Got your covid shots? You might have to prove it.
Vaccine credentials are in the works in some places, but the technical and ethical complexities create big hurdles for developers and lawmakers.
As covid vaccines roll out in a handful of countries, the next question has become: How do people prove they’ve been inoculated? For months, this conversation—and the ethical questions any “vaccine passport” system would raise—has been theoretical, but over the last few weeks, efforts have become more concrete. Australian airline Qantas started running a trial in March, while New York launched the first state-level system in the US last week. And on April 5, the UK said it would conduct a pilot as part of its gradual easing of lockdown restrictions. The moves have prompted various reactions: some states in the US have endorsed the concept; others have banned it.
What is a vaccine passport?
When experts talk about turning proof of vaccination into a credential or passport, there are usually two very different reasons they’re put forward.
- Proof at international borders. You’d pull this out for immigration authorities when entering another country, mirroring how international vaccine records [pdf] have typically worked for decades—many nations already recommend vaccinations for entry, or require proof of immunizations for diseases such as yellow fever.
- Proof for around town. This kind of credential would get more day-to-day use, and it is the one most people are discussing when they talk about vaccine passports. Experts envision that you might show this to enter the building you work in, go to a cafe, or attend a private event such as a concert or wedding.
In either case, the pass might come in one of two forms. It might be stored on your smartphone, or you might carry a piece of paper that could be scanned or displayed. Systems would typically work with either proof of vaccination or a recent negative test. The UK’s early-stage pilot will reportedly also allow proof of recent infection, which would lend a person immunity.
Who’s developing products?
In most places, despite all the recent conversation, vaccine passports haven’t materialized, but many countries and private companies continue to forge ahead. Airlines are talking about an industry-wide solution, for example. As far as countries go, Israel’s version of a vaccine credential is one of the furthest along. Its “green pass” launched in February.
With so many players, software companies have been jockeying for months to become the go-to solution for vaccine credentials. Some are beginning to join up with each other to agree on some common standards. For instance, New York’s system, the Excelsior Pass, uses IBM’s Digital Health Pass. IBM is also a member of Linux Foundation Public Health, an organization that helps hundreds of developers share code and ideas.
But even with increased cooperation, there’s still a lot to sort out. A few big questions about vaccine passports are still on the table.
How will developers keep private health information secure?
New York’s app promises privacy but doesn’t explain how that’s accomplished, says security researcher Albert Fox Cahn, who directs the Surveillance Technology Oversight Project based in New York. He says, “We don’t even have the most rudimentary information about what data it captures, how that data is stored, or what security measures are being used.” Cahn says that he tried an “ethical hacking” exercise: he got permission to try activating a user’s pass simply by inputting details (like birth date) found on social media accounts. He says, “It took me 11 minutes before I had their blue Excelsior Pass.”
For Israel’s green pass, some security experts have already outlined concerns about the outdated encryption being used.
Paper, smartphone, or both?
Requiring people to use a smartphone would exclude significant portions of the population, including many older people and some who cannot afford or choose not to use high-end phones. New York’s pass system—currently in a pilot phase for selected big venues—says that a paper card would be acceptable proof, and that other states’ records or negative test results should also work. That sort of flexibility is part of other proposed systems, too. The PathCheck initiative, run by MIT associate professor Ramesh Raskar, is working on a system that uses paper cards with QR code stickers attached. Codes can be scanned by venues or anyone who wants to vet people entering a space. Other solutions, he says, are too heavy-handed. “People are trying to build business models on top of it,” he says. Instead, he says, “we need a mass-use solution right away, in the middle of a pandemic.”
How does immunization data get stored and shared?
In some countries with nationalized health systems, like the UK and Israel, immunization records can be made centrally accessible. In the US, however, a universal solution faces another major hurdle: the country’s fractured health-care system. Vaccine records are stored in a patchwork of databases that don’t normally work together.
“It’s a jumble,” says Jenny Wanger, who oversees covid-related initiatives for Linux Foundation Public Health. “This is all just a sign of how massively underfunded our public health infrastructure has been for so many years.”
The US’s disconnected system stands in stark contrast to countries like India, where data is much more centralized, says Anit Mukherjee, of the US think tank Center for Global Development. There, he says, “there is no way that we can manage a rollout of a vaccine for one billion people without having some form of centralized system.”
