Some Technological Challenges, Solutions, and Implications of Vaccine Passports

Safe travels

You knew simply saying it would never be enough. After 18 months of lockdowns, work stoppages, and stay-at-home orders, you knew that sooner or later you’d actually have to prove that yes, you actually have been vaccinated against COVID-19.

Put aside for the moment the why or the whether of such a mandate—let’s talk about the how. As in: how exactly would we implement such a “vaccine passport” for billions of people? How could we co-ordinate or standardize such an effort across the globe? How could we ensure our medical information isn’t leaked or that various ne’er-do-wells don’t flood such a system with fakes and forgeries?

It’s easy enough to simply throw up your hands and declare it can’t be done. But that doesn’t seem to have stopped a lot of organizations—cities such as New York and San Francisco; big-tech names such as Microsoft and Google; a growing number of universities; the European Union—from giving it a go. Eventually, it’s likely that almost anywhere you would ever want to go will require some sort of proof that states the time, place, and type of vaccine you received before you get through the door.

In the developed world, efforts have focused squarely on making such documentation digital: a scannable QR code, for example, or perhaps a dedicated smartphone app that provides vaccine information (though Canada will have a paper option). In theory, such an approaches have a big advantage over old-school passbooks or paper documents: they’re always at hand, they’re portable, more durable than paper, can be easily amended or revised via a software update, and could be approved or even standardized across jurisdictions.

What about privacy, you ask? Good question: as most users have discovered by now, any information that can be put onto a phone, sent in an email, or uploaded to a so-called secure website can almost surely be hacked from one. Even more so if we’re asked to flash that sensitive information across semipublic networks multiple times a day—not only at the border, but at the gym, the coffee shop, the kids’ school, the office, or wherever else our travels take us. That’s a big reason many developers and industry groups are pushing for a bare bones,“dumb” technology that provides a minimum of information: name and vaccine status, for example. Such an approach would presumably reduce the potential value of the data, making it a less juicy target for hackers.

Another problem: outright forgery. Already, a thriving cottage industry has sprung up offering counterfeit QR codes, forged medical records, and fake vaccine credentials for anyone who would rather pay for a fictional vaccine than actually receive a free one. The going price for such credentials on the dark web is as little as $12 U.S.—low enough to tempt both the vaccine hesitant and the conspiracy theorists to pull the wool over the eyes of busy health officials.

More interesting still is the question of social implications. What happens to people without access to the technology—those who can’t afford the latest, greatest smartphone, citizens in developing countries who don’t have access to phone-based infrastructure? In our effort to use technology to overcome biology, will we end up creating a kind of techno-caste system, in which the “haves” of high tech enjoy freedom of movement, freedom of choice, freedom of contract, and (perhaps most importantly) freedom from stress, while the “have nots” muddle along as best they can? That may end up being the most lasting impact of COVID-19: the first pandemic in history in which you need a dose of technology to participate in life as it once was.