The looming disaster of immunity passports and digital identity

A digital ID that proves immunity will raise serious human rights issues. And the failure of the digital ID industry to deal with the issues of exclusion, exploitation and discrimination puts the entire industry under question.

Key findings
  • 'Immunity passports' are a theoretical credential - most likely digital - that someone can prove that they have either had the virus and recovered, or have had a vaccination. 
  • Immunity passports are being hyped as a solution to ending lockdowns around the world by actors including the proponents of digital identity; the digital identity industry; think-tanks; and the travel industry.
  • Yet there is currently no scientific basis for these measures, as highlighted by the WHO. The nature of what information would be held on an immunity passport is currently unknown.
  • The social risks of immunity passports are great: it serves as a route to discrimination and exclusion, particularly if the powers to view these passports falls on people's employers, or the police.
  • The digital identity industry - pushing their own products as immunity passport solutions - is failing to protect against these harms: they are interested in building wider digital identity systems, based on their pre-existing models, rather than developing a genuine solution to the risks of these passports.
Long Read

Immunity Passports have become a much hyped tool to cope with this pandemic and the economic crisis. Essentially, with immunity passports those who are 'immune' to the virus would have some kind of certified document - whether physical or digital. This 'passport' would give them rights and privileges that other members of the community do not have.

This is yet another example of a crisis-response that depends on technology, as we saw with contact-tracing apps. And it is also yet another instance of trying to rapidly respond to complex problems, as governments did after 9/11, by reaching for identity systems.

Fundamentally, for identity system design form must follow function. Identity systems are complex systems that can alter the relationship between the individual, the state, and all the companies and agencies who are granted power in between.

Yet proponents of immunity passports do not yet know the extent of the problem they are solving. Companies selling their pre-existing digital identity solutions should be viewed with suspicion; this is not a problem that has been 'solved' as we have yet to define what the problem is.

In fact, the scientific validity/rationale of 'immunity' is still under question. It is premature to start designing a system without a better understanding of immunity. Crucial questions have to be answered first:

  • how and in what ways immunity to the virus is conveyed?
  • what a testing regime would look like? For example, is it home-based or does it require a lab? Is it something that can be rolled out at scale quickly to broad populations or is it only accessible to some?
  • how long does immunity last? and
  • what are the prospects for a vaccine, how long will it last, and how will that be deployed?

Without an understanding of these issues, it is not possible to design a system that both 'works' in terms of giving the information that's needed for public health reasons and for managing the next steps of measures to manage lockdowns including the associated economic and social strains associated, while at the same time protecting fundamental rights.

Once answered, then we will all know what problem the identity system is designed to solve. Without the knowledge of how immunity works, we cannot possibly yet say what the design should be.

And even if that is resolved, the risks to individuals and communities emerging from 'immunity passports' are severe. Below we explore all these issues.

Who is hyping the immunity passport 'solution'?

Travel firms and airports, governments, policy think-tanks, and the digital identity industry.

Here are some instances.

First, the proponents of digital identity as the solution to any problem you care to mention. The Executive Director of ID2020 in a paper entitled "Immunity Certificates: If We Must Have Them, We Must Do It Right", wrote: "With the deployment of immunity certificates systems becoming increasingly likely, we believe there is significant value to proactively exploring the concept and ensuring that adequate safeguards, both technical and regulatory, are implemented should such programs move forward." ID2020 is an alliance of organisations pushing for digital identity - including businesses like Microsoft and biometrics companies, as well as other actors like Accenture, the Rockefeller Foundation, and the vaccine alliance Gavi.

Second, the digital identity industry. The CEO of Yoti, a key digital identity market player, has made the claim that it is "technically simple" to move from their existing work in this area to providing immunity certificates. Yoti have released a 'Code of Practice' for the 'sharing of personal health credentials'. Unsurprisingly, Yoti's own existing app passes their own test with flying colours.

Third, the 'visionaries' are keen to get back into painting a world driven by identification. As Prime Minister of the Great Britain, Tony Blair spent years trying to institute a national identity register, only for it to fail and be destroyed. The Tony Blair Institute for Global Change has continued to push for this issue, taking one of the more extreme positions on immunity passports. They argue that a digital credential should be implemented prior to the development of accurate antibody testing, saying that a digital identity should be rolled-out immediately based on antigen testing, and be ready for if and when antibody testing becomes available. That would mean people could get a credential because they tested positive for the virus, rather than because they have some specific level of antibodies which could create an immune response.

