As the UK wrestles with its ability to use technology to trace and track COVID-19 infections, will immunity passports become a reality? Will this technology be able to consider the potential risks and downsides – inclusion vs elitism, protecting vulnerable people, saving lives, privacy and security?
What could a post-COVID-19 world look like? According to guidance from WHO (World Health Organization), part of this new environment could be some form of ‘immunity passport’ or ‘risk-free certificate’ to enable citizens to prove they have some level of immunity against the virus. At the moment, though, there is no strong evidence that anyone with COVID-19 antibodies could not become re-infected.
News that the UK government is about to roll out widespread antibody testing fuels the path to a possible immunity passport, as the data on individual infections would be available. Beginning with healthcare staff, the tests may eventually be open to the broader public. Speaking to the BBC, Prof Martin Hibberd, of the London School of Hygiene and Tropical Medicine, said: “If used successfully, the data generated will be important surveillance information for understanding the effectiveness of control measures put in place.”
Each country could have a different approach: China is rapidly moving ahead and already uses contact tracing technologies and QR codes to control how its populations travel. With this level of personal technology in place, adding an immunity passport to a phone would be a natural step to take. The question remains whether that step should be taken at all. Estonia [https://www.immunitypassport.co/] is already testing a system that would be linked to the existing digital IDs that all Estonians must already have.
Writing in Nature Marcello Lenca and Effy Vayena (from the Department of Health Sciences & Technology, Swiss Federal Institute of Technology in Zurich, Zurich, Switzerland) concluded: “Reports from Taiwan show a promising way to leverage big-data analytics to respond to the COVID-19 crisis without fuelling public mistrust. Taiwanese authorities integrated their national health insurance database with travel-history data from customs databases to aid in case identification. Other technologies, such as QR code scanning and online reporting, were also used for containment purposes. These measures were combined with public communication strategies involving frequent health checks and encouragement for those under quarantine.”
And the Lancet is explicit, pointing to the potential discriminatory and security risk of immunity passports: “Like all such privileges administered by a government, immunity passports would be ripe for both corruption and implicit bias. Existing socio-economic, racial, and ethnic inequities might be reflected in the administration of such certification, governing who can access antibody testing, who is front of the queue for certification, and the burden of the application process. By replicating existing inequities, the use of immunity passports would exacerbate the harm inflicted by COVID-19 on already vulnerable populations.”
Speaking to Silicon UK, Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre) explained: “When looking at the concept of an “immunity passport” or “certificate” there are two distinct problem spaces to address: First there is the efficacy of a test which would conclusively indicate that a person had immunity to SARS-CoV-2 (aka COVID-19), and then that this data element was securely attached to some form of digital identity for that person.
“Ignoring the medical and epidemiological aspect of this discussion, the security implications are significant as they relate to a data supply chain with an ability for independent validation of attestation of immunity. Such a data supply chain would need to function within the political landscape of a given region. As we’ve seen with recent assertions of COVID coverups levelled against China and US statements targeting the WHO, trustworthy data management may not align with political objectives.”
Proving your immunity
Using mobile technology to fight the pandemic is a clear area of development. Already apps exist such as CoronaPass that can store the immunity status of an individual. Vottun adds the Blockchain to the technology mix with testing on-going in Spain, And in the UK, Onfido has secured funding to expand their existing identity tracking technology.
Husayn Kassai, CEO and Co-Founder of Onfido, told Silicon UK: “The idea of immunity certificates is not new. Children who get vaccinations for measles, polio and other diseases and often must show their immunity certificates to register at a new school. Given that we don’t know how long it may be before an effective vaccine is discovered and delivered, in our view, health passports could be a way to help reopen the economy and manage the new normal with a privacy-first approach.”
Kassai concluded: “Moreover, let’s assume that Group A has a presentable proof of immunity and Group B doesn’t. In a situation where there is a total lockdown again, such as no visitors to care homes, then those with a health passport (Group A) could then safely access care homes and help vulnerable people. Crucially, this wouldn’t make those who can’t access (Group B) any worse off, since, under lockdown, they wouldn’t ordinarily have access. It would be a safer way for care workers with a health passport to care for elderly and vulnerable people in a care home than not, so Group B would arguably be better off as well.”
