Covid/Vaccine Passports: Why is it so difficult?

by Jorge del Prado

You probably took breakfast this morning reading something about vaccine passports or maybe you saw it on the news or someone mentioned it in your morning zoom call. The topic is everywhere now and the average person probably is asking the same question, why is it so difficult to create a vaccine passport? I have some answers for you today:

1.    Test result or vaccine attestation. The first step in the Covid passports/credentials process is the effective event of testing and vaccinating. When you get a Covid test or you get a vaccine jab there is someone checking the result of the test or confirming the vaccine was provided properly. It is not a police officer checking the process is right, it is common sense, someone knows the test was negative and have enough information to communicate that to you as a patient/citizen. In the case of vaccines as they must happen in person there is a moment where attestation of this vaccination can happen and can be registered in a digital system. All this seems pretty obvious but this is the point where not having a trusted way to attest a test result or vaccine administration generates a door for fraud. Test results, in this case, is the most difficult one as they are managed by thousands of test labs that follow different standards and methods. Attestation must be done by someone trusted, someone meaning an organisation trusted with a process trusted not open to fraud. For example, attestation of vaccination in the UK is done by NHS workers using NHS systems so the source of truth will be the NHS. Labs' case is much more heterogeneous and therefore more difficult to manage.

2.    Identity binding. The second critical step is identity binding. This process must be clear and strict to avoid linking test results or vaccination to the wrong person. In both cases there is usually an identity declaration before both happen, someone requests a test or books vaccination linked to their name. What is not so clear is if identity verification is performed before the result or vaccine attestation is linked to the person. Assuming this is the case through a visual photo ID review, the test result or vaccine attestation that we trusted in the previous step will be linked to identity (name, surname and date of birth probably). This step is usually overseen in developed countries as they assume this is contextually protected, a combination of pre-validated identity (NHS knows where you live and the GP knows you personally) and goodwill meaning there is no reason to get vaccinated with a fake name or get a test with a different name, in both cases criminal offences if you try to do so. In summary, assuming goodwill from citizens the test result/vaccine attestation is linked to the right person in a trusted registry (for example, NHS databases).

3.    Verifiable proof. We are entering the most difficult part, providing the person with verifiable proof of the test or vaccination. At the moment, this is extremely heterogeneous: SMS, email, pdf, mobile apps, QR codes… And verification is usually visual, someone reads the content of the test result or vaccine attestation and probably verifies the identity through a photo ID document in person. This step is the one more open to fraud as the verification process is too weak. A cryptographically verifiable proof or a physical copy secured with visual features is required to increase trust and reduce fraud. The reality is that now, the proof is too easy to counterfeit or tamper with and there is already a market for fake negative Covid test results. 

4.    Interoperability. Interoperability means the proof can be understood by different entities, countries and scenarios. It is not only about the language but about the vocabulary used and the format. Physical passports follow an international standard so any airport in the world can understand any passport from any country. This took years to be defined and to be adopted. The same problem happens with Covid Credentials, even if they all follow the same standard, they need to provide common ways to verify and a common vocabulary. That means countries will need to agree and, as we know, this is always the most difficult part. There is also a debate about the right approach, giving the citizens all the power with a decentralised Covid Credentials distribution (that effectively means the credentials are only stored by the holder) or using a centralised approach where there is an accessible database with Covid related credentials. In both cases, interoperability must be considered so credential can be understood anywhere and in the same manner.

5.    Inclusivity. The last challenge and probably the major one is inclusivity. We are technically more than ready to create a digital credential for Covid but governments want to make sure no one is left behind in the process. That means you must consider people without a smartphone or without the skills to get their credential digitally. This is actually one of the biggest challenges as it only has 2 solutions: a hard copy of the credential with visual security features and a physical link to the digital credential, something you can achieve with bidimensional codes printed (QR codes), already being used in countries like Israel. 

Many companies, organisations and governments are trying to solve this massive puzzle but we don’t have yet a solution to it. In my opinion, tactical solutions will be predominant in specific contexts (Brits travelling to Greece or Spain with a bespoke vaccination credential) and in the short term. More strategic solutions will be put in place for good, it is quite likely a health visa or credential will also follow an ICAO standard so any airport in the world can read it and understand it. 

We use cookies and other similar technologies to improve your browsing experience and the functionality of our site. By clicking "Accept", you consent to the storing on your device of all the technologies described in our Cookie Policy. We urge you to read our Privacy Policy and Terms of Use to better understand how we maintain our site, and how we may collect and use visitor data.