What about the ethics of requiring vaccine proof?
While the benefits to those who are able to use vaccine passports are clear—they will be able to return to something resembling normal life—there are legitimate concerns about the ways in which digitized data will be used, today and in the future. Points to keep an eye on:
- Access could be unfairly limited for some people. The vast majority of shots received so far—84%, according to the New York Times—have been given in wealthier countries. And even in those countries, certain groups of workers haven’t been prioritized—US nail salon technicians, for example, have been low priority despite facing high rates of infection. In Israel, distribution to Palestinians in the occupied territories remains slow. For those without a vaccination record, vaccine passports will require proof of a recent negative test, which could cost time or money to obtain.
- Laws and policies will need to spell out protections. Imogen Parker leads covid technology work at the Ada Lovelace Institute in London, which has been studying vaccine passports and surrounding ethical issues since May 2020. She says that when it comes to day-to-day use, “there has to be real clarity about how this interacts with equalities legislation, employment law ... Could this be used at protests? Could this be used at voting booths?” In the US, she says, that information could also pipe to insurance companies, unless such uses are specifically prohibited.
- Countries could use credentials as a way to keep people out. For border crossing, Parker says, the complication is that not all countries have vaccines yet: “Is this going to encourage [countries] to spread vaccines? Is travel and trade predicated on vaccine status?” Mukherjee, meanwhile, points out that not all vaccines are equal. For example, some studies suggest China’s CoronaVac has an efficacy of around 50%, lower than the rates of 90% and higher shown by the Pfizer-BioNTech and Moderna vaccines. Does this mean even those with the “wrong” vaccinations could end up being rejected?
What does the road ahead look like?
With so many questions still to be answered, the stakes for getting it right remain high. In a slide deck obtained by the Washington Post, federal officials worried that a botched rollout “could hamper our pandemic response by undercutting health safety measures, slowing economic recovery, and undermining public trust and confidence.” Since then, the Biden administration has said that it will not issue a nationwide mandate.
But despite the recent media coverage, political takes, and new app launches, it’s not clear what the long-term outlook for vaccine credentials might be. In the short run, they might become a sort of nudge for the hesitant, encouraging them to get their shots in order to open doors that would otherwise remain (literally) closed.
“Our intention is to open as many places as possible with the green pass,” said Israel’s health ministry’s director for health, Sharon Alroy-Preis, in an interview with the Israeli news website Ynet. “The goal is to create places that are safer, and to encourage vaccination.”
But after that? Experts don’t know yet—and even Israel is still figuring it out. The clearest answer isthat, for at least a brief window of time, in certain places, people may need to prove that they’re inoculated or free of covid. Whether or not these systems stick around, and how people will feel about that, is as hard to predict as the course of the pandemic.
Even if the future is murky, though, Parker says that having a sense of the long view is important: “You’re building a tool for health surveillance and normalizing a number of third parties requesting or requiring individuals to share data. There’s a really big question of how that could evolve.” On the other hand, she says, if this is temporary, “do we have the ability to dismantle it?”
Bioethicist Arthur Caplan, founding head of the Division of Medical Ethics at NYU School of Medicine, says that he’s seen how norms around vaccinations can change and evolve. He recalls his push to require health-care professionals to get flu shots and says that after initial debate, the controversy died down: “Some people said, I’m not doing it, I hate it. After about two years of that? Nobody cares. They just do it.”
And in any case, ending the pandemic relies on multiple factors, not just one kind of technology, says Julie Samuels, who helped launch New York’s exposure notification app last year. As with all tech related to the pandemic, she says, “it’s important to think of these things as just a layer of protection … Obviously the most important thing is to get as many people vaccinated as possible.”
This story is part of the Pandemic Technology Project, supported by the Rockefeller Foundation.
How Russia killed its tech industry
The invasion of Ukraine supercharged the decline of the country’s already struggling tech sector—and undercut its biggest success story, Yandex.
AI might not steal your job, but it could change it
AI is already being used in the legal field. Is it really ready to be a lawyer?
How to preserve your digital memories
Following recent announcements by Google and Twitter, more data deletion policies are coming.
Your digital life isn’t as permanent as you think it is
Google will delete accounts after two years of inactivity, and experts expect more data deletion policies to come
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.