Where are we now?
Covid vaccination certificate preparation was kicked into overdrive when EU Commission published on 17:th March the Digital Green Certificate proposal Coronavirus: Commission proposes a Digital Green Certificate (europa.eu). The aim of Commission was to create a harmonized EU-wide proof, with which the countries could return towards normal travel and tourism in summer 2021.
Most countries should raise the ambition level from vaccination certificate to Covid passport. Covid passport is a mobile phone app. With strong authentication the user can display information that he or she has been vaccinated, recovered from Covid with antibodies verified or has recently taken a negative test. With right technical, commercial and regulatory choices the passport can developed and taken into wide use during this summer across multiple areas of society.
In addition to travel, Covid passport has much wider impact on the opening of economies. Summer is high season for many events from concerts to sports and culture. Secure return of customers to stores, museums and offices helps economy rebound. Most workplaces and employees are looking forward to physical presence after a year of remote work. People want to meet each other.
In selected countries Covid passport projects are well advanced. Suppliers have been chosen, use-cases defined, and technical planning is in final stretches or piloting has already started. I have participated in planning discussions of Covid passports in three countries. The furthest along within EU might be Denmark.
Opening of society should not be delayed until last vaccinations
When the high-risk groups have been vaccinated, the infection rates and especially life-threatening cases are quickly reduced. When the vaccination coverage increases in working age population, societies can take determined steps towards normality by using Covid passport as one health protection tool. It also provides the means to prepare for possible setbacks that might be caused by virus variations and faster than expected weakening of vaccination protection.
One of the thorniest ethical questions is that Covid passport creates inequality between people. Vaccinated get privileges that non-vaccinated are lacking and governments have decided on vaccination priorities. This temporary inequality should and must be tolerated – in travelling as well as other areas of society. The thought that nobody can return to normality before everyone has been vaccinated is not defensible ethically. The liberties of some do not take away from others, though annoyance and even envy is unavoidable. Hopefully only few people and even fewer respectable politicians succumb to such selfish reasoning.
Regulatory decisions and healthcare IT-system developments are in urgent need
Vaccination passport requires the aggregation of complex healthcare data about vaccinations, recovered diseases and covid testing. In most countries this data is not easily available in a centralized usable database but rather distributed in a large volume of separate IT-systems. The integration work is very much the critical path for passport launch.
Covid passport needs to fulfill three critical requirements to be widely and easily usable, well functioning and secure for purpose. First is fast and easy display of results. This can be achieved with a mobile phone application, where the strong authentication of the user is done. When user opens application, authenticates and receives the result on screen, he or she can display it to whomever needs to inspect it. The result is a clear green or red response and includes a QR-code, with which the result can be verified from back-end systems. This enables the fast verification and passthrough of large groups of people – even automated where needed.
The second requirement is the wide usability of Covid passport i.e. federation. There needs to be clear rules on who can issue valid vaccination certificates or covid passports that can be trusted by relying parties. In EU Commission proposal federation is provided by EU, probably building on existing digital identity eIDAS regulations and federation structures. Within a country, government decrees are enough to provide regulatory framework for the data quality and validity of Covid passports.
Third requirement is security, data protection and privacy. Covid passport utilizes highly personal health information, so the application security needs to be high. Strong authentication secures that only rightful owner can use the mobile Covid passport. By displaying the result from mobile screen, the owner can decide to whom and when to display the results whilst simultaneously granting a consent to verify the result if needed. The inspector can read the QR-code with normal reader-device and as a response get the result and necessary minimum information, like first and last name from back-end systems. QR code validity should be limited to 3 minutes, so that it can be pulled on screen in time before control-point. Short expiration time protects from unauthorized verification attempts at other times. The verification possibility protects against fake mobile screenshots. The application itself is protected and the data transport is strongly encrypted in appropriate high-quality security technologies.
Technically Covid passport is a mobile banking app
In front-running countries Covid passport is a high-security mobile application. The functionality and security requirements are the same as what we are used to in mobile banking apps and payments. User is authenticated with biometric credentials and/or with PIN-code. Compared to mobile banking apps, the functionality is very simple and for example QR-codes are already widely used for fast and easy payment authorization in advanced solutions.
Digitally developed countries have a large advantage in issuing Covid passports, if they have a wide existing base of strong digital identities which can be used to securely identify the user during enrolment.
Covid passport functionality and safety can be built into a new application or be brought to an existing app with an automated app update. The benefit of using an existing app is that users do not need to download a new app. But in most cases, it is better to start from a clean slate with a new app. It makes development faster as prior mobile banking app experience can be leveraged and all focus can be on high usability and security of core functionality in first version.
Economically Covid passport could be among the all-time best public investments
In most countries we are discussing a project with Capex and first year Opex in the region of EUR 3-5 million. The fastest route to everyday use is through a government funded project with a consortium of companies that has implemented similar mobile banking projects. Necessary parties in the project are, in addition to government, app developer company, systems integrator, service hosting and licensor of appropriate authentication and security technology.
The biggest challenge to the launch timeline and overall budget is the development and integration of back-end systems – collection of vaccination, disease and test data and development of necessary data interfaces. Passport application can be developed in roughly a month, if the team is experienced in integrating the security technology into mobile banking apps already. Testing and publishing the app takes a few weeks, but with high prioritization probably not more. Wide roll-out happens quickly through Apple and Google app-stores. Identity verification at enrolment can be done either with identity switching from existing digital identities or through electronic ID verification process on mobile app.
The costs are minimal compared to the benefits of faster opening of society, increased tax revenues and improved well being. Economically Covid passport could be the best public investment ever – in addition to vaccinations.
What if you look further afield and raise the bar of ambition?
Covid passport has a wide range of use-cases outside of travel in domestic and foreign services. In cultural and sport events part of the stands can be filled to normal density with Covid passport green lane. Other parts are kept at safety distances for non-vaccinated people. Same principle could be applied in restaurants, hobbies and most other activities that have been subject to Covid limitations.
Return to work in factories and offices is another natural use-case. Vaccinated employees could have f2f meetings at office while the rest are participating remotely through teleconferencing. All these use-cases are enabled with a mobile phone app that combines strong digital identity, easy authentication, high security and back-end integration with health-data IT systems.
In future the same Covid passport app can be expanded with updates to include new functionality like electronic social security card, drivers license or other government digital certificates. Some day, when cross-border cooperation and standardization advances enough, even real passport information could be issued in the same mobile application.
Vaccinations are the primary route out of Covid crisis, but mobile phone passport could support the faster normalization of society. The technology, know-how and experience of this type of mobile apps is well established within selected companies – now we just need to move fast. Only that allows us to lift everyone – individuals, the economy and society – up from the current pothole.
The author is a digital identity multiplayer that has participated in designing, selling and implementing some of some of the most advanced authentication solutions globally.