Europe’s rush for a COVID-19 ‘digital pass’ stirs concerns

More details have emerged today about the European Commission’s legislative proposal for a pan-EU ‘digital green pass’ to show verified COVID-19 status. The plan is controversial from a human rights and civil liberties perspective, given the clear risk of discrimination. But privacy and security experts are also raising concerns about the technology architecture that will underpin the system — which has yet to detailed in full.

“The proposal does not yet meet the requirements of data protection and protection against discrimination,” said German Pirate MEP Patrick Breyer in a statement today. “It does not ensure that the digital variant of the certificate is stored decentrally on devices of the person concerned and not in a central vaccination register.”

The European Union’s intention for COVID-19 vaccine passports — or rather what it’s branded a “digital green pass” or a “digital COVID-19 certificate” — will show whether the holder has been vaccinated against COVID-19 or had a recent negative test or if they have recovered from the disease and have antibodies, Commission president, Ursula von der Leyen, said today during a press briefing to give more details of its legislative proposal for the “common instrument”.

“The certificate will make sure that the results of what it shows — the minimum set of data — are mutually recognized in every Member State,” she also said, adding that the aim for the system is to help Member States reinstate freedom of movement “in a safe, responsible and trusted manner”.

Justice commissioner Didier Reynders said the intention is for every EU citizen to be able to receive the certificate free of charge and ask other Member States to accept it. He said the Commission will largely not be regulating use of the pass. Rather it will be up to Member States to set specific requirements related to the common instrument.

He gave the example of a European country being able to specify that they would accept a vaccination status of a person who has had a vaccine that’s not yet been approved for use in the EU, for example. But Reynders said the Commission will be obliging Member States to accept pass holders who have been vaccinated with an EMA approved vaccine.

The Commission wants the system to be ready to use “before the summer”, he also said. However that timeline looks incredibly ambitious for what is a complex technical project that involves sensitive personal data being used for a purpose which is inherently controversial, given the clear risk of COVID-19 status being used to discriminate or unfairly infringe on individuals’ civil liberties.

The digital certificates being ready means not only the Commission implementing/procuring any central components and ensuring Member States implement the necessary technical pieces at a national level for the system to work as intended but also getting the required legislation approved by the EU Council and Parliament — and doing all that “maybe” as early as June, per Reynders.

Asked during the press briefing if there was a ‘plan b’, given how ambitious the questioner suggested the Commission’s plan is, he said there is no other plan — as the only plan is to avoid fragmentation by implementing a common instrument to prevent Member States making unilateral choices over COVID-19 at their borders.

Still, the proposal currently leaves room for European countries to apply different rules, according to Breyer — who has also warned it could lead to discrimination by allowing freedom of travel to be linked purely to vaccination if Member States choose not allow negative tests to be accepted as an alternative, for example. “This needs to be improved,” the MEP suggested today.

“On the other hand, I welcome the fact that the retention of medical information after showing the certificate is excluded,” he added.

EU lawmakers avoided too much discussion of what Member States might do with the common tool but they confirmed the digital pass would be available in both a paper and digital form (although, again, Breyer expressed concern counties may choose not to implement the paper form, thereby discriminating against those who do not have access to a smartphone).

Reynders also confirmed the digital pass would incorporate a QR code to verify what’s on the certificate and check if it’s validated.

The Commission scheme shares at least one component with a system that was recently reported by Spiegel as under procurement in Germany — which it said involves QR codes but also blockchain technology (with IBM and a local company called Ubirch winning the tender) — and which is intended to be compatible with the EU’s digital pass requirements.

There was no mention of blockchain during today’s Commission press briefing. Internal market commissioner Thierry Breton said only that the technical solution “is also part of trust”.

“That’s why we have worked with Member States so that we are now all together on the same page. We share exactly the same technology,” he went on, adding: “We keep of course the GDPR at very high level. We will not exchange data and the good news is that all Member States have shared this view now. And this is extremely important because of course trust is also when you will move from one country to the other one that everybody will know just with a QR code you will know what is on your certificate and if it is validated.”

