Demystifying vaccine passes and the privacy challenge

IBM is one of the leading technology developers in the vaccine passes space. Prior to the pandemic, the technology company had been researching identity verification and had started developing the technology for their Excelsior Pass, now trialling in New York to provide businesses with digital proof of negative test results and vaccinations.

At the end of March it was announced by German press that a consortium led by IBM had secured a digital health pass contact, as well as blockchain cyber firm, Ubirch. Chancellor Angela Merkel has since stated that passes in Germany will be available before the summer.

Talking to Eric Piscini, VP of blockchain at IBM, it’s clear that widespread adoption of vaccine or health passes is underway, but it is still in its infancy and many logistical issues surrounding how it will be adopted remain. 

“Technology is a springboard and an enabler, but it’s not going to fix the issue,” says Piscini who will speak on the topic of digital transformation at PrivSec Global next month. Instead, he says it’s less about the technology itself and more about how the technology can and should be used that is important.

“Despite the fact that I’ve been in the blockchain space for eight years now, I feel like we shouldn’t talk too much about the technology underneath […] I think what we need to focus on is the way we’re going to use those platforms.”

He adds, “We already have the technology that we need today to deliver privacy protection, accessible, open and secure platforms for everybody who wants to participate in a credential solution to import medical data – not just vaccine data, but any kind of medical information onto my space, onto my phone, and be able to share that information with consent with the right third parties,” he says. 

He says blockchain is a great option for technology that delivers on privacy protection, which is currently used in IBM’s Digital Health Pass. But he adds, “I’m not looking at it from a technology point of view, as much as I’m looking at it from an adoption point of view.”

What’s missing, says Piscini, is basic education on why platforms such as vaccine pass apps are useful and meaningful, in which context, and to what extent they protect privacy.

As an example, he refers to the implementation of the vaccine pass in New York, which caused hesitation from its citizens. “More of the population said that they didn’t want the state to know whether they had been vaccinated or not because that’s ‘big brother’,” he said.

“We need the community around privacy and security to help us continue to improve the standards”

But what the people of New York didn’t know is that a regulation was passed 25 years ago that allowed for the collection of data on vaccinated people in the US. He says, “I think what’s interesting here is that people make assumptions because they don’t have the context and information.”

The biggest misconception, he says, is around how data is protected and stored in vaccine passes, and what’s different with the solution. “The answer to the question is, nothing changes,” he says.

“We actually don’t talk about passports because passports are the wrong connotation. You import your health information, so it’s a piece of health ground and you create a path that lets you engage with someone else.”

“Your data is today where it was before –  with your doctor and with your insurance company, with the organisation giving you the vaccine. The only difference now is that you can get this information and move it into your phone. And it’s only on your phone, accessible by you.” 

Additionally, he says, the data remains private from tech companies like IBM and Apple.

But other than misconceptions surrounding data privacy, legislation, particularly in the US, is fragmented when it comes to allowing or disallowing vaccine passes.

“You have governors saying passes are illegal, but then you have counties in the same states saying they are not illegal. […] Then an organisation says it will require people to demonstrate their vaccination status before they board the plane. How do we reconcile those three things that are sitting in the same jurisdiction? I don’t think we have an answer. That’s very, very fragmented.”

When asked about the accuracy of the implementation of vaccine passes in Europe before summer, Piscini says:

“You have to assume that’s what we hear as well. We are part of some of the distributions and we hear that in August, they should have what we call the EU gateway, up and running. That would be a mechanism where you will be able to interrogate the countries of the European Union, you will be able to interrogate a country to verify that someone has been actually vaccinated. 

“What we don’t know is how many countries are going to join that gateway and adopt that and expose their information to the gateway for everybody else to use. We don’t know how long it’s going to take to get there.”

Moving forward, Piscini has his own questions remaining, specifically, how do we make sure that these platforms are not just a flash in the pan and disappear at the end of the crisis? 

He says, “We need the community around privacy and security to help us continue to improve the standards, the technology behind it long term, it’s a long journey – it’s not a pandemic.