Security News

It's time to consider getting a Covid-19 vaccine passport for travel

David Strom, Jan 6, 2021 12:54:00 PM

These "passports" could prove to be a solution for travelers crossing borders, but they also come with their own set of challenges

As the number of people getting vaccinated against Covid-19 rises, it's time to review the ways that people can prove they have been inoculated when they want to cross international borders.

These so-called “vaccine passports” have been in development over the past year and are starting to go through various trials and beta tests. The passports would be used by travelers to supplement their actual national passport and other border-crossing documents as they clear customs and immigration barriers. The goal would be to have your vaccination documented in a way that it could be accepted and understood across different languages and national procedures.

As you might imagine, it's a tall order. Already, the Australian airline Qantas is talking about requiring proof of vaccination against Covid-19 for all of its passengers — both domestic and foreign— at some point in the future.

Part of the challenge is that the vaccine passports can take a variety of physical forms, such as a physical card or a mobile app. The proof could be indicated by either a QR code or a paper sticker (that would presumably be difficult to forge). I’ll focus on the digital passport forms for this post, which hopefully would be less likely to be lost and can be made part of passengers' existing travel records.

Issues to consider

There are several major issues around these passports:

  • Are the passports truly protecting data end-to-end? Obviously, encryption is a must. But how the encryption is applied and where it can be compromised are important details in the design and execution of these documents.

  • Where will the data be stored? The best solution is to not send any data anywhere, and store identity information on a user’s smartphone.

  • Can the passports be used for all vaccines that are being administered? Currently, there are more than 200 vaccines in development, and more than a handful that are being deployed in various countries. Vetting this information will certainly be a challenge to keep it accurate and secure and work across the many different systems that will consume this data.

  • Can these passports adapt to the changing health department and custom border crossing requirements? This can be the most vexing issue, as these requirements are being adjusted as new information about the virus and the vaccinations becomes available.

  • How would they connect to vaccination centers so they can securely send results and certify the public? The ideal application would be to issue a pass/fail grade for an individual, so there is no need to interpret the medical information by someone who isn’t a doctor.

  • Would they exist as a separate smartphone app or integrate into an existing contactless app (such as Apple Health for iOS) that can also manage other travel details (such as passport data) and health-related data (such as life-threatening conditions or other vaccines)? For those that don’t have smartphones, the idea is that these users will print a QR code with some embedded cryptography which can be scanned for vaccine verification.

Potential issues related to cyberattacks

One issue we should address in more depth is: what happens if something goes wrong? Let’s say you arrive at your destination country’s custom barrier and present your app to verify that you got vaccinated, but for some reason, your data shows that you are missing your vaccine. Whom do you call? How do you get this resolved? That certainly could happen, and the devil is in the details to be sure.

But we've already seen how the vaccine supply chain is a tempting target for cybercriminals. Six pharma companies in the US, UK and South Korea have been targeted by North Korean hackers. And logistics vendors who are moving the vaccines from the suppliers have also been receiving specialized phishing emails beginning in September. And earlier in December, the European Medicines Agency, which evaluates and approves drugs for EU distribution, was also the subject of a cyberattack.  

Who are the contenders?

Let’s look at the likely contenders for supplying the digital vaccine passport and what has happened with actual beta tests to date.

CommonPass

The most widespread program so far is one called CommonPass. It is an open-source project being co-sponsored by the World Economic Forum and the Rockefeller Foundation. It will connect to a wide variety of data sources and communicate a simple pass/fail based on entry requirements of the destination country. The passport is part of a wider Mitre project called the Vaccine Credential Initiative, which has a wide collection of partners, including both Walgreens and CVS drug stores along with Apple, Google, Microsoft and various other healthcare partners, such as the Mayo Clinic.

Their goal is to ensure that everyone who gets the vaccination will get a digital copy to prove it and have a trustworthy, traceable, verifiable and universally recognized digital record of immunization status. According to their website, users will consent to have their vaccination records made available without revealing any other medical or personal health data.

According to my conversation with Dr. Brian Anderson of Mitre, it will initially involve using one of a series of standalone smartphone apps that are currently in development. Anderson acknowledges the issues of scope and scale — he mentioned that the plan is to begin with US-based end users before moving to other parts of the world.

“We are also talking to entertainment venues and theme park operators, as well as the travel-related businesses,” said Anderson. “We are trying to help facilitate the opening of our economy, and to establish a common framework between consumers and the entities that will provide the vaccine verification.” An illustration of this framework is shown below:

 

In trials for CommonPass run in late October, volunteer passengers on two flights (a United Airlines flight from London to Newark and another Cathay Pacific flight between Hong Kong and Singapore) were tested for Covid-19 when they boarded, with the results available upon their arrival. If CommonPass becomes widely accepted, travelers would have a Covid-19 test shortly before departure from their home. According to Anderson this includes United Airlines, Cathay Pacific, Virgin Atlantic, Jet Blue, Lufthansa and Swiss who are rolling out CommonPass on some of the flights departing several cities, including New York City, Boston, London, and Hong Kong.

IATA Travel Pass

A second effort is being done through the auspices of the International Air Transport Association, called the IATA Travel Pass. It is expected to begin beta tests this quarter, and the aim is to include Covid-19 vaccination records as part of its previous efforts to digitize passport details, using IATA’s Timatic and Travel Pass applications. This has been in place for many years and was used during the Ebola outbreak by airlines to verify passenger travel documents and health requirements. Timatic has the advantage that it comes in various versions, including a smartphone app, an XML solution that can be integrated into various web apps, an Amadeus add-on for the airlines and travel agents using that system, as well as various mainframe apps. Here is the workflow for their solution:

 

AOKpass

A third effort, titled AOKpass, comes from the International Chamber of Commerce and International SOS, a private medical and securities provider. It is being built by two Singapore tech startups and will use blockchains to securely store information on individuals’ smartphones. The early users are limited to the International SOS staff based in Singapore. It was first put in place on a flight from Japan to Singapore late last month and is being deployed on other Singapore Airlines flights from Jakarta and Kuala Lumpur to Singapore. It also integrates with IATA’s Timatic, and the plan is to integrate with the full IATA Travel Pass app.

Lastly, there are private industry solutions, such as IBM’s Digital Health Pass and Daon’s VeriFLY.  Daon is a private software vendor who sells authentication and biometric platforms used by a variety of financial service companies. Neither solutions has been put into any beta testing for travelers as of yet.

Clearly, Covid-19 vaccine passports are still very much development projects. As they gradually roll out across the globe, they will remain subject to a lot of testing, adapting and shifts in functionality.