Vaccine passports: necessary safety measure or unacceptable privacy risk?
Securing the trust of citizens is often harder than it is to secure digital apps.
As Covid vaccines have begun their gradual and somewhat uneven rollout around the world, all eyes have turned to Israel as it soars ahead. Indeed, so proficient has the country been in vaccinating its population that at the start of March society began to open in earnest.
At the heart of the policy was the app developed by the government to prove that someone had received the jab.
The so-called "Green Pass" has been mired in controversy, not least because of the security issues associated with it.
Within weeks of its release, users began complaining about the app's poor usability, and it proved to be a significant consumer of the device's memory.
The app was also developed as closed source, and critics argue that there was a significant lack of involvement from cryptographers and security experts. Indeed, when experts looked under the hood at the code, they found numerous problems that they believe cast significant doubt on the ability of the app to reliably verify someone's vaccination status.
Israeli security researchers Dr Eyal Ronen and Prof. Orr Dunkelman found a number of issues with the code, not least in the fact that the developers didn't appear to use cryptographic algorithms in the app.
What's more, the verification method behind the QR code used by the app was found not to match the specifications published by the Israeli Health Ministry, which meant that the code was bloated and unduly complicated.
The pair also found that the app had the possibility of an information leak due to flaws in the process used to allow users to contact the Health Ministry. They found that when users send a message via the contact page, it's sent to a private Gmail account rather than an official government email. Worryingly, they found that the passwords connected to the account had already been leaked and were available online.
While it's feasible that the account, which belongs to a ministry official, has updated its password since it was leaked, the Health Ministry amazingly says that there's no way of proving this as the account is private and not under state oversight.
Last, but not least, the developers utilized the SpongyCastle library of cryptographic programs, despite the library not being maintained for over three years and largely reliant upon a single developer.
Of course, the Israeli effort is by no means the only vaccine passport effort under way. For instance, Air New Zealand is testing digital vaccine passports on flights to Australia, with the aim being to allow officials to quickly ensure that travellers have received the appropriate vaccinations.
The Air New Zealand passport is the International Air Transport Association (IATA)'s digital Travel Pass app, which has also been adopted by Qatar Airways, Qantas, Singapore Airlines, and Malaysia Airlines, among others. For such a system to be effective, however, it would need not only to comply with the regulations in different countries but also to be impossible to tamper with and modify.
The IATA passports require all vaccine-related information to be transferred to the IATA software where it is then verified by a suitably authorized third party. Digital cross-checking is then performed to ensure that the travel requirements from each government are applied to all travellers coming into or leaving that country.
It’s likely that the system will require an international network of vaccine providers that have been approved by IATA, but such a network doesn’t exist at the time of writing. Each approved provider would be given access to the software to enable each vaccination to be recorded.
This vaccination log would be connected to the patient’s identity record, which could be their passport number, so it could then be used for travelling. It would obviously also need an easy means of transferring the millions of people who have already received vaccinations onto the system.
The idea is that once you’ve been vaccinated, a log is created and securely sent in an encrypted format to the app’s software on your device, where it can only be retrieved by an approved official, such as a border official, and only with your consent.
Advocates of the vaccination log approach believe that it’s pretty robust and creates an unbreakable connection between your vaccination status and your personal ID.
As such, even if your phone was stolen, the data could only ever be used in conjunction with your passport.
Security features built into devices, such as Apple’s “secure enclave”, provide further security against your information being moved to another device without your permission. Android has similar tools that have been designed to be used with smart wallets. With each border crossing only requiring vaccine information and identification details to be shared, the developers also believe that it minimizes the amount of information that can go astray.
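The binding described above between a vaccination record and a passport number, as an added sketch that is not IATA's or any vendor's code. It assumes a hypothetical record layout, and an HMAC from Python's standard library stands in for the issuer's digital signature, which a real deployment would make asymmetric so that verifiers hold only a public key.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed demo key, stands in for the issuer's signing key


def _binding(passport_no: str, salt: str) -> str:
    # Salted hash keeps the raw passport number out of the record. It binds the
    # record to the holder; it does not hide a guessable number from brute force.
    return hashlib.sha256(f"{salt}:{passport_no}".encode()).hexdigest()


def _tag(body: dict) -> str:
    # Canonical JSON so issuer and verifier authenticate identical bytes.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()


def issue(passport_no: str, vaccine: str, date: str) -> dict:
    salt = secrets.token_hex(16)
    body = {"vaccine": vaccine, "date": date, "salt": salt,
            "holder": _binding(passport_no, salt)}
    return {"body": body, "tag": _tag(body)}


def verify(record: dict, presented_passport_no: str) -> str:
    body, tag = record.get("body"), record.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return "malformed"
    if not hmac.compare_digest(_tag(body).encode(), tag.encode()):
        return "tampered"
    expected = _binding(presented_passport_no, str(body.get("salt", "")))
    if not hmac.compare_digest(expected.encode(), str(body.get("holder", "")).encode()):
        return "wrong-holder"
    return "ok"


def demo() -> dict:
    rec = issue("X1234567", "example-vaccine", "2021-03-01")  # constructed sample values
    edited = json.loads(json.dumps(rec))
    edited["body"]["date"] = "2021-01-01"           # change a field after issuance
    rebound = json.loads(json.dumps(rec))           # re-point the record at another passport
    rebound["body"]["holder"] = _binding("Z7654321", rebound["body"]["salt"])
    return {"owner": verify(rec, "X1234567"),
            "stolen_phone": verify(rec, "Z7654321"),
            "edited": verify(edited, "X1234567"),
            "rebound": verify(rebound, "Z7654321"),
            "garbage": verify({"body": "x"}, "X1234567")}
```

A record copied from a stolen phone fails at the border because the presented passport does not reproduce the stored binding, and rewriting the binding invalidates the issuer's tag.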
Of course, that might not stop governments from sticking their noses in. For instance, there has already been evidence in Singapore of the country’s contact tracing app giving law enforcement agencies access to data, despite a pledge not to do so.
China has a long history of using location data in compulsory health apps to determine whether the user has the right to enter certain places or to travel. This data also appears to be shared with law enforcement agencies.
As we’ve seen with the vaccines themselves, securing the trust of citizens is often harder than it is to secure the digital apps they’re provided to help prove their health status. It will be interesting to see how the early mishaps made by Israel with its app affect usage, or whether such is the pent-up desire to return to normal life that people are happy to suffer what many believe will be a short-term inconvenience to regain that semblance of normality.