Privacy Concerns Plague Non-Blockchain ‘Health Passports’

American Airlines has become the first U.S. airline to introduce a health passport as a requirement for travel, in what could soon become a global policy. The VeriFLY mobile app will be made available for travelers departing for all international destinations, in support of a U.S. government mandate that all passengers test negative for COVID-19 within three calendar days of travel.

While the use of health passports has been debated since the dawn of the COVID-19 pandemic, the issue of ensuring users’ data privacy has proven a major obstacle to widespread acceptance. Indeed, proposals by companies and governments all over the world have caused considerable alarm for their potential to create an oppressive digital system and deliver sensitive medical information into the care of governments and employers.

The case for health passes

It’s certainly true that health passports are an innovative idea that is getting its big break during the ongoing coronavirus pandemic. Rather than a paper document, the term refers to an app or similar digital infrastructure that can prove the vaccination status of an individual, the presence of COVID antibodies in their blood, and whether or not an individual has recently tested negative for coronavirus. As the global pandemic begins its second year, such a system could prove a welcome change to the anxiety and uncertainty of 2020. In the European Union, calls for a European health pass solution demanding the highest level of data protection in line with the GDPR have been getting louder and louder, and it’s only a matter of time until widespread adoption becomes a reality.

In practice, however, there are several questions that remain to be answered. The most pressing is that of data security, because a centralized system for individual health records is fraught with risk. While a government database tracking the vaccination status of residents may be the easiest to deliver, the risk to personal privacy is objectionable to many, including civil liberties groups: “Digital IDs would lead to sensitive records spanning medical, work, travel and biometric data about each and every one of us being held at the fingertips of authorities and state bureaucrats,” argues Silkie Carlo, head of Big Brother Watch, saying “this dangerous plan would [also]…create a honeypot for cybercriminals.”

Blockchain vs artificial intelligence

In an effort to tackle privacy concerns, the debate within the tech community has centered on the merits of a health passport built with artificial intelligence (AI) compared to one built with blockchain. The advantage of the latter is the fact that it avoids the centralization of private data. In fact, blockchain is specifically designed to circumvent the security issues of more traditional databases, facilitating the storage and transfer of data in a wholly decentralized network. Although the technology is lauded by enthusiasts as the future of verified credentials, blockchain technology has, ironically, been omitted from all airline announcements in recent weeks.

Indeed, a number of blockchain-based solutions for health passes exist regardless of industry oversight. One of the most prominent of these is the Certus system, developed by Swiss security solutions provider SICPA, which would see blockchain-supported QR codes attached to documents that facilitate the authentication and verification of an individual’s health credentials. The system – and the information contained therein – operates without a central database and anonymizes every user’s medical results.

CommonPass pitfalls

Despite the security advantages offered by blockchain, testing of AI-based systems is already well underway, with the UK racing into the initial live testing stage for a facial recognition-based health passport developed by technology providers iProov and Mvine. Meanwhile, another system developed by a group of organizations under the umbrella of the World Economic Forum is also entering the trial phase despite major privacy concerns: CommonPass.

The CommonPass app rapidly gained momentum last year thanks to wholesale adoption by the travel industry, with airlines United, JetBlue, American Airlines, and Lufthansa all announcing plans to introduce the same technology as a requirement for travel. However, the privacy protections of CommonPass have not yet been tested on a large scale, which has raised alarm bells across a range of industries. As Mark McCreary, co-chair of the privacy and data security practice at the law firm Fox Rothschild, explained: “I would be concerned with having all of that [health] information centralized with an organization that is not equipped to store healthcare information.”

While there is little doubt that a common, unified approach to a safe reopening of the global economy is desperately needed, the chances of such a rollout dwindle with every day that the World Health Organization (WHO) fails to lead the charge. As long as the WHO continues to rail against the use of health passes, governments will continue to pursue a hodgepodge of inadequate, and unsafe, systems. A return to normalcy, however strained, is no doubt on the minds of most people going into 2021, but at what cost?