Digital vaccine passports: how blockchain and QR codes can revive international travel if regulation can catch up
- To jump-start travel after the pandemic, a number of digital health passes – sometimes called vaccine passports – are now emerging around the world
- Cryptographic technologies, such as digital signatures and blockchain, are being used to ensure that health records are authentic, secure and private
Before the Covid-19 pandemic forced countries to close their borders, Peggy Chung was a frequent traveller. The 52-year-old Hong Kong-based food merchant travelled within Asia regularly and sometimes to Europe and South America to meet clients.
While the pandemic has not had a seismic impact on her business, her life is not as exciting as it used to be. “[It has been] very boring,” Chung said. “I used to have fun meeting my clients, but now I’m just stuck at home.”
A number of digital health passes – sometimes called vaccine passports – are now emerging around the world to help people like Peggy Chung return to her days as a global trotter and bring the world closer to the pre-Covid-19 days when travel was regular and essential.
Worldwide, the UN World Tourism Organization called 2020 the “worst year in tourism history,” with international tourist arrivals dropping by 1 billion, representing an estimated loss in business of US$1.3 trillion.
Last year, Hong Kong recorded only 3.5 million visitor arrivals, a 94 per cent drop from two years ago in 2018, when the city received a record high of 65.1 million tourists, according to figures released by the Hong Kong Tourism Commission. In the first five months of 2020, the occupancy rate of hotels in Hong Kong was 38 per cent, 52 percentage points lower than the same period in 2019.
If the world economy is to get back into shape, it needs travel. But such a restart is challenging given a situation in which a multitude of government departments and organisations from different countries are issuing documents in different languages based on different standards on pieces of paper that are easily forged.
In April, when the Hong Kong government arranged two special flights to bring back residents stranded in the UK, it took six to seven hours to process each of the 300-passenger flights, according to Vivian Lo, general manager for customer experience and design at Cathay Pacific.
By using a QR code displayed on a mobile phone, the passes are designed to be quick and easy to use. They also utilise cryptographic technologies, such as digital signatures and blockchain, to ensure that a user’s health records are not only authentic, but also secure and private.
Whatever form a digital vaccine passport takes, it is “absolutely essential” that it can guarantee the validity of a person’s records, said Dimitris Papadopoulos, assistant professor at the Computer Science and Engineering Department of the Hong Kong University of Science and Technology.
“It must be impossible for some malicious actor to create fake vaccine records or test results that pass the verification requirements,” he said. “Thankfully, cryptography offers many solutions that can help to achieve this goal, such as digital certificates and cryptographic signatures.”
A digital vaccine passport that uses cryptographic signatures would allow local regulators to issue digital certificates to vaccination centres, hospitals and testing labs, explained professor Papadopoulos. Each certificate would have a corresponding secret cryptographic key that can be used to sign digital records produced by these authorised health institutions.
When a person is vaccinated or tested, the authorised health institution will then sign the individual’s result with the secret key, with the results then being translated into a digital record, he said. Finally, when individuals use the digital record to travel or to enter certain venues, checkpoints will have a list of the authorised health institutions and will be able to check the validity of an individual’s digital record.
“At its core, the process is not entirely unlike what has been used for several years now to secure our web browsing and online transactions,” Papadopoulos said. “The same digital signature technology that has long been used to protect our online banking transactions can be used to ensure the records in a digital vaccine passport are tamper-proof.”
The Hong Kong government, for example, is working towards adopting CommonPass, a digital vaccine passport solution developed by The Commons Project. CommonPass, an app that is available on both iOS and Android, will allow users to access their vaccination records or test results from their local testing and vaccination providers, and generate a QR code certificate that can be acknowledged by the destinations a user visits, without revealing any private health information.
While there is not a clear timeline yet for when Hong Kong people will be able to use CommonPass for international travel, the app is expected to be deployed for the Hong Kong Singapore travel bubble when it resumes. Travellers will then be able to pull in their vaccination and testing records from iAM Smart, a government app launched in December that currently allows residents access to a range of public services online.
The Medoxie Covid-19 Digital Health Passport, also known as a Covid-19 Data Wallet, serves as another example. Announced earlier this month by the Chinese University of Hong Kong (CUHK), along with its technology partner and US Ethereum blockchain development company ConsenSys, who built the platform, users can log into the app and store their Private Health Information (PHI) on the passport.
The user’s PHI involves Covid test results, validated proof of vaccination status, antibody blood test results and temperature checks. Other Medoxie members can only access this data by scanning a QR code – the user’s public key – provided only that the user has given their explicit consent on the app.
After scanning, the information disappears as soon as the other device is used for anything else, revoking user data and preserving privacy.
“What we’ve written into our blockchain solution is something called an open authorship, so it means that the person that actually validated and wrote the data onto the blockchain is also recorded at the same time,” said Dr. Mårten Erik Brelén, the research project’s principal investigator and associate professor in the Department of Ophthalmology and Visual Sciences at CUHK, citing doctors, nurses and lab technicians as examples of transparent authors.
Dr. Brelén said that the decentralised nature of blockchain technology enables the Medoxie Passport to use a peer-to-peer network, which reduces the possibility of hacking, since there is no central storage for hackers to target when the data are encrypted and stored in the passport’s nodes.
The Medoxie app has been in clinical trials and beta testing since early June at the CUHK Medical Centre with 30 patients already onboarded. Based on the speed of onboarding, Dr Brelén says that they could be ready to roll out Medoxie by the end of July, but he cautions that it is “by no means at all meant to replace the systems that have been put in place by the Department of Health”.
Meanwhile, many other digital vaccine passport providers are using blockchain to ensure that Covid-19 health records are secure, private and tamper-proof. IBM worked with the state of New York in the US to launch the state’s Excelsior Pass, based on the company’s Digital Health Pass. International Air Transport Association (IATA), the international airline trade association, is testing its TravelPass with select airlines.
The European Union’s version, named the EU Digital Covid Certificate, went live in seven European countries earlier this month. In March, the Chinese government launched an “International Travel Health Certificate” for citizens to use later for international travel, but it still needs to be recognised by other countries before it can be deployed.
While cryptographic technology makes it possible for digital vaccine passports to ensure security and privacy and to offer a friendly user experience, experts say that regulatory difficulties still lie ahead with policies and rules differing across countries.
“For example, consider an individual travelling between two countries with different laws and policies regarding what digital passports they accept,” Papadopoulos said. “Complex scenarios like this with problems that transcend national borders require careful proactive handling by governments and regulators and potential collaboration at an international level.”
“The reason countries had to shut down was due to exactly the same problem – there is no trust nor Covid-related data interoperability between countries,” said Jennifer Zhu Scott, executive chairman at The Commons Project, a global non-profit organisation supported by the Rockefeller Foundation.
Globally, CommonPass is in discussion or collaboration with more than 30 governments around the world, The Commons Project’s Zhu Scott told the Post. They are part of what the project calls their CommonTrust Network, which also includes testing service providers and vaccination providers from around the world, airlines, and technology firms that help participating health organisations issue digital certificates to users and comply with applicable standards.
However, regulatory hurdles remain a “minefield”, according to Dr. Brelén, due to “traditional central legacy storage solutions of private health information.”
“There’s very little guidance on how to implement blockchain technology to store sensitive data like PHI,” Dr. Brelén said.