- Vaccine passports are not yet safe and secure enough to be widely distributed.
- Many of the options available today present security risks for sensitive personal information.
- To successfully implement vaccine passports, data-tracking guidelines, government policies, and online behavior must change.
- Mary Writz has 19 years’ experience in the field of cyber security and is the vice president of product at ForgeRock.
- This is an opinion column. The thoughts expressed are those of the author.
- See more stories on Insider’s business page.
I am a former ethical hacker, and because of my more than 20 years of experience in security, my friends and family often come to me with cyber security questions. On their minds lately is the question of whether digital COVID vaccine passports are safe.
The short answer is not yet. While I believe it is possible to build a safe and secure digital vaccine passport, there are serious hurdles that make it difficult to deliver an app that can stand up to the security and privacy rigors that would meet my, or my peers’, standards.
Anyone considering downloading one of the existing applications should proceed with caution — some of the options today present too great a risk to people’s identity. Many of these hastily-created applications can expose sensitive personal and health information, which can be sold and used in malicious ways. Tech companies need to keep working to create a safe digital vaccine passport.
A digital passport even a hacker could trust
Before we can debate the possibilities a vaccine passport can unlock, we need to address safety and it’s clear a new approach to vaccine verification is needed. Currently, the technology community does not have the right solution in front of them — it is more of a buffet of options, some riskier than others.
Ideally, companies should aim to create a single, universally-accepted physical or digital passport recognized by all governments and businesses while preserving our privacy and securing our health information. Think of it as the ultimate passport to life that speeds our return to normal when the next global health crisis emerges.
A universal passport could also include verification data for other documents we carry separately today, like driver’s licenses, passports, social security cards, membership cards, and credit card information. But we cannot place big bets on improving access to the digitally-connected world without also investing in security solutions first.
Technical challenges and public buy-in
Technically speaking, the challenge will be to get a bunch of technologists to agree on a standard approach to vaccine tracking. A universal standard will require alignment on what constitutes evidence of vaccination or how data should be collected and stored from the start — without leaking users’ personal information.
Without a widely-adopted set of standards, people will be downloading myriad, potentially dangerous mobile apps to do things we all desperately miss doing now like going to a movie or a concert.
The problem with a fragmented approach is most people do not know how to spot a good app from a less trustworthy option. We can count on Google and Apple to filter out a lot of the garbage for us, but without checks and balances, it’s virtually impossible to ensure the digital safety of these apps. As non-technical consumers, it would be even harder to avoid being tricked into downloading a copycat version or an app that was not developed securely.
Additionally, even if the technology is sound and secure, some folks may not feel comfortable with vaccine verification apps initially. The reason my friends and family come to me for my opinion on the security of technologies is because they feel unqualified to ascertain if these applications are safe. For widespread adoption to take hold, we need time to educate citizens and get their buy-in.
In the meantime, if someone needs to use a vaccine passport now, they should only use a link from an actual source like a government agency, employer, or mobile carrier. Scanning a random QR code or clicking a link from an unknown source can be dangerous.
Government policy around vaccine passports can help
A potential solution for the cultural friction that could surface would be to enforce a government policy around vaccine passports, but there are challenges here too. Governments across the world differ in their ability to enforce such policies, and currently the US government indicates a preference to leave it to the private sector. Even if that position changes — or a public-private partnership forms in our country, like European EID schemes — it would take time to determine specifics surrounding vaccine passport enforcement and the infrastructure needed to stand it up.
Historically, legislation has not kept up with the rapidly-shifting technology landscape. In the case of approving COVID-19 vaccines, we have seen the government move quickly and partner with the private sector to help bring a life-saving solution to market fast. That same rule-breaking approach in developing new protocols that sidesteps traditional processes could go a long way in helping to deliver a universal vaccination passport. For example, the US could fund and steer a task force aimed at delivering a solution that encompasses thinking across policy, security, and user experience.
And it can be done. The tech community has solved hard problems before, like securing the internet with SSL, and they can do it again. But it does not happen overnight — it takes time, resources, and a mindset shift to find the right solution. If tech and government agencies work together, we can be ready to help society get back to the things we love faster, with more confidence in its safety and security.
Mary Writz is the Vice President of Product at ForgeRock. Mary has 19 years’ experience in the field of cyber security. Prior to ForgeRock, Mary held product and leadership positions at Hewlett Packard and IBM in domains such as threat detection, machine learning, penetration testing, security intelligence, distributed denial of service, and targeted attack protection. Mary holds two patents and a Master of Engineering degree in telecommunications.