Fourth, the travel industry. The influential airline trade body International Air Transport Association (IATA), does not currently support immunity passports on the basis of the current uncertain medical evidence. However, in their guidance on "Restarting Aviation" they also say that "In principle, we believe that immunity passports could play an important role in further facilitating the restart of air travel... At such time as the medical evidence supports the possibility of an immunity passport, we believe it is essential that a recognised global standard be introduced, and that corresponding documents be made available electronically." The decisions made about the aviation industry affect people even outside of the travel context: for example, the spread of biometrics on identity documents. Any developments in the travel field have to be interrogated for how they will affect the rights of travellers at airports and beyond, as well as the broader societal implications.

Another digital solution to Covid-19?

Digital identity companies are keen to position themselves as key players in the promotion of digital identity to be the 'solution' to effectively managing the easing of lockdown measures and containing the spread of the virus.

There's a good reason they are trying to take advantage of the pandemic. Generally, industry identity solutions have been languishing because they only really prosper when governments mandate them, so we are forced to overlook their inequities and weaknesses.

On the face of it, there's a degree of plausibility for the industry's claims: the focus of much work on identity has been ways for people to show others "verified credentials" - for example, a driving license or university degree issued by a trusted provider. These technologies often allow you to share a single attribute about yourself, rather than a whole identity document; for example, to show you're over 18 without having to reveal your date of birth. In the case of immunity passports, it would - most likely - be a question of having a test result (or, eventually, a vaccination) from a verified lab or provider. Those looking to see the credential would be able to trust that the certificate of 'immunity' was from a trusted source.

These systems often set themselves apart from state systems - like the model of Aadhaar in India, with it's single giant biometric database of over a billion people. However, industry's digital identity solutions are not necessarily any more privacy protecting than government systems, as the case of immunity passports makes stark.

Also, the claim that a test was valid from a trusted source would depend on the deployment of covid immunity testing. The integrity of the testing depends on science, economics, and politics; and the availability of tests will affect public trust and economic and social rights.

So they're selling the idea before they even know how it works

There are significant questions that need to be answered before the any country will be able to safely adopt immunity passports.

What is the current scientific understanding of the nature of immunity? This will shape how immunity passports are designed, implemented and deployed. In turn, it will also inform the risks to individuals, communities and society. The key arising concern is whether the digital identity industry is in a position to mitigate those risks, or will their contributions realise the dangers associated with immunity passports.

The effectiveness of 'immunity passports' has been questioned by leading authorities in health. Indeed, the World Health Organisation (WHO) has been explicit about the current state of evidence: "[Some governments have suggested that the detection of antibodies to the SARS-CoV-2, the virus that causes COVID-19, could serve as the basis for an “immunity passport” or “risk-free certificate” that would enable individuals to travel or to return to work assuming that they are protected against re-infection. There is currently no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection."

Research from Imperial College London highlights the challenges in the testing of antibodies that would lead to 'immunity passports'. For instance, researchers identified that there are dangers present if non-immune people end up receiving a passport. They also noted that some presentations of the disease (for example, young people and those with mild symptoms) might not be able to qualify for a passport. They also reiterate the WHO's point that it remains unknown as to whether the presence of antibodies actually protects people from further infection.

It is also unknown as to how long any immunity actually lasts. Therefore any technical choice, such as immutable ledgers and blockchain would be inappropriate.

These uncertainties and variances makes immunity passports legally dubious. The conclusion of Matrix Chambers, a leading human rights firm in the UK, is that "we have seen no basis on which it could be said that profiling and immunity passports are strictly necessary, appropriate and proportionate to the objective of managing and monitoring the spread of COVID-19".

Even if we buy their hype, immunity passports are dangerous

Immunity passports brings together the worlds of identity and public health. While the goal may be to have an immunity passport system that is available to everyone, in practice this will likely be far from the case.

We've covered previously how patterns of historical exclusion are reflected in identity systems and the modern realities. It would be unprecedented for a combined system for identity and health system to not unfairly target or exclude people.

Health systems already exclude many people, or create unintentional hierarchies in society. Access to testing or a future vaccine will most likely follow the existing patterns of exclusion. Similarly, groups that look to avoid contact with the state will fear the uses to which their data may be put.

