Security and Privacy Challenges Threaten to Ground Vaccine Passports

Vaccine passports hold one of the keys to getting the travel industry up in the air again, but they are not without privacy and security challenges. Alex Meehan investigates

For as long as there has been technology, there have been competing standards, and it seems that when it comes to the issue of vaccine passports, not much has changed.

Last month, Transport Secretary Grant Shapps confirmed that the UK would be using the NHS phone app as its COVID-19 vaccine passport. “It will be the NHS app that is used for people when they book appointments with the NHS and so on, to be able to show you’ve had a vaccine or that you’ve had testing. I’m working internationally with partners across the world to make sure that system can be internationally recognized,” he told Sky News.

A number of EU member states have said that they are hoping to welcome tourists back soon, with Portugal planning to allow British holidaymakers to visit from the middle of May, and Spain looking at a date in June.

To facilitate the reopening of travel in Europe, the EU is moving ahead with its Digital Green Certificate, which would show whether someone has been fully vaccinated, tested negative or recovered from COVID-19. It’s envisaged that this certificate will be available free of charge as both a digital and a paper certificate and will make use of QR codes.

While these measures sound like the news that consumers and the travel sector have been waiting for to help repair a devastated industry and restore confidence among tourists, commentators in the information security space have expressed concern at just how these steps are to be implemented. The truth, they say, is that there are likely to be significant teething issues.

The Problem with QR Codes

“The problem is that there is no clear standard for a digital vaccine passport or app out there, and there are many contenders,” says Louis-James Davis, chief executive of V-Health Passport, a secure ID and contact tracing platform. “A lot of them have used off the shelf products and merged them together to try to create what is needed for the market. Their Achilles heel is their front-end, because most of them are based on QR codes.

“The problem with a QR code is that all the owner’s sensitive data is stored within it,” he continues. “Anyone who can read that code can access that data. At the same time there are interoperability issues, as one system doesn’t necessarily generate a QR code that’s read consistently everywhere.”

Davis would like to see a system put in place that uses a consistent front end married to a back-end system which could be used to make the system work anywhere in the world. “QR codes don't talk to back-end systems, yet the main thing everyone is asking for is an interoperable solution that can communicate its data with other back-end systems,” he says.

V-Health Passport has worked with the NHS on its track and trace system. Davis said that the firm's V-code front-end system, if adopted by the NHS, would allow its app to talk to any other back-end system that adopts the standard.

“It means that someone with a UK-issued digital certificate could get off a plane in France or Japan or anywhere, and the local version of the app could scan their app and get the relevant data from the traveller’s national back-end database,” he says. “Someone travelling from France with a French-generated v-code could use their app to instruct a local system to fetch General Data Protection Regulation (GDPR) sensitive data about the holder without actually having to carry that data around stored in a QR format.”

Sensitive Data Requires Sensitive Handling

According to Dean Chapman, senior manager for information security for Virgin Atlantic Airways, when it comes to implementing any vaccine passport system, data privacy has to be a key concern.

“The data privacy aspect of this is obviously huge as we’re talking about sensitive health data. Whoever builds or uses any vaccine passport system has got to make sure that they secure that health data,” he says. “They’re going to have to get hold of two kinds of data, the first from some repository of identity data that allows them to verify people’s identities, and the second a source of health data to verify their health status. The question is, where is all that data going to come from?”

Building out a secure system that talks to centrally held sources of data, such as those held by the NHS, is “extremely challenging to do” in Chapman’s opinion. In addition, doing it in a way that respects the public’s data privacy would also be complex and, therefore, a concern.

“The world of the GDPR is very complex. Since Brexit, strictly speaking, EU GDPR rules no longer apply in the UK but actually all its provisions were enacted into UK law, so for now we are all abiding by exactly the same rules and we still answer to the Information Commissioner’s Office,” Virgin Atlantic’s Chapman continues.

“If Virgin Atlantic has to ask its customers to use a vaccine passport service, then we would need to remember that we're not the owners of the data involved. We’d have to work with a third party, so the big question is how this system would securely establish and confirm identity, and how and where it would obtain the required health data?”

A further concern in this area is how such a system could be protected from fraud. It seems likely that large numbers of people will want to travel once it becomes feasible to do so, and it’s possible some of them will try to game the system. 

“Everybody is going to want to travel, and everybody is going to want to show up at check-in with the tick on their smartphone or whatever it is that proves they're okay to travel, just like a passport. So how is that digital certificate verified in real time from anywhere in the world?” says Chapman.

These are all difficult questions, but they will have to be answered because the travel industry needs all the help it can get to recover from the COVID-19 pandemic. Simon Press is exhibition director of the Travel Forward travel technology show, scheduled to take place alongside World Travel Market in London from November 1 to 3.

“It’s hugely important that a sense of confidence returns to the travel industry. It’s had zero to negligible opportunity over the last year and while internal tourism is strong, a lot of the industry is focussed on international travel out of the UK,” he says.

Press said that vaccine passports represent only one part of rebuilding consumer confidence in the travel sector.

“They will, undoubtedly, be helpful. Vaccine passports will mean that there is a digital asset that confirms the holder has had the vaccine or a negative test prior to travelling and that builds confidence for the airline, the cruise company or the train line, and also for the destination you might be going to as well,” Press says. “But it’s part of an overall offering. It’s linked with COVID-19 testing, with social distancing, and the ‘track and trace’ ability of the destination country you’re going to. There is no silver bullet.”

For more information on the Travel Forward travel technology show, scheduled to take place alongside World Travel Market in London from November 1 to 3, please visit the event website. 
