1/ A few thoughts on Covid vaccine "passports." Starting with the use case, moving quickly to the tech and privacy.
2/ I'm not super optimistic that we'll hit herd immunity this year in the US. Too much vaccine hesitancy, not enough time to approve for and innoculate kids. So I suspect we'll still see small or medium outbreaks through end of this year.
3/ it seems thus pretty clear that businesses will seek some form of proof of vaccination, at least from employees, possibly from customers depending on the setting.
4/ we could debate ethics till the cows come home. My guess is it will happen regardless, and it's not unreasonable for organizations to want to protect their employees and customers -- cause remember no vaccine is 100% effective, so just being vaccinated yourself isn't enough.
5/ ok, so if it happens, then how should it happen? Let's assume we have reasonable source data from pharmacies, hospitals, and large vaccination sites.
We have to consider privacy and equity.
We have to consider privacy and equity.
6/ equity: it must be easy for anyone to get one. Requiring a smartphone feels like too high a bar, considering not just whether folks have them, but also whether they know how to install an app, load vaccine passport, etc. Just not ok to exclude those who can't do that.
7/ privacy: it would be a real shame if a vaccine passport system allowed the collection of surveillance type data on folks. So phoning home on every access is not okay.
8/ simplicity: no we really don't need blockchain. I can expand on this if you really want to, but trust me, you don't need blockchain.
9/ I kinda like the SMART health cards proposal (disclaimer: I was one of the original folks on the SMART health team a decade ago, but this latest work is not mine, I deserve no credit, and I have no stake in it).
smarthealth.cards
smarthealth.cards
10/ bottom line: the SMART health card vaccine passport is a QR code that contains a signed JSON data structure listing covid vaccination events tied to a name and date of birth. The issuer of this signed structure is identified by a URL, e.g. example-pharmacy.com
11/ the public key against which to verify the signed JSON is available at the URL, and of course there needs to be a trusted list of covid vaccine data issuers, it can't just be your personal website.
12/ the employer / business / whoever is checking the passport may want to match the name against an ID, like a driver's license. Some possible equity issues there, but probably necessary and acceptable.
13/ QR code means it can be printed and carried as a physical card by anyone, with or without a cell phone. Good for equity.
14/ static code will make some people nervous, because unique identifier that could be used for tracking. Some will want selective disclosure and fancy cryptography. I don't think that can be made equitable as it will require a smart phone. It's also pretty complex. So, no.
15/ on privacy, though, this is still pretty good: no phoning home for every access, can be done all offline if all public keys are pre-downloaded.
16/ if SMART health cards move forward, one recommendation I would make is to develop open-source iOS and Android apps for checking those QR codes without logging or exposing the full signature to the app, thus making it easy for businesses to do the right thing.
17/ I also think it might be necessary to shrink that QR code (it's pretty big right now), by shrinking the JSON payload. This sounds like a nit, but if we want this to fit on a business card, it may be necessary.
18/ anyhow, all in all, pretty impressed with the careful pragmatism of SMART health cards. I'd gladly carry one and use it. Right tradeoffs, can be deployed pretty quickly.
19/ oh one more thing: this won't be super foolproof, I can imagine a small number of folks getting vaccine passports they shouldn't have. As long as that's a relatively small number, that's okay. We're not looking for perfection, cause even vaccines aren't perfect.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