Asked after the briefing whether or not the pan-EU system will incorporate blockchain components a Commission spokesman sidestepped the question, saying only: “The gateway will link the national public key directories for the signature keys.”

“We cannot yet tell you who will implement this technically,” he added.

The spokesman went on to say that the “trust framework” (provided for by article 4 of the draft regulation) will be developed by the Commission “based on the outline on which Member States agreed in the eHealth Network on Friday” — referring to the voluntary network of Member State representatives which was established by EU directive in 2011 to facilitate cross-border data sharing for an e-health purpose.

On a related webpage the Commission also writes: “The eHealth Network has published an outline of the trust framework needed for [e]stablishing the Digital Green Certificate infrastructure, and continues to develop mechanisms for the mutual recognition and interoperability of vaccination, test and recovery certificates.”

“Further work is being conducted by the eHealth Network in collaboration with EU agencies, the Health Security Committee, the World Health Organization and other institutions,” it adds there.

The eHealth Network’s current outline for the “trust framework for the interoperability of health certificates” is available here — as a 16-page PDF (v.1.0, dating from March 12, 2021).

The document discusses some design choices and intended outcomes but does not provide details of the chosen technical solutions as decisions appear to have not yet been taken — despite the Commission’s goal of the whole thing being wrapped up and ready to run in a little over two months’ time.

Pressure from southern European nations worried about the impact of the coronavirus on heavily tourism-dependent economies is one driving force for the Commission to scramble to roll out a common approach for mutual recognition of vaccination documentation. Although fear of fragmentation of the bloc’s Single Market is likely the bigger accelerant for the Commission. (It’s notable, for instance, that other Member States, including France and Germany, have previously expressed concerns over linking the right to travel to a pass. So how ‘on the same page’ European countries are on this issue looks debatable.)

Also questionable is how trusted the technical underpinnings of the digital pass will be — as plenty of detail is still to be confirmed.

In the eHealth Network’s outline, a section on “data security by design and default”, for example, asserts that the trust framework “should by design and default ensure the security and the privacy of data in the compliant implementations of digital vaccination certificate systems, ensuring both security and privacy” — but it does not explain how this will be achieved.

“The design should prevent the collection of identifiers or other similar data which might be cross-referenced with other data and re-used for tracking (‘Unlinkability’),” it goes on before adding: “Further discussions are needed as to the technological aspects and timeline for the incorporation of these features in the trust framework.”

Another section offering an “overall description” notes that the EU trust framework is designed to be “largely decentralised”. However it confirms there will be “some centralised elements”: Namely “roots of trust” stored in a common directory/gateway (aka “EU Public Key Directory/Gateway”), and the “Governance model” — raising core questions of trust over those key elements. 

On the EU Public Key Directory the document envisages the gateway “shall be provided by a public sector body, such as the European Commission”. But evidently there’s still room for alternative bodies to take on that role.

Elsewhere, the outline confirms that offline verification will involve the use of 2D barcodes containing a digital signature used in conjunction with dedicated verification software that will periodically fetch verified public keys. While it states that online verification “will rely on the UVCI [Unique Vaccination Certificate/assertion Identifier] and it will be incorporated in the next version of the specifications (V2)”.

A section on presentation formats confirms that 2D barcodes will be used — but also raises the possibility of “W3C Verifiable Credentials” being utilized, stating only that a decision “will be made later”.

Harry Halpin, a CEO and research scientist (and formerly a staff member at the W3C) — who has been critical of the lack of openness around the technical design of the Commission’s digital green pass, and who presented a paper last year critiquing immunity passport schemes that involved what he describes as “a stack of little-known standards, such as Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) from the World Wide Web Consortium (W3C)” — is concerned the Commission is considering incorporating what his paper describes as “questionable use of blockchain technology” into the digital green pass.

He argues that use of W3C Verifiable Credentials in immunity passports would be dangerous to privacy and security.

“Technologically there’s ways to prove test results digitally without involving any global identity at all,” he told us. “If you really just want to prove with medical authenticity that I have ‘A attribute’ — where this attribute is I have negative COVID-19 test in the last 72 hours or I’ve been immunized with a vaccine in the last year, whatever it is that you want to prove, there’s another form of identity… called attribute-based credentials. Which is a perfectly fine way to do it. Attribute-based credentials just prove attributes without revealing identity. You don’t need a global identity for any of these use-cases.”

