Covid-19 immunity passports: how to protect health data
Immunity passports certifying that someone has already had Covid-19, and should therefore be immune from future infection, have been discussed by many governments as a way to ease lockdown restrictions imposed across the world. Allie Nawrat explores the concept of immunity passports and asks, how can we ensure patient data is secure?
ccording to forecasting by the Organisation for Economic Cooperation and Development (OECD), the Covid-19 pandemic has “triggered the most severe recession in nearly century and is causing enormous damage to people’s health, jobs and well-being”. World economic output is predicted to fall by 6% this year and climb by 3.8% if there is only one wave of the virus.
This situation worsens to a 7.6% decline in 2020 and a 2.8% increase next year if a second wave occurs. The OECD report found that economic challenges are primarily linked to the containment measures implemented by governments in an attempt to control the spread of the virus and limit the death rate.
As the number of cases are falling in large parts of the developed world, particularly in Europe, policymakers are seeking ways to ease the lockdowns they have imposed and jumpstart national, regional and global economies without cancelling out the progress already made in containing the viral disease.
One solution that is being considered by various governments across the world, including the US, the UK, Estonia, Germany and China, is immunity passports.
Building on the concept of vaccination books, immunity passports are documents that can be given to those who have recovered after being infected with Covid-19, as determined by an antibody test, and are now supposedly immune to the viral disease for a period of time.
This could allow those with an immunity passport to return to work and begin to travel once more, thereby safely opening-up the global economy while minimising the risk of triggering further waves of Covid-19.
Flaws of immunity passports
Unfortunately, the idea of immunity passports does not come without problems.
A major concern, which has been emphasised by the World Health Organization (WHO) is that “there is currently no evidence that people who have recovered from Covid-19 and have antibodies are protected from a second infection”, meaning the accuracy of an immunity passport could not be guaranteed.
This is not helped by the lack of reliability and specificity of tests that detect antibody response to infection with SARS-CoV-2, the virus that causes Covid-19. False positives and false negatives are both known to be common. The continuing inconclusive evidence of these antibody tests is the primary medical or epidemiological issue with immunity passports, according to Synopsys Cybersecurity Research Centre principal security strategist Tim Mackey.
There are also particular concerns that immunity passports could create two classes of citizens, leading to “high risks in terms of social cohesion, discrimination, exclusion and vulnerability”, according to a report by the Ada Lovelace Institute.
Those with immunity passports will be able to live their lives in a relatively normal way, while those without documented immunity would remain subject to health restrictions and lockdowns while awaiting a vaccine to be successfully developed.
The potential stigmatisation of those without immunity certification could led to strange, perverted incentives to get infected. Document verification company TrueProfile.io co-founder René Seifert explains that a young, healthy person at low risk of severe disease or death might see having an immunity passport as bringing preferential treatment and so purposefully expose themselves to Covid-19 infections. A major issue is, by doing this, you run the risk of infecting those more at risk, like parents or grandparents.
The final important issue facing implementing immunity passports is: “the security implications of having the data drawn from…tests [being] tied closely with some form of an individual’s digital identity,” explains Mackey.
Seifert notes these challenges around data privacy are only compounded by worries about who will have access to people’s private healthcare data through any immunity passport system.
Enter digital passports
A paper-based vaccination book works for diseases like rabies and yellow fever, but “for something as severe and contagious as Covid-19, that doesn't do the job,” explains Seifert. Instead, the Ada Lovelace Institute’s report argues digital versions would create “the secure means of certifying an attribute such as immunity, because of the protections they provide from fraud, theft, and abuse”.
Ultimately, “paper-based approaches are less likely to satisfy the stringent security and data protection protocols required to ensure health data is both protected and unalterable,” Seifert wrote in an explainer piece.
This is because paper versions are easier to falsify; “today, you can buy a fake medical certificate, including for fake negative Covid-19 infection test. As soon as immunity passports emerge, there will also be fake passports that you can buy, which would invalidate the whole idea. With Covid-19, [there] is too much at stake to be worrying about whether is true and reliable or not.”
Further to this, digital passports are superior to paper-based versions because they can be updated a as more evidence about quality of immunity conferred by Covid-19 infection comes to light and the specificity and reliability of antibody tests improves.
For instance, if it turns out, infection with Covid-19 only brings immunity for three months, rather than six months, then this can be adjusted easily on a digital platform, whereas paper-based versions would then be incorrect, creating dangers that some people cleared for six months might be able to re-catch and spread the viral disease.
Blockchain as the gold standard for security
Seifert argues that digital passports are most secure if they leverage blockchain. “A blockchain can be best defined as a shared, distributed database which records transactions,” he wrote in an explainer. “Each transaction is added as a block and is stored, decentralised in the chain.”
This means that the end-user, the owner of the immunity passport, has complete control over their health data and how it is used.
Seifert explains that a blockchain system would allow someone with an immunity passport to share a fingerprint in the form of a hash with anyone to prove their immunity from Covid-19. Importantly, this hash fingerprint on the blockchain only provides access to the PDF of the positive test from a trusted lab; no personal data contained in the immunity passport is revealed.
The receiver of the hash fingerprint, which could be an employer or authorities, can authenticate the PDF test against the blockchain to be satisfied it has been signed by a trusted party, such as the testing lab, explains Seifert. “As the Covid-19 test results [are] stored as a ‘fingerprint’, this offers a form of encryption and ensures that the digital certificate provided to the end-user is secure and tamper-proof by design”, which means the fingerprint is unalterably linked to the identity of who it in the first place.
Blockchain could, therefore, meet Mackey’s requirement that an immunity passport should “simply be a matter of securely accessing the data of the most recent test”. He notes that it essential to ensure data private that “only the necessary data should be retrieved and anything beyond that should not”.
To conclude, Seifert notes that although it is crucial that companies and governments start thinking now about how to introduce properly secure digital passports, their roll-out will not be possible until “the antibody test is proven to show that end-users cannot get infected again.” As ever, there is a need to follow the science and trusted, specific tests are “the first step of bringing this vaccination book into a digital format”.
Share this article