show our driver’s licenses to buy alcohol or movie tickets, revealing our full name, address, height, weight, and blood type, when all the clerk needs is our name. A safe credential supporting selective disclosure of personal information reveals far less, and can’t be counterfeited the way a physical ID could. The technology – already available to the general public, and largely open source – can be deployed effectively once research on immunity reaches an actionable stage for antibody verification. 
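The selective disclosure described above can be illustrated with salted hash commitments: the issuer authenticates one digest per claim, and the holder later reveals only the claims a verifier needs. This is an added example, not code from the article, the W3C specification or Evernym; the function names, the sample claims and the HMAC used in place of the issuer's public-key signature (so that it runs on the Python standard library alone) are assumptions.

```python
import hashlib, hmac, json, secrets

# Constructed demo key. HMAC stands in for the issuer's public-key signature;
# a real verifier would hold only the issuer's public key.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    # Salted commitment: the random salt stops guessing of low-entropy values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: commit to each claim separately, then authenticate the digest list."""
    salts = {name: secrets.token_hex(16) for name in claims}
    digests = sorted(_digest(salts[n], n, v) for n, v in claims.items())
    return {"digests": digests, "tag": _tag(digests)}, salts  # salts stay with the holder

def present(credential, claims, salts, reveal):
    """Holder: disclose salt and value for the chosen claims only."""
    disclosed = [[salts[n], n, claims[n]] for n in reveal]
    return {"credential": credential, "disclosed": disclosed}

def verify(presentation):
    """Verifier: check the issuer tag, then match each disclosed claim to a digest."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["tag"], _tag(cred["digests"])):
        return None  # digest list was not produced by the issuer
    accepted = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # disclosed value does not match any commitment
        accepted[name] = value
    return accepted

# Constructed sample claims, not taken from the article.
CLAIMS = {"name": "Sample Holder", "date_of_birth": "1980-01-01",
          "address": "1 Example Street", "test_result": "negative"}

if __name__ == "__main__":
    cred, salts = issue(CLAIMS)
    shown = present(cred, CLAIMS, salts, ["test_result"])
    print(verify(shown))                   # only the disclosed claim is learned
    shown["disclosed"][0][2] = "positive"  # altered value fails verification
    print(verify(shown))
```

In this construction the digest list and tag are identical on every presentation, so verifiers who compare records can link a holder's visits. Credential schemes based on zero-knowledge proofs are designed to avoid that linkage.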

It’s important to note that the presence of coronavirus antibodies is not yet proven to establish immunity to the virus. Yet the ability to quickly scale a feasible, privacy-based solution for providing credentials once the science is settled remains a priority. We have the framework in place – now, it’s time to create an actionable plan toward adoption to ensure we’re ready to take on the next coronavirus challenge without delay.