Vaccine Passports are Poised to Serve Private Sector Interests

This pandemic response may shape the future of digital identity

Vaccination credentialing may satisfy the interests of virtually limitless stakeholders, because vaccine credentials are predicated on creating a specific and verifiable identity across space and time.

In typical American fashion, the US government is relegating the creation of digital vaccination certifications (i.e. proof of one’s vaccination status) to the private sector. Working groups to create vaccine passports are now forming to unite public entities and privacy corporations with individuals working in healthcare information technology, information security, and digital identity software engineering . According to the Covid Credentials Initiative, a vaccination credentials initiative created by the Linux Foundation, many of their collaborators come from early-stage verifiable credentials start-ups. Conversely, the Vaccination Credentials Initiative, tasked with developing a single Smart Health Card, involves big tech companies such as Oracle and Microsoft, and health IT companies like Mayo Clinic.

The unification of large and small entities working on vaccine passports is designed to make verifiable credentials applicable and accessible across sectors. Unfortunately, creating this infrastructure paves the way for increased reliance on digital identities in the U.S. Ultimately, corporate collaborations on vaccine credentials are presenting techno-solutionist answers to a complex public health problem, while simultaneously using the COVID-19 pandemic to further private sector goals.

Credentialed digital identification will likely become easier across sectors. The 2019 W3C Verifiable Credentials Use Case document identifies retail, education, finance, and healthcare as potential domains where verifiable credentials can be used. The rapid innovation and interoperability established for vaccine credentials may trickle down to different products and industries, with unintended consequences. Those public and private entities that have a lot to gain from full integration will be the main driver of policy recommendations on new uses, as these seep into the mundanity of everyday life.

While these working groups look to ensure security and privacy throughout the vaccine credentials architecture, the corporate choice to be involved in the development of COVID-19 credentials implies financial incentives for building this infrastructure, as well as the potential to use it in other ways. As scholar Ruha Benjamin explains, a more complete view of the impact of technologies begins far before a project has materialized and functions as discriminatory. Therefore, it is necessary to pay equal attention to the “social inputs that make some inventions appear inevitable and desirable,” in order to understand the underlying assumptions that working-groups members have agreed upon.

Private-sector working groups effectively redirect trust from an individual’s declaration of their vaccination status, to digital vaccine credentials and, by proxy, verifiable credentials architecture, the vaccination site, and the recipient of the verification. If the recipient site is an airline, school, hospital, or entity covered by a legal privacy standard, the likelihood of data protection is presumably adequate. However, if the credential recipient — the person asking you to provide your vaccination status to gain access to a particular place — is your local bar, fitness studio, or baseball stadium, then data protection protocols are not so clear. Without specifications on who can request this information and its scope of use, digital collaboration cannot negotiate holistic privacy and security.

Without specifications on who can request this information and its scope of use, digital collaboration cannot negotiate holistic privacy and security.

Once the new digital identity verification infrastructure is established and standardized, corporations may be able to find applications for verifiable credentials that they could only fantasize about prior to the pandemic. And the more corporations that get involved, the more incentive there is for others to join as well, supercharging the working group’s mission to solve this particular social problem with technology––even though the problem may be best addressed without it. This pandemic mandate to develop interoperability standards mainly seeks to fortify the foundations for verifiable credentials. By gaining investment from distributed stakeholders, verifiable credentials may finally reach industries and applications which have historically failed to incorporate a digital identity system — cementing these, along with their assumptions, in our society.

Semi-centralized initiatives have positioned themselves as experts on vaccination credentials, and are therefore uniquely qualified to provide implementation guidance to relevant bodies, such as the World Health Organization, international airlines, multinational businesses, and governments. The Vaccine Credential Initiative’s website states that this coalition serves to “harmonize the standards and produce implementation guides needed to support the issuance of verifiable health credentials.” If a single corporation were to serve as the knowledgeable body to inform legislation on their own technology, there would be a clear conflict of interest.

Collaboration, however, makes this problem a little less clear. This type of coalition implies that this specific approach to vaccine passports is acceptable because it has been vetted by so many companies, organizations, and individuals. Ultimately, collaboration serves to legitimize and indicate transparency in presentation source (the working groups) to their end users: governments, multinational health organizations, and health care providers. It also positions the working group members to have outsized influence over policy related to the credential infrastructure they co-create. Collaborative working groups may also appear altruistic by making their products open-source. However, the idea that open-sourcing or distributed sharing is a ‘universal good’ is a fallacy when it comes to highly invasive tech.

However, the idea that open-sourcing or distributed sharing is a ‘universal good’ is a fallacy when it comes to highly invasive tech.

Amazon, for example, open-source licensed their Distance Assistant, a visual tool requiring only a camera and a computer to monitor social distancing. Distance Assistant, predicated on spatially tracking individual workers, is merely “lines of code” away from becoming a full-fledged worker surveillance tool that monitors and penalizes idle time. Open-source employs the logic that transparency and availability of code makes it more available for scrutiny, which it ultimately may not receive. The value in making Distance Assistant open source is part of a marketing ploy for Amazon Web Services to signal their ostensibly ethical, health-centric, and selfless innovation. Its potential adoption would functionally normalize this invasive technology as an industry standard.

Open-sourced surveillance increases access to highly digital, highly invasive citizen surveillance in which all businesses or environments have the opportunity to partake. Where Distance Assistant may largely impact surveillance of warehouse workers, with decreased reach in other industries, vaccination credentialing may satisfy the interests of virtually limitless stakeholders, because vaccine credentials are predicated on creating a specific and verifiable identity across space and time.

The structure of these vaccine credential working groups are directly in-line with the Improving Digital Identity Act of 2020, reintroduced last September. The bill identifies the private sector as the lead innovation site for digital identity systems and seeks to build collaboration between the public and private sector to develop privacy-centered innovation with confidence. This collaboration model may be efficient, but it is not sufficient for building a task force capable of compartmentalizing corporate and governmental interest to also consider the desires of the governed. The dependence on this particular technological solution to vaccination credentials prevents the working groups from morphing to address the underlying problems that helped propagate this pandemic: health inequality, misinformation, mistrust. For collaboration to act as a social good, it must unite the input of technically knowledgeable developers with those impacted by new technologies. Only then can they mobilize towards community-centered goals untethered to a particular solution, fueled by the desire to make substantive social change.

Iretiolu Akinrinade is a research assistant on the Health & Data team at Data & Society.