Some of these dynamics have already been raised in the tech responses to Covid-19. Concern over mission creep has already cropped up for, and other measures being deployed. In the context of contact-tracing apps, the World Health Organisation has warned that these measures should "not be used punitively or associated with security measures, immigration issues, or other concerns outside the realm of public health. Contact tracing activities should be available to all communities."

And again the chosen form of the identity system will have ramifications. As with contact tracing, some proposed immunity passport solutions are smartphone based, limiting access to only those who have these devices.

There's an increasingly rich body of work investigating the connection of health status to ID, and this urgently needs updating for public responses to Covid-19. For instance, in Kenya, a scheme to link HIV/AIDS treatment to biometrics was stopped by the affected populations out of fear of 'mission creep' - the data used for other purposes - as well as the risks surrounding data breaches. In India, there are reports that some stopped looking for treatment for HIV/AIDS after treatment was linked to the biometric identity system Aadhaar.

Diseases are stigmatising, and we've seen cases around the globe of hate-crime related to Covid-19. As the United National Special Rapporteur on contemporary forms of racism, racial discrimination, xenophobia and related intolerance said, "Political responses to the COVID-19 outbreak that stigmatise, exclude, and make certain populations more vulnerable to violence are inexcusable, unconscionable, and inconsistent with States’ international human rights law obligations."

Then there are the emerging problems once the immunity passport system is deployed. Many dangers arise from the contexts within which proof of immunity status may be demanded. Key questions include:

  • Will it be required prior to economic participation, such as to work or enter shops?
  • Will people be stopped from doing something unless they can show their credential because it is a symbol of economic viability, e.g. from renting or loans?
  • Will people need to show their valid status in order to emerge, and in that case will enforcement involve showing your status to police at checkpoints? And
  • Will it become necessary for travel or passing through borders, and if so, which credentials and claims will be acceptable across borders?

Previously when identity systems were identified as solutions, few proponents considered these questions; and often they were counter-balanced with fear of terrorism or migration. If we build this new infrastructure, the inequities that will arise will shape societies for some time to come.

For instance, the Tony Blair Institute for Global Change states that "private office buildings should have the right to require all staff to present a credential on entry". For those working in industries where it is not possible to 'work from home' - or those whose bosses don't offer that solution - then this is essentially saying that people would need an immunity passport in order to continue to be employed. Given that they also note "trains could operate at maximum capacity if these checks were in place", we are also talking about limiting the ability of people to travel to work - again, excluding people from employment.

The powers of the police, and the security services, in regard to this is an important area of concern. OnFido, an aspiring provide of immunity passports, has stated in internal documents that an immunity passport must be “recognisable to law enforcement and other agencies”. But the exact powers of the police in this need careful consideration: we already know that police enforcing the lockdown are far more likely to fine BAME people than white people. Immunity passports could give the police and security services more powers to not only know information about our health, but also to stop people and demand proof of immunity -- in certain situations.

Policies that require people to show their status have left many broken lives behind. Whether it is Kenyan ethnic minority populations, the Windrush generation in Britain, or migrants in Chile, the damage identity policies have done should teach us important lessons about what to avoid when turning our attention to immunity passports. For example, demanding people show proof of entitlement to healthcare primarily effects those people who 'look foreign' as reported by frontline organisations working on migrants' rights to public services. Access to employment, health, and even access to public space could all be restricted, deepening the exclusion of disadvantaged groups.

Are we building an unprecedentedly fair identity system for Covid?

There's a litany of failed or discriminatory government ID initiatives across the world. But the question remains: can the 'digital identity industry' - the commercial players, and the proponents - lead to systems that are 'fit for purpose'?

Looking at the proposed solutions from companies and organisations that include OnFido, ID2020, Yoti, self-sovereign identity solutions and others, as well as the state of the industry more generally: do they provide a genuine solution? Do they provide the technical basis of an immunity passport system that will mitigate the deep societal harms that they risk?

No. And, no.

Actually, the answer is worse than 'no': it is not only that digital identity systems are failing to mitigate the harms, they are themselves the mechanism by which these harms occur. And as we explore below, fixing these problems would require extraordinary measures.

  1. The perverse approach where the goal is the spread of digital identity

The digital identity components of an immunity passport is a means, not an end in itself. The goal of the immunity passport has to be its role in public health and the easing of restrictions surrounding the lockdown; its goal should not be the spread of 'digital identity'. That would be using the pandemic, and the deaths of hundreds of thousands of people across the world, to achieve an unrelated self-promotional goal.