“Maybe the metaphysical angle is that because of corona all my previously private health data should now be public but then just come out and say that — don’t hide it behind some blockchain nonsense,” he added.

Discussing the eHealth Network’s outline, security and privacy researcher Dr Lukasz Olejnik — who has also written about the privacy risks and wider ramifications of vaccine passports — said the document raises some questions such as who will be the source of trust and whether there’s a risk of function creep related to the proposed design.

“This technical document confirms that the user’s ID will be bound to the certificate. This may mean that the passport would mediate a proof of ID,” he told TechCrunch. “Considering today’s proposal of a regulation it is pertinent to wonder whether a function-creep-like expansion couldn’t lead to these passports becoming actual proofs of identity in the future.

“Other than that, the eHealth document is descriptive but contains no details as to the future solution. The source of trust in this system will be the key problem of interest,” Olejnik added. “It seems that we will need to wait longer for the details.”

During today’s briefing Reynders raised the spectre of future expansion from another angle — saying that while the digital pass would be a “temporary” instrument, and the legislation would provide for the system to be “suspended” at the end of the pandemic, it would also bake in the possibility of re-activation at a later point if necessary, such as in the event of another pandemic.

“We have the possibility to suspend the certificate when the WHO declares the pandemic over. So this is dedicated to COVID-19,” he said. “I’m saying ‘suspend’ but through a delegated act and with the European Parliament we could use this instrument if there were another pandemic. But basically we’re talking about a temporary solution with the Member States and with the European Parliament.”

“We don’t want to prolong that,” he added. “When it will be possible for the World Health Organization to say that we are at the end of the pandemic we’ll stop with such an instrument. And of course we are just thinking about the possibility to reactivate the instrument later — but I’m not hoping that — if we have a new pandemic in the future. But that will be with a dedicated act — always with the Parliament involved in the process.”

On the issue of function creep, Reynders conceded that European countries might seek to use the digital pass for other purposes, i.e. outside the Commission’s target of facilitating the free movement of EU people.

But he suggested it’s no different to Member States requiring masks be worn or a rapid test taken as they may already do in certain situations — while emphasizing any such uses would need to comply with wider EU laws and fundamental rights.  

“If there are other uses well it’s already the case you can perhaps use other things like masks that are also imposed. There are also test, self tests which are used by people. But if we go into using the certificate in other ways we have to see if that use is necessary proportional and non discriminatory and also compatible with EU legislation,” he said.

“Of course we will examine the situation on a case by case basis but I don’t think we necessarily need to draw a distinction between the certificate and other measures for example rapid antigen tests, masks and so forth. These are other tools that have been used… We need to make sure that any further use is proportional and non-discriminatory and obviously in line with the rules on free movement.” 

The EU’s digital COVID-19 pass has been in the active mix since January when the Commission said it was pushing for “an appropriate trust framework” to be agreed upon by the end of the month “to allow member states’ certificates to be rapidly useable in health systems across the EU and beyond.”

It followed up earlier this month when it announced it was coming with a legislative plan for the pass, emphasizing its hopes of facilitating safe cross-border travel this summer. Albeit, those hopes look more fragile now — given the slow pace of the EU’s vaccine rollout in the first quarter.

The Commission president also warned today that some Member States are on the cusp of a third wave of COVID-19.

The EU executive’s plan to speed full-steam ahead with a digital pass to verify COVID-19 status remains controversial — not least in light of the still highly limited access to vaccinations across the bloc which only underlines the risks of the tool being unfairly applied.

Civil liberties concerns can’t be disconnected from ‘vaccine passports’. Nor will they be swept away by an anodyne rebranding to a ‘digital pass’. But there are now additional questions stacking up around the Commission’s technology choices for the common instrument — and whether the architecture of the system will live up to Von der Leyen’s tweeted promise that the EU digital green pass “will respect data protection, security and privacy”.

For EU citizens to trust in that claim full transparency is essential.