This article originally appeared in a global white paper examining the issues around vaccination certificates and immunity passports, and released by Reconnaissance International during the Digital Documents Security virtual event.
As vaccination programmes gather momentum, attention is turning towards restoring individual freedoms and reviving economies. In realising these ambitions, so-called health passes (aka vaccine passports or certificates) are seen by many governments as a potentially powerful asset. To date, much of the focus has been on enabling international travel. Inevitably, establishing the global standards necessary for success here will take time. However, schemes that provide citizens with trusted proof of their vaccinated status, quarantine compliance, and the results of PCR (polymerase chain reaction) or antibody tests, can play a valuable role within national boundaries. While governments await international harmonisation, health passes deployed at the domestic level offer a means of reopening – or keeping open – a wide array of businesses, venues and events, without putting public health at undue risk. And the good news for governments is that successful rollout is more straightforward than it might initially appear.
Certainly, there are significant challenges. To make a worthwhile impact, deployment needs to be swift. At the same time, schemes must provide absolute trust in the authenticity of any information shared by the pass holder. Verifying documentation needs to be quick and easy, and accessible to a wide range of businesses and organisations. As with any personal medical data, maintaining privacy and security is paramount.
Leveraging the near ubiquity of the smartphone is an obvious response. But when it comes to developing apps to support Covid-related programmes, the record of governments to date has been mixed. In several cases, purpose-designed apps have fallen short of expectations in terms of protecting privacy and securing trust. To be fair and effective, any solution must also recognise that not everyone carries a smartphone. What’s more, some who do are unwilling to share personal data via a mobile device.
In fact, there’s no need to reinvent the wheel. All the necessary bricks are already supporting the latest generation of digital identity programmes. Thales is at the forefront of many of these initiatives, embracing not only smartphone-enabled solutions, but also the secure paper-based methodologies that are essential for any truly inclusive deployment.
Health passes, just like digital identity programmes, will invariably require a chain of trust to be built between issuing authorities, digital identity holders and the organisations that verify these credentials. For the mobile channel, a Digital Identity Wallet should stand at the heart of the ecosystem, providing a secure, fully interoperable and standards-based environment for encrypted credentials within the holder’s smartphone. Ideally suited to the demands of health passes, in contrast to a standalone app, it delivers an extra layer of protection for the information contained within it. A virtual wallet also ensures that credentials are inextricably linked to the holder’s identity.
To be universally accepted, health passes must provide reassurance they have been issued by the legitimate authority and presented by the genuine holder. Thales’ own Digital Identity Wallet, for example, is supported by a secure and interoperable platform, and incorporates the modularity necessary to extend to forthcoming standardised international health passports. Beyond that, it will also facilitate broader digital transformation initiatives. Crucially, the wallet can interface securely with a broad array of different health systems, guaranteeing the aforementioned chain of trust and secure issue of a digitalised version of the health pass, proof of vaccination and/or test results to the authenticated individual’s Digital ID Wallet. It also enables lifecycle management of these digital documents. In the current context, this is particularly significant. Understanding of the virus, and the on-going efficacy of vaccines, is evolving continuously; to maintain trust, passes must remain current.
Health passes will be checked by a wide array of stakeholders. A fast, accessible and intuitive verification process is therefore crucial to maximising adoption and compliance. It will also be essential for avoiding delays, particularly at mass spectator events. Once again, to ensure relevance, scheme rules will need to be updated over-the-air.
Thales’ proposal is built on standards defined by international standardisation bodies including ISO – International Organisation for Standardisation – and ICAO – International Civil Aviation Organisation. Thales’ certified mobile security technologies ensure that all the relevant vaccination, test, antibody or quarantine data is securely processed and stored. Whenever proof of this information is needed, users simply authenticate to open their mobile wallet, select the information they want to share, and generate a QR code to invite third party verifiers to engage with the wallet using ISO 18013-5 compliant mechanisms. Once consent is given, data is shared via Bluetooth Low Energy, Wi-Fi Aware or NFC. To optimise privacy, only the information required needs to be shared by the holder.
For citizens unable or unwilling to use a smartphone, QR codes can be distributed via a PDF as an ICAO Visible Digital Seal. Trust is ensured by embedding ID document information within the code. Verification is performed in exactly the same way as the mobile version, with the citizen presenting a physical document such as a passport or ID card to prove they are the genuine holder of the printed code.
As well as addressing all the technical considerations, governments also need to undertake a rigorous cost-benefit analysis. Will the returns on a domestic health pass justify the investment? In contrast to a proprietary app, developed exclusively to support a vaccination programme, a Digital ID Wallet is a truly future-proof solution. Above and beyond the requirements of the health pass, it provides a standards-based platform for on-going digitisation programmes, including any future, internationally harmonised vaccine passport. In addition to reigniting economic growth, and offering welcome relief to lockdown-weary citizens, health passes therefore represent a unique opportunity for governments to create a positive legacy that prevails long after the immediate challenges of the pandemic have passed.
Interested and want to learn more? Leave a comment below and follow us on Twitter at @ThalesDigiSec!