It may be difficult to believe that an organisation would behave in this way, but there is precedent for some actors in the digital identity industry to see public health as a way of pushing for digital identities. For example, in September 2019 the ID2020 Alliance in Bangladesh explicitly tried to exploit vaccination programmes to advance their work: "Recognizing the opportunity for immunisation to serve as a platform for digital identity, this program leverages existing vaccination and birth registration operations to offer newborns a persistent and portable biometrically-linked digital identity." Leveraging essential public health work on vaccination to achieve the goal of taking the biometrics of people and rolling out digital identities is unacceptable. The resignation of one of ID2020's advisors, Elizabeth Renieris, has highlighted that this remains of deep concern at the time of Covid-19: as she wrote in her resignation letter: "“At this stage, I can no longer even describe what ID2020’s mission is with any confidence....All I can perceive is a desire to promote decentralized identity solutions at all costs.”

It is clear that this industry needs to be closely audited and monitored.

  1. The routes to exclusion based on digital identity are many.

The proposed solutions are failing to deal with the diverse issues surrounding exclusion. One of the options under consideration in the UK from OnFido reportedly involves a smartphone app, and requires the user to have an identity document (presumably, a passport or driving license.) This leads to multiple routes for exclusion. Not everyone has a passport, or a valid passport; and obtaining or renewing a passport in order to get an identity for a smartphone-based app identity seems like it is confounding many challenges.

Then there's the question of addressing those who don't have the right kind of phones. For example, ID2020 proposes a 'smartcard' for those who don't have a smartphone - essentially calling for an ID card for those without a smartphone.

Having what amounts to an ID card only for those who can't afford an expensive electronic device borders on the absurd. Firstly, it does nothing to solve other forms of exclusion - for example for those without access to other identity documents. Secondly, as we have argued for over twenty years, having a physical card is hardly a route to inclusion particularly when it is a stigmatising card for those who cannot afford a phone.

For this to work, dependencies on foundational documents couldn't be made to disadvantage people; and emerging identity infrastructure would have to be monitored and audited to ensure that exclusion doesn't arise. This type of work is unprecedented.

  1. Solutions based on consent are not appropriate for this purpose.

Many of the digital identity solutions (including from startups, those promoted by [ID2020] (https://id2020.org/uploads/files/Technical-Requirements.pdf); and 'self-sovereign identities') are based on the idea that you are enabled to share and capable of sharing specific pieces of information with who you like, when you like. For example, using digital identity solutions you may share the fact you're over 18 but not your date of birth. However, this ignores the reality - identity transactions often have a power asymmetry. Do you really have a choice about what data to hand over to who when your employer is demanding to see your immunity papers? When access to goods, services, employment, travel, or any other vital part of life, is predicated on handing over data who is in a position to say no?

The case of "immunity passports" highlights how consent-based approaches are limited, and do not protect the individual or society from the harms of inappropriate 'immunity passport' checks. When our entire economic life is hinging on immunity, being able to choose and consent is a wilting right, that will disappear the moment it becomes important and valuable.

For this to work, the laws and realities around immunity passports would have to be closely monitored and audited, across the world -- this is currently beyond the means of any set of actors.

  1. Exploitation of data and identities The other problem is what digital identity companies do with the data that they collect in the course of their business of providing identity services. For example, our work on one digital identity provider, Yoti, revealed how they are exploiting the images of people during their biometric enrolment, along with data from their uploaded identity documents. The opportunities for exploitation of user data in this way are huge, and potentially lucrative.

The industry is trying to show they are learning. For instance, Yoti's Code of Practice on the use of health data in a Yoti-like system prohibits the use of the data for advertising; but does not seem to prevent further abuses of the kind that Yoti have perpetrated in the past.

Data exploitation is common within smartphone apps. Even when we reviewed the UK government's Covid-19 contact-tracing app we found that it was leaking data to Microsoft. Our prior research found that many of the most popular apps were leaking data to Facebook.

For people to be protected, these apps in all the various settings would need to be audited and regularly monitored to ensure they aren't leaking data.

  1. Function creep: Sleepwalking into a permanent solution

Rather than meeting the specific needs of an immunity passport system - whatever they turn out to be - what the digital identity industry is offering instead are digital identity solutions that go far beyond these needs. For example, Yoti is presenting it's pre-existing app as the answer to these issues; similarly, ID2020 has its own pre-existing set of technical standards.

