We can, but should we?


Use Case, Misuse Case, Abuse Case

Immunity certificates and its implementation using privacy-respecting decentralized technology is currently being proposed as an urgently needed capability. Have we fully explored the implications?

Before we go any further, let me separate the ongoing discussions’ regarding smartphone app based automated contact tracing from this discussion which goes by many names including “immunity passports”, “immunity certificates” and the like. Separating the discussions is helpful to dive a bit deeper into the latter.

In general, I attribute no malice or profiteering to these proposals, but instead see them as the technical community wanting to do their part to help in this time of shared troubles by applying their talents for the greater good. Many of the people involved are smart, thoughtful colleagues of long standing and in some cases friends.

Use case

To start, this high level overview of the various technical considerations in developing and deploying a privacy preserving approach to sharing COVID-19 test status speaks to the need for integration with existing processes to enable identity onboarding, gathering COVID-19 test results, and presenting the test results while making the process “individual driven” and “compliant to current privacy, consent laws and regulations.”

There are many variations of this approach under development using a variety of technologies and standards, but in many ways the referenced high-level overview is a good distillation of all of them in how one can go about presenting testing results.

Misuse case

And there’s the rub.

The entire approach is predicated on whether or not the test results actually convey useful information that can improve public health. For that you don’t have to look beyond the guidance being offered by the World Health Organization (WHO) on “Immunity passports” in the context of COVID-19:

  • “As of 24 April 2020, no study has evaluated whether the presence of antibodies to SARS-CoV-2 confers immunity to subsequent infection by this virus in humans.”
  • “People who assume that they are immune to a second infection because they have received a positive test result may ignore public health advice. The use of such certificates may therefore increase the risks of continued transmission.”
  • “These tests also need to accurately distinguish between past infections from SARS-CoV-2 and those caused by the known set of six human coronaviruses. Four of these viruses cause the common cold and circulate widely. The remaining two are the viruses that cause Middle East Respiratory Syndrome and Severe Acute Respiratory Syndrome. People infected by any one of these viruses may produce antibodies that cross-react with antibodies produced in response to infection with SARS-CoV-2.”

Needless to say, it does not matter how much the technical implementations consider the dignity and privacy of the individual if what it ultimately conveys is useless information. Garbage in, Garbage out!

Abuse case

Finally, we come to the part that technologists rarely consider, which is the unintended or unexpected human consequences of the technologies they build. For that, and because I live in the USA, let me start by sharing some stunning data from the Centers for Disease Control and Prevention (CDC) on COVID-19 in Racial and Ethnic Minority Groups:

  • “Among COVID-19 deaths for which race and ethnicity data were available, New York City identified death rates among Black/African American persons (92.3 deaths per 100,000 population) and Hispanic/Latino persons (74.3) that were substantially higher than that of white (45.2) or Asian (34.5) persons.”
  • “Health differences between racial and ethnic groups are often due to economic and social conditions that are more common among some racial and ethnic minorities than whites. In public health emergencies, these conditions can also isolate people from the resources they need to prepare for and respond to outbreaks.”
  • “The risk of infection may be greater for workers in essential industries who continue to work outside the home despite outbreaks in their communities, including some people who may need to continue working in these jobs because of their economic circumstances.”

The CDC report clearly paints the picture of a disease that is particularly destructive to racial and ethnic minority groups due to existing economic and social conditions. It also notes that the same population is overrepresented in work environments classified as critical or essential where they do not have the luxury of working from home to put food on the table for them and their families due to economic circumstances.

An immunity certificate will further disenfranchise this population by establishing a two-tier credentialing system in which they have to participate in due to economic conditions, but which from a scientific and medical perspective, serves no useful function (as of today 9 May, 2020) other than providing an illusion of safety!

This. Is. A. Bad. Idea.

A way forward

My suggestion at this time is to focus on one or two hard things now when everyone is engaged and, if addressed now, will solve two or three things downstream.

  • Digital Vaccination Certificates - This is almost entirely paper based now and it needs to be digital and globally interoperable. Put in the hard work now to come to agreement on how to represent them as Verifiable Credentials. Engage public health authorities to get their buy in now, so that when we have a COVID-19 vaccine (We will!), we are ready! In the interim, we get to use this now for our existing vaccination records!

  • Digital Airline Medical Clearance Forms - This is the paper based “Doctor’s Note” that is given to an airline if you are traveling with a medical condition which is implemented differently by each airline. We know that airline travel will be significantly different in the new world and changes that will ease the new flaming hoops we will have to jump thru will be much appreciated. Can we digitize and standardize this? Get buy-in from air carriers to integrate it into the existing Passenger Name Record (PNR) process? This is another thing that people can start using immediately to simplify their lives that will continue to be needed later.

And, lastly, can we just stop with the immunity certificates, please?

cyberforge: random and relevant

 Tweet  Share  Email

Get the best cybersecurity research, resources and insights to help secure and safeguard the digital world.
No Charge. No Spam. Unsubscribe Anytime.