Sidehide is a new app for the hotel sector. Initially developed before the pandemic, the app is now being connected with the technology from Onfido to create what could be the first practical example of an immunity passport. Being initially tested in a select group of hotels in Miami, visitors will be able to show a QR code on their phones when they check-in to prove their COVID status.
An even more startling development has been outlined by Covi-Pass which it’s claimed can scan a VCode at a distance of 100 metres, which could be used to limit access to the building and other public places to anyone that ‘flashes’ red if a person has tested positive for COVID-19, or has no antibodies to the virus. This geofencing is one potential aspect of a working immunity passport.
In this scenario, is the risk of ‘COVID stigma’ a clear and present danger?
René Seifert, co-founder of TrueProfile.io told Silicon UK: “We have luckily managed to take away the stigma of HIV from certain risk-groups for this virus and subsequently for everyone. Therefore, given the broad exposure to COVID-19 from Prime Minister Boris Johnson to healthcare workers to literally everyone, there will be no stigma for people who have successfully recovered from COVID-19 and thereby become immune. By contrast, they might even become some sort of COVID-19 heroes who will be carrying their immunity like a shield proudly in front of them and operate risk-free from COVID-19 in any environment.”
Using technology to support good health has been evolving for decades. Today, wearable technologies have become increasingly popular. Could we see smartwatches capable of tracking and proving our COVID-19 status? The risk is sleepwalking into surveillance, which may have begun with good intentions, but has personal data security risks.
Zac Cohen, COO, Trulioo says: “It looks like any immunity passport applications will be integrated into the much wider manual test and trace programme. Public Health England maintains that the two data sets will be kept separate, but if the app is intimately linked to – and a structurally integral piece of – the test and trace programme, it’s unclear how data obtained through the app and information obtained through the track and trace programme won’t functionally be combined. I understand the need for rapidity in delivering a solution but spinning up both programmes at the same time feels like letting all the fireworks off in one go.”
“Many industries use risk models to evaluate terms of an agreement or what level of due diligence is required throughout an interaction. This is commonplace across insurance, lending, financial services, and more. The determination of what information should be used for that analysis, however, requires oversight and analysis by the appropriate regulatory bodies, and end-user consent to provide it. Clearly, how private organizations would attempt to access information in an immunity passport should be added to any list of concerns needing to be resolved prior to advancing.”
Cohen concluded: “These are trying times, and we all want solutions that protect health and allow the ‘normal’ economic and social activity to return. However, society needs to keep our primary values, such as equality and privacy, at the forefront. Damaging our fundamental principles in the face of danger will not improve our long-term future.”
And The Ada Lovelace Institute also concluded: “An immunity certification regime established by the government for one end – for example, to enable monitoring of immunity to support public health interventions – could be adopted and used for a range of other ends. Employers could require employees to demonstrate immunity to return to work, food delivery services could require customers to establish protection before placing orders, or cafés could ask for immunity certification on entry. The government will need to contemplate these potential secondary uses of an immunity certification regime and ensure they are proportionate and provided for in the regulation.”
Edgar Whitley is an Associate Professor from the London School of Economics’ Department of Management and contributed to a review on how tech will be used by the government to transition out of lockdown also told Silicon UK:
“Tony Blair’s foundation released a report on this recently. It claimed that the crucial role of digital identity in combatting COVID019 had been lost in the debate. It mentions that mass testing and contact tracing only come into force after an infection which leaves many high-risk and close-proximity space, which should only be accessible to recovered or uninfected people, exposed. It then claims that this is the role for digital identity, which could involve, for example, border control or other gatekeepers scanning a secure QR code issued by a verified health authority rather than probing an individual’s entire medical history before letting them through.
“This, however, opens up a more significant set of questions. If the ID card, more likely now a digital identity, is to be rolled out, you need to be reasonably sure digital identities are not being used to create fraudulent identities as GOV.UK Verify and the Department for Work and Pensions has found, this is difficult to do well at scale, and at speed.”
Whether mass populations will need to prove their COVID-19 status remains to be seen. Some countries have already taken a significant step to implement such systems. For countries in the West, however, privacy and data protection may curtail more extensive uses of technology in the post-COVID-19 environment.