The danger emerging from this is that, if we had a immunity passport system that is being used by a significant proportion of the population, after the crisis - it becomes a more general digital identity for people, by default and through inertia.

But that would be dangerous: the middle of a crisis is not the time for the necessary processes of deliberation and debate, policy and regulatory scrutiny, civil society and public participation, and careful establishment of system specifications and requirements.

In some countries, it can undermine the democratic processes for deciding the future of digital identity. In the UK, for instance, there is ongoing work by the Department of Digital, Media, Culture and Sport on what the future of digital identity will look like, with a consultation taking place last year. With the process on hold as many civil servants have been reassigned to the coronavirus response, it is vital that the process of debate and consultation continue. Otherwise, we risk sleep-walking into a solution that lacks the necessary checks and balances. We've seen this during Covid-19 with national, centralised identity projects: the Jamaican government, for instance, has expressed the need to roll-out their ID scheme as a matter of urgency, despite it being found to be unconstitutional in April last year.

For this to work fairly, immunity passport infrastructure would have to be dismantled as soon as its mission is complete, i.e. at the end of this pandemic. It would be practically unprecedented for an identity system to be dismantled. Instead, the tendency would be for it to be turned into a more general 'digital identity'.

Conclusion: Coronavirus and the future of digital identity

Digital identity and immunity passports seem like a natural fit, and part of a comprehensive response to this pandemic.

We are all unprepared to do what it takes to make this work, however, without extensive abuses arising. In fact, digital identity may actually extend the risks of societal harms that come along with immunity passports. The push for their pre-existing solutions reveals an industry interested in pushing their own agenda, rather than a solution to the crisis.

We should also take note of what this failure of the industry means for digital identity in the longer-term: it is, after all, not only immunity passports that can be misused. The issues of immunity passports reflect the issues with digital identity more generally. The failings on immunity passports are failings that run deep in our current digital identity landscape.

Moving forward, it is clear that - at the moment - immunity passports do not meet the necessary and proportionate test. As our understanding of the nature of immunity changes, this may change - but only for a very limited number of use-cases, and even these need careful consideration. It is a deeply challenging area, and it may very well become the case that there are no use-cases where the benefits outweigh the harms. These decisions have to be primarily made in the interests of the most vulnerable members of society: those who are worst-hit by the pandemic and who look likely to be worse-served by an immunity passport solution.

But we must also remember this moment when we look towards the future of digital identity more generally: we were let down. There needs to be a new approach going forward, one that emphasises how the harms caused by digital identity can be mitigated The most important message for the industry is, perhaps, that you don't have to provide a solution to every conceivable use-case for identity. This pandemic should form a check on the hubris of the digital identity industry.

Recommendations

Governments

  • Decision-making around immunity passports must follow and respect the current epidemiological evidence on immunity and the Coronavirus/Covid-19.
  • Immunity passports should be withdrawn and the policy and tech infrastructure removed after the pandemic.
  • Any decision to deploy immunity passports must clearly articulate the scope and purpose in primary legislation to ensure the process is subject to open, inclusive process.
  • The processing of personal data associated with immunity passports must align with national and international obligations on data protection and the right to privacy and uphold data protection principles of fairness, transparency and lawfulness, purpose specification, minimisation (necessity and proportionality), accuracy, storage limitation, and confidentiality and integrity.
  • Consideration must be given to other types of harms and threats including exclusion and discrimination as well as targeting and profiling, and meaningful safeguards, monitoring, and auditing are established.
  • The uses of immunity passports must be clearly articulated, and they must be firewalled from being used for other purposes.
  • The design and tendering process must be open and transparent to public scrutiny.
  • Measures must be taken to prevent immunity passports becoming the foundation for longer term digital identity systems.
  • To ensure against abuse, targeting, and exclusion, the use of foundation identity documents for immunity passports must be avoided.

Private sector

  • Industry must commit to not be leveraging an immunity passport to broader digital identity solutions, to promote their own services and products.
  • Industry must commit to not deploy any technological solution until it is supported by the epidemiological evidence.
  • The development of new models of digital identity must be separated from immunity passports.

International bodies, alliances and think-tanks

  • Organisations working on global health such as the WHO must continue to provide advice on the topic of immunity, as well as being conscious of the deep human rights impacts of these types of measures.
  • Organisations and alliances working on the essential work of vaccines should not also be proponents of digital identities.
  • More research is required on the exclusion and targeting of populations in public health and in identity systems and their overlaps.