
DIGITAL VACCINE CERTIFICATES PRESENT OPPORTUNITIES AND CHALLENGES

Apr 12, 2021

Summary

  • Growing call for digital vaccine certificates to authenticate those who have been vaccinated.
  • There are ways to build apps and data-protection frameworks that minimize the risks, such as sharing only essential data, using encryption and tokenization, and staying vigilant about data regulations.
THERE ARE SERIOUS CONCERNS ABOUT DATA SHARING

As COVID-19 vaccine rollouts have accelerated and life inches back to some sense of normality, the call for digital vaccine certificates has grown. Governments, airlines, hotels, gyms, and sports and entertainment venues are all looking for ways to quickly and efficiently authenticate those who have been vaccinated.

In Israel, individuals who are fully vaccinated can already use an app that displays a “green pass.” This recently allowed people to attend a concert in Tel Aviv amid a continuing lockdown. Airlines and others have begun developing apps as well. But it’s not all good news. “There’s no standard system for authenticating people who have been vaccinated,” observes Alasdair Anderson, General Manager EMEA for Protegrity.

Indeed, different standards and data-collection methods translate into data risk—particularly when data is shared and pooled across organizations. While there’s growing pressure on businesses to adopt some type of digital system to reopen and speed lines, “There are serious concerns about data sharing and, in some cases, there are operational and regulatory risks,” Anderson notes.

THE SHOT HEARD ROUND THE WORLD

Nevertheless, it’s nearly certain that no single standard will emerge for digital vaccination authentication. With numerous industries, companies and groups attempting to address the problem quickly, there’s insufficient time to cobble together a unified global framework. There are also numerous governments and jurisdictions to deal with, and different industries have different needs and requirements.

For example, the International Air Transport Association (IATA) is currently developing a Travel Pass app; British Airways, American Airlines, and others are already testing a mobile health app called VeriFLY; and the World Economic Forum and Commons Project Foundation are working on an app called CommonPass. Meanwhile, the European Union (EU) is developing a “green pass” app that will verify those who have received a vaccination. Yet these apps probably won’t work together or be accepted by all companies or countries, so citizens will likely need to use multiple apps.

Yet even if a standard were somehow to emerge, or even a group of standards within, say, the airline industry or entertainment sector, serious risks and concerns remain. “Companies often share data in clear text and, depending on what data is sent and the data-protection framework in place, it could pose security and privacy risks,” Anderson notes. Another problem is how apps handle data. It’s important to ensure that only the necessary data is displayed at the point where it’s needed. “Including unnecessary information increases the risks,” warns Anderson.

An app could conceivably display a person’s name, physical address, account information, or passport or Social Security number or the equivalent. In today’s API-centric world, it’s difficult to track every direction in which sensitive and personally identifiable information (PII) travels. As a result, even the most stringent protections can still fail.

RX FOR GREATER PROTECTION

Ultimately, there’s no simple answer to this problem. In fact, there’s essentially no way to tackle the entire problem. But there are ways to build apps and data-protection frameworks that minimize the risks—and keep PII data secure. What’s more, they extend beyond digital vaccine certificates. These include:

  • Sharing and displaying only the data that’s relevant and essential. An app should never be designed to provide any more than the essential baseline of data required for authentication or a transaction.
  • Encrypting data at rest and in motion. This must extend across APIs and partners, not stop at the organization’s own systems.
  • Using data tokenization and other methods to mask or anonymize data, including k-anonymity.
  • When possible, using homomorphic encryption, which makes it possible to analyze, process and use data without decrypting it—and thus without revealing the source data.
  • Keeping an eye on data regulations and staying vigilant about minimizing the risk of a violation.
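The first three points above (disclose only what the relying party needs, tokenize identifiers, and make the pass tamper-evident) can be shown together in code. The following is an added example written for this page; it is not Protegrity’s code nor that of any of the apps mentioned. The record, the disclosure policies, the two-dose rule and the issuer key are all constructed or assumed, and the symmetric HMAC stands in for the digital signature a real issuer would use so that verifiers never hold a secret. Homomorphic encryption and k-anonymity are not covered here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record, as an issuing health authority might hold it.
# Every value here is made up for the example.
FULL_RECORD = {
    "name": "Jane Example",
    "date_of_birth": "1985-03-14",
    "address": "1 Example Street, Example City",
    "passport_number": "EXAMPLE-PASSPORT-0001",
    "vaccine": "EXAMPLE-VAX",
    "doses": 2,
}

# Assumed policy inputs (not from the article): doses needed to count as
# vaccinated, and which claims each kind of relying party may receive.
REQUIRED_DOSES = 2
DISCLOSURE_POLICIES = {
    "venue": ["vaccinated"],                     # a gym or concert only needs yes/no
    "airline": ["vaccinated", "passport_token"], # an airline must tie the pass to a traveller
}

# Constructed issuer key. A symmetric MAC keeps the example short; a deployed
# scheme would use a digital signature so verifiers hold no secret.
ISSUER_KEY = b"constructed-issuer-key-do-not-reuse"


class TokenVault:
    """Replaces a sensitive identifier with a random token.

    Only the issuer keeps the mapping table, so a pass that leaks in transit
    or is logged by a partner reveals the token, not the passport number.
    """

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value not in self._to_token:
            token = secrets.token_hex(8)  # random, so it cannot be reversed without the vault
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]


def _canonical(claims):
    # Deterministic encoding so issuer and verifier MAC identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_pass(record, purpose, vault, key=ISSUER_KEY):
    """Build a pass holding only the claims the stated purpose requires."""
    derivations = {
        "vaccinated": lambda: record["doses"] >= REQUIRED_DOSES,
        "passport_token": lambda: vault.tokenize(record["passport_number"]),
    }
    claims = {field: derivations[field]() for field in DISCLOSURE_POLICIES[purpose]}
    claims["purpose"] = purpose  # bound into the MAC so a venue pass cannot be replayed to an airline
    tag = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def verify_pass(vaccine_pass, purpose, key=ISSUER_KEY):
    """Accept only an untampered pass issued for this purpose that attests vaccination."""
    claims = vaccine_pass["claims"]
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, vaccine_pass["tag"]):
        return False
    return claims.get("purpose") == purpose and claims.get("vaccinated") is True


if __name__ == "__main__":
    vault = TokenVault()
    for purpose in DISCLOSURE_POLICIES:
        issued = issue_pass(FULL_RECORD, purpose, vault)
        print(purpose, issued["claims"], verify_pass(issued, purpose))
```

The venue pass carries nothing but a boolean and its purpose, so name, address and passport number never leave the issuer; the airline pass adds a token that only the issuer’s vault can map back to a passport. Because the purpose is part of the MAC’d claims, a pass minted for one relying party is rejected by another, and any edit to the claims invalidates the tag.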

Over the short term, businesses are going to face a conflict: there’s pressure to open up but also pressure to protect people—and their data. The task, especially for airlines and others, will be to achieve the right balance between moving people through lines quickly and protecting their data. As digital vaccine apps take hold, it’s up to government agencies and businesses to do their best to build data protection into those apps.
