The Dangers of Blockchain-Enabled “Immunity Passports” for COVID-19
By Elizabeth M. Renieris, Dr. Sherri Bucher, and Christian Smith
Despite limited backing from civil society or public health experts, as well as warnings from historians and bioethicists, technologists are racing ahead to build and deploy digital certificates that would allegedly let individuals “prove” whether they have recovered from the novel coronavirus disease (COVID-19), have tested positive for antibodies, or have received a vaccination, should one become available. One such initiative is based on a combination of an emerging W3C standard for Verifiable Credentials (VCs), non-standard decentralized identifiers (DIDs), and distributed ledger technology (DLT) or “blockchain.”¹
In this article, we examine why such proposed technological interventions lack sufficient supporting scientific and public health evidence or legitimacy. As a result, we believe such interventions, if adopted or implemented by public authorities, would pose an unjustified interference with, and serious threat to, our fundamental human rights and civil liberties, in violation of the principles of legality, necessity, and proportionality. In this article, we outline our concerns from a legal, public health-based, and technical perspective.
A Legal Perspective
Blockchain-enabled “immunity certificates” or “immunity passports” for COVID-19, if implemented by public authorities, would have serious consequences for our fundamental human rights and civil liberties. The introduction of these artifacts could interfere with our right to privacy; freedoms of association, assembly, and movement; our rights to work and education; and otherwise seriously limit our freedom and autonomy, even where not compulsory. For example, while not expressly mandated by law, individuals in post-lockdown China must be able to produce a “green” QR code of health status on their mobile device in order to access public transportation, enter workplaces or residences, and more, and have virtually no way of challenging the automated determinations of status.
While drastic measures that interfere with fundamental rights may be justified in extraordinary circumstances, such as a pandemic, under most international human rights and civil liberties laws, they must first satisfy a three-part test. The interference must be: (1) in accordance with or prescribed by, law (i.e. the legality principle), (2) necessary to achieve a certain aim (i.e. the necessity principle), and (3) proportionate to the aim pursued (i.e. the proportionality principle). These principles have specifically been reaffirmed in jurisdictions around the world in the context of COVID-19, including by the Israeli Supreme Court (that a measure is unconstitutional unless it is prescribed by law) and the European Data Protection Supervisor (that a measure must be necessary and proportionate).
In addition, as related to initiatives that have a strong public health component, the science underlying any extraordinary claims in regard to an alleged need to suspend human rights and civil liberties must be data-driven and evidence-based. That is to say, the efficacy of a proposed intervention is closely linked to its necessity — it’s hard to argue something is necessary without any evidence that it would work or do what it purports to do. This principle was recently reaffirmed by the French data protection regulator CNIL, which observed that a mobile contact tracing app known as “StopCovid” could only be deployed if its usefulness for managing the crisis is sufficiently proven and if certain guarantees to its efficacy are provided.
The legality principle does not necessarily require a specific law authorizing the interference in question. However, in the absence of a bespoke legislative measure, there must be some other existing legal framework that provides sufficiently clear and precise rules to govern the use of the technology — a framework that is adequate to ensure individuals have advanced notice of and can foresee its application.
At this time, we know of no specific or general legal frameworks which would provide individuals with sufficient clarity and precision as to how any data processed in connection with such blockchain-enabled immunity credentials would be governed or processed, or that could provide individuals with sufficient safeguards or protections in respect of their use. To the contrary, blockchain raises a host of critical, open questions about privacy, data protection, liability, and accountability, among others, which remain wholly unanswered at this stage. Thus, it is hard to argue that the proposed interference would be in accordance with, or prescribed by, law.
Even if the proposed immunity credentials could satisfy the legality test, it is hard to argue they are necessary or proportionate interventions, as further outlined below.
A Public Health Perspective
There are at least three reasons why, from a public health perspective, immunity passports are an unwise option to pursue: (1) current SARS-CoV-2 antibody tests are highly unreliable and the immune response to COVID-19 is poorly understood; (2) a COVID-19 vaccine is a long way off; and (3) while some have suggested that the International Certificate of Vaccination for Yellow Fever serves as an example of “immunity certification” that is nearly identical, or similar to, that proposed for COVID-19, there are crucial differences in the public health context for yellow fever vs. COVID-19, discouraging immunity passports for the latter.
Current SARS-CoV-2 antibody tests are highly unreliable
There is currently more unknown than known, in regard to COVID-19. This is due, in large part, to the fact that the COVID-19 pandemic is being fueled by a novel pathogen, SARS-CoV-2, which only recently emerged within the human population. There has simply not been time for the scientific community to characterize the human immune response to SARS-CoV-2, or to generate sufficient evidence in regard to the sensitivity and specificity of antibody tests. We currently lack accurate, population-based estimates of prevalence and incidence of COVID-19 due to severe constraints in the ecosystem for the provision of widespread diagnostic testing. This, in turn, results in an inability to calculate the predictive values for COVID-19 antibody tests. Without a reliable estimate of predictive validity, COVID-19 antibody test results cannot be trusted.
The most troubling problem, currently, in regard to COVID-19 antibody tests is an inability to determine the rates of “true positive” and “true negative” results. In particular, although hundreds of COVID-19 antibody tests have been developed, the ability of these tests to accurately detect SARS-CoV-2 antibodies, even within the blood samples of persons who have been previously diagnosed with COVID-19 via nasal swab diagnostic testing, is unreliable and highly capricious. If COVID-19 immunity certificates were currently available, and issuance of these immunity credentials was dependent, in large part, on existing COVID-19 antibody test results, then an undetermined number of individuals with “false negative” results would be unjustly denied immunity certification. The opposite problem occurs with “false positive” results, in which persons who have never been infected with SARS-CoV-2 might mistakenly be issued immunity certification when, in fact, they have not previously suffered from COVID-19, and are still vulnerable to exposure, themselves, as well as spreading the disease to others.
No one knows if, or how, exposure to SARS-CoV-2 confers subsequent immunity
Even if a highly sensitive and specific SARS-CoV-2 antibody test, with high predictive validity, eventually emerges, pinning immunity certification efforts on an individual’s antibody test results is problematic, for other key reasons. For example, it is unknown, at this point in time, whether infection with SARS-CoV-2 confers subsequent immunity. Fundamentally, this means that, even if SARS-CoV-2 antibodies are detected in a person’s blood sample, it is currently unclear if this indicates that the person is actually “immune” to SARS-CoV-2, and/or protected from future COVID-19 illness.
Most likely, as is typical for exposure to similar pathogens, some immunity is conferred as a result of infection with SARS-CoV-2. However, many additional questions remain with regard to: a) how COVID-19 disease severity and progression is related to the development of immunity; b) the manner by which individual demographic or contextual determinants (e.g., gender; race; ethnicity; socioeconomic status) may, or may not, mediate the human immune response for the development of detectable SARS-CoV-2 antibodies; and c) if, in fact, immunity does develop after infection, how long it lasts. In order to find the answers to these critical questions, the scientific evidence-base regarding the human immune response to SARS-CoV-2 exposure must be much better characterized, preferably via data gathered from a series of large, representative (e.g., across gender; racial, and ethnic groups), population-based studies. This has not yet been accomplished.
The long, winding, and uncertain road to a COVID-19 vaccine
In addition to natural exposure to a pathogen, immunity to infectious diseases can also be conferred via vaccination. There are a tremendous number of infectious diseases for which there is a broad and deep evidence-base in regard to the course of the illness, diagnosis, and treatments, as well as good characterization of both disease-related and/or vaccine-initiated immune responses. As a result, there are also a vast number of virulent infectious diseases for which safe and effective vaccines have been developed. COVID-19, however, is not one of these.
There are myriad scientific challenges presented by the development of a safe and effective SARS-CoV-2 vaccine, and numerous technical hurdles to be surmounted prior to global distribution. While several vaccine development and testing initiatives are underway around the world, none has generated sufficient peer-reviewed data with regard to safety or efficacy. Vaccine development is a notoriously laborious process with very high rates of failure, and coronaviruses are particularly tricky in this regard. At best, it is highly unlikely that we will have a safe and effective COVID-19 vaccine available for widespread global distribution prior to 2022 and even then, it would have to be delivered in an almost unprecedented global immunization campaign due to the pandemic nature of the crisis.
The only precedent for such a Herculean global health effort is the eradication of smallpox, and more recently, attempts to eliminate polio, both of which required many years and billions of dollars in investment, as well as collective global mobilization toward a common goal. Thus, most consensus, within the scientific community, is that, despite vigorous on-going international efforts by a wide variety of partners to develop an effective vaccine to prevent COVID-19 illness, we are still a long way off. Linking COVID-19 immunity passport efforts, then, to either antibody testing or vaccination, is not supported by the existing evidence-base.
The Yellow Fever vaccination card is not a roadmap for COVID-19 immunity passports
A comparison of the public health landscapes for yellow fever vs. COVID-19 reveals that these two infectious diseases have much less in common, than one may initially believe, in terms of support for the concept of immunity passports. Among dozens of vaccine-preventable diseases, yellow fever is the only infectious disease for which the World Health Organization advocates for universal proof of vaccination (i.e. immunity), and only for the limited purpose of traveling to/from particular global regions. The International Certificate of Vaccination for Yellow Fever or “Yellow Card” (Carte Jaune), which verifies that a traveler has been vaccinated against the severe, mosquito-borne, viral illness, is required for entry to 40 countries/territories in sub-Saharan Africa and South America.
In contrast to yellow fever, COVID-19 has been confirmed in 185 countries/territories and every continent with the exception of Antarctica. Thus, with regard to global endemicity, and, perhaps contagiousness, COVID-19 is less comparable to yellow fever, and more comparable to the measles, prior to the availability of a safe and effective vaccine. Currently, however, even within the context of a well-characterized disease and decades-old effective measles vaccination, there is no requirement, and there are no calls, for a “Measles Immunity Passport.”
Yellow fever is an extremely well-characterized tropical infectious disease, with a long history of scientific study and a deep repository of biomedical knowledge; the antibody response is also extremely well-characterized. A safe and effective vaccine for yellow fever has been available for 80 years. A single yellow fever vaccine confers lifelong immunity. Citizens are only required to receive the vaccination if they plan to travel to a yellow fever endemic country. In contrast, as previously noted, the human immune response for SARS-CoV-2 is very poorly understood, and currently, there is no safe or effective vaccine.
Yellow fever incidence and prevalence are tracked within a well-established and highly organized global surveillance system; diagnosis, treatment, and control strategies are supported by agreed-upon standards, guidelines, and lead partners such as the World Health Organization, whose recommendations and policies align with other national and regional affiliates such as the Centers for Disease Control. There are strong networks of laboratories, established diagnostic, preventative, treatment, and immunization protocols, and a robust supply chain for essential commodities related to yellow fever diagnosis, treatment, and vaccination.
Due to the swiftness of the COVID-19 pandemic, lack of an established repository of biomedical knowledge for the novel pathogen SARS-CoV-2, fear and anxiety kindled by its rapid global spread, and political machinations during this acute, first wave of the disease, stakeholders at the global, regional, national, and local levels have not coalesced around clear leadership in terms of developing established international standards and guidelines for COVID-19. Supply chains for essential commodities such as swabs and reagents for COVID-19 diagnostic testing, personal protective equipment, and medical equipment (e.g., mechanical ventilators and oxygen) are significantly strained. How could partners and stakeholders coalesce around a viable immunity certification process, whether paper-based, digital, or otherwise, amid such uncertainty, a lack of evidence, and paucity of tools like reliable diagnostic and antibody tests, or safe and effective vaccines on which to anchor immunity status?
Yellow fever and COVID-19 are both frightening infectious diseases with severe disease states resulting in extreme illness and significantly increased risk for mortality.² But there is a key difference with regard to the yellow fever virus vs. SARS-CoV-2 when it comes to the relative benefit of requiring immunity certification. The yellow fever virus is a mosquito-borne pathogen with a profound risk of spread from endemic to non-endemic regions in an era of rapid global travel and connections among international hubs.³ The primary function of the yellow fever international certification of vaccination is to prevent the spread of this disease into non-endemic settings. By contrast, COVID-19 is a viral respiratory illness already classified as a pandemic. Immunity passports will, in no way, put this particularly terrible genie back into the bottle.
Looking forward, even limited use of immunity credentials, such as among particular “high risk” or “essential” sub-groups (e.g., health care providers; factory workers; farm laborers), within a context of more reliable antibody testing, or an effective vaccine, is still troubling. Immunity passport efforts, as related to infectious diseases, come with a wide variety of potentially devastating moral and ethical consequences, as outlined in detail by historians and bioethicists. The historical precedent for “acclimation” to yellow fever, prior to the advent of a vaccine, was fraught with numerous ethical challenges and deleterious impacts, particularly for vulnerable populations: enslaved persons, the poor, migrants, and economic refugees.
A poorly executed immunity certification effort, particularly when not grounded in an established scientific and public health knowledge base, and when tied to the ability of people to economically support themselves and their families, is often rife with corruption, desperation, and perverse incentives, such as intentional self-infection with a potentially deadly disease. The risks of exclusion and stigmatization are only amplified where a public, immutable ledger is part of the solution. Thus, from a public health perspective, the relative utility of a COVID-19 immunity certificate as compared to the yellow fever vaccination card, is of little benefit and riddled with risks. On the contrary, the relative risks of a certificate or credential requiring the use of blockchain far exceed any potential benefits to public health.
A Technical Perspective
COVID-19 “immunity passports” based on a combination of Verifiable Credentials (VCs), decentralized identifiers (DIDs), and blockchain, would be an excessive and disproportionate technical means of achieving any limited public health outcomes. The technical architecture is arguably a product of premature standardization, speculative requirements, and highly experimental technologies, rather than the harmonization of existing, widely deployed, and battle-tested solutions. As a result, there is ample reason to question whether they are adequate to support credentials that would play a critical role in public safety.
First, VCs, DIDs, and related APIs are largely built on web technology such as HTTP and URLs, which generally presume internet connectivity and online use. In fact, the entire purpose of web protocols is online communication of documents and data. However, the primary need for immunity credentials would not be online but rather for safeguarding in-person interactions, where there is a risk of transmission. Credentials for in-person use would ideally be designed to work on mobile devices similar to contactless payments such as Apple Pay. However, the web standards on which VCs are based offer nothing to support this capability. Potentially suitable communication methods such as NFC and Bluetooth are not directly compatible with the internet protocols underlying the Web. Aside from being a poor fit for mobile devices, offline use of W3C VCs and DIDs is a non-trivial problem to solve, because the nature of both the Web and DIDs is to link to remote documents or data. Ensuring offline usability requires eliminating dependencies on remote resources, such as public keys linked to blockchains.
A second major gap in such an approach is the lack of a proven method of private key management for end users. Proponents of the VC/DID method do attempt to address public key management with blockchains. However, blockchain solutions have failed to provide credible methods of private key management. Without this, users are subject to elaborate inconveniences that also negate the security assurances expected from credentials. The use of a blockchain typically only addresses the management of public key material and, in doing so, creates additional obstacles to offline credential use and verification, while facilitating potential collusion, passive surveillance, and re-identification through data inference.
A third issue is the lack of well-defined security protocols. The scope of the W3C recommendations is currently quite limited — the VC specification merely provides a data model, not a complete protocol or end-to-end solution. Early versions of APIs in development for exchanging VCs currently leave important security features such as subject authentication optional. While not every use case for credentials requires this type of authentication, implementers have been inconsistent about using the feature correctly. Combined with the lack of viable private key management, this means there is currently no strong assurance that the presenter of a credential is its subject. Elaborate identity proofing measures are pointless if the means of conveying such proof are vulnerable and easy to exploit. Effectively, the door is wide open for improperly borrowing or stealing these credentials. Using a hypothetical immunity credential based on the VC standard, an infected person could feasibly impersonate a vaccinated person, creating a false sense of security while the virus is spread.
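The difference between checking only the issuer's signature and also authenticating the subject can be shown in a short sketch. This is an added example, not code from the authors or from any VC implementation: the credential layout, the `subjectKey` field, the function names, and the flat-JSON canonical form are all assumptions made for illustration, and the verifier is assumed to hold the issuer's public key locally so that no remote lookup is needed.

```javascript
const crypto = require("crypto");

// Constructed key pairs for the demo: issuer, credential subject, and another party.
const issuer = crypto.generateKeyPairSync("ed25519");
const subject = crypto.generateKeyPairSync("ed25519");
const otherParty = crypto.generateKeyPairSync("ed25519");

const toB64 = (pub) => pub.export({ type: "spki", format: "der" }).toString("base64");
const fromB64 = (b64) =>
  crypto.createPublicKey({ key: Buffer.from(b64, "base64"), format: "der", type: "spki" });

// Simplified canonical form: flat object, sorted keys (an assumption of this sketch,
// not the proof format of the VC data model).
const canonical = (claims) => Buffer.from(JSON.stringify(claims, Object.keys(claims).sort()));

// The issuer signs the claims, which include the subject's public key.
function issueCredential(claims, issuerPrivateKey) {
  const proof = crypto.sign(null, canonical(claims), issuerPrivateKey).toString("base64");
  return { claims, proof };
}

// Check 1: issuer signature only. It says nothing about who is presenting.
function verifyIssuerOnly(credential, issuerPublicKey) {
  return crypto.verify(null, canonical(credential.claims), issuerPublicKey,
    Buffer.from(credential.proof, "base64"));
}

// The holder signs the verifier's fresh challenge together with the credential proof.
function present(credential, holderPrivateKey, challenge) {
  const msg = Buffer.from(challenge + "." + credential.proof);
  const holderProof = crypto.sign(null, msg, holderPrivateKey).toString("base64");
  return { credential, challenge, holderProof };
}

// Check 2: issuer signature, fresh challenge, and proof of possession of the subject key.
function verifyPresentation(p, issuerPublicKey, expectedChallenge) {
  if (!verifyIssuerOnly(p.credential, issuerPublicKey)) return { ok: false, reason: "bad issuer proof" };
  if (p.challenge !== expectedChallenge) return { ok: false, reason: "stale challenge" };
  const msg = Buffer.from(p.challenge + "." + p.credential.proof);
  const bound = crypto.verify(null, msg, fromB64(p.credential.claims.subjectKey),
    Buffer.from(p.holderProof, "base64"));
  return bound ? { ok: true, reason: "subject authenticated" }
               : { ok: false, reason: "presenter is not the subject" };
}

// Runs both checks over constructed presentations and returns the outcomes.
function runScenarios() {
  const credential = issueCredential(
    { issuer: "example-issuer", status: "constructed-claim", subjectKey: toB64(subject.publicKey) },
    issuer.privateKey);
  const c1 = crypto.randomBytes(16).toString("hex");
  const c2 = crypto.randomBytes(16).toString("hex");
  const genuine = present(credential, subject.privateKey, c1);
  const edited = { ...credential, claims: { ...credential.claims, status: "edited" } };
  return {
    // A copied credential passes the issuer-only check regardless of who holds it.
    issuerOnlyAcceptsCopy: verifyIssuerOnly(credential, issuer.publicKey),
    genuine: verifyPresentation(genuine, issuer.publicKey, c1),
    copiedByOther: verifyPresentation(present(credential, otherParty.privateKey, c1), issuer.publicKey, c1),
    replayed: verifyPresentation(genuine, issuer.publicKey, c2),
    tampered: verifyPresentation(present(edited, subject.privateKey, c1), issuer.publicKey, c1),
  };
}

console.log(runScenarios());
```

The second check is only as strong as the protection of the subject's private key, which is the key-management gap raised in the previous paragraph.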
This last point — security — deserves special consideration with respect to the use of blockchains. It has long been recognized in the field of cryptography that haphazardly copying techniques from one protocol to another leads to security flaws. The idea of blockchain, however, takes the peril a step further by attempting to generalize an entire protocol designed to solve the very specific problem of electronic cash. It is wrongly believed that security characteristics of cryptocurrency are universally lent to any problem one might address with a distributed ledger. In practice, blockchains have turned out to share common vulnerabilities with run-of-the-mill IT infrastructure, while creating new and equally concerning problems for privacy and data protection.
The challenge posed by these gaps and the false generalization of blockchain cannot be overstated. Security protocols are notoriously difficult to design and prone to subtle, hard to detect flaws, while also being relatively easy to circumvent. Before entrusting any technology to protect people from the spread of infectious disease, it should be subjected to rigorous formal analysis and security review. At this stage, W3C VC, DIDs, and related technologies have not yet undergone sufficient scrutiny.
Even if the standards become more mature, this approach to any kind of immunity-related credentials will likely still be disproportionate and excessive. There are myriad other permutations of digital certificates, traditional public key infrastructure (PKI), and even other kinds of databases that don’t raise the same concerns as a distributed ledger. Moreover, it is unclear why you would ever need a global public registry of any kind in connection with immunity classifications or status, particularly in light of the risks outlined above. In fact, because ledgers are logically centralized and actually a single point of failure, any problems with the ledger, including collusion or malicious attacks, could compromise the ability of individuals to produce or manage their credentials. This could result in severe interferences with their fundamental rights, while offering limited recourse or accountability for parties involved in maintaining the ledger.
At this stage, based on the state of public health and scientific evidence surrounding COVID-19, we remain unconvinced that “immunity passports” or even immunity certificates are possible, let alone desirable. Should they become possible, we are also unconvinced of their necessity, given the limited precedent for such artifacts among other infectious diseases. And even if they should become possible and necessary, we believe the use of VCs, DIDs, and blockchain in connection with their issuance would be excessive. Finally, we would be skeptical of any solutions put forward by private sector actors, without significant public sector, civil society, and other stakeholder engagement.
The prospect of severely curtailing the fundamental rights and freedoms of individuals through ill-thought-out plans for “immunity passports” or similar certificates, particularly ones that would leverage premature standards and a highly experimental and potentially rights-infringing technology like blockchain, is beyond dystopian. We urge law and policymakers to think twice before entertaining such industry-driven, technology-first solutions to complex public health and humanitarian crises. Rather, we should pursue more ethical, scientifically sound, and human rights-preserving alternatives spearheaded by a diverse group of stakeholders, and which rely on tested and proven technologies that exist within a clearer legal framework. If ever there was a time to avoid moving fast and breaking things, this is it.
¹ CCI, self-described as “a direct response to the many calls for an ‘immunity passport,’” is led by for-profit companies eager for a use case for their as-yet unadopted technologies. Notably, participants do not include any public health experts.
² Among patients who suffer from severe yellow fever disease, there is a 30%-60% mortality rate. While the estimated overall mortality rate of COVID-19 and accurate mortality estimates for those who suffer from severe illness are still emerging, the prognosis is bleak among patients who require mechanical ventilation due to severe COVID-19 illness. In both diseases, survivors often face a long period of recovery with additional complications.
³ Non-immune humans infected with yellow fever in sub-Saharan Africa or South America who travel to Europe, North America, or Asia, and are subsequently bitten by an uninfected mosquito in the non-endemic country, can serve as vectors for rapid spread of the disease in previously unaffected regions.
Elizabeth M. Renieris (@hackylawyer) is the founder & CEO of HACKYLAWYER, a privacy expert (CIPP/E, CIPP/US), fellow at the Berkman Klein Center for Internet & Society at Harvard University, and a Technology & Human Rights fellow at the Carr Center for Human Rights Policy at Harvard’s Kennedy School of Government.
Dr. Sherri Bucher is Associate Research Professor of Pediatrics at Indiana University School of Medicine, and Adjunct Associate Special Professional in maternal-newborn-child health at Eck Center for Global Health, University of Notre Dame.
Christian Smith is the CEO and co-founder of Stranger Labs. Previously, he led a research engineering team developing privacy enhancing technologies at MIT, and built open source software and implemented emerging identity standards and security protocols at Anvil Research.