Building a Covid Travel Passport Is a Serious Tech Challenge
(Bloomberg Businessweek) -- When Philippe Srour and his wife, Laurence, took an Air France flight to Paris from San Francisco in mid-March, they were given a novel opportunity to escape some of the madness of pandemic-era travel. In exchange for the promise of less hassle at border and security checks, the couple agreed to use a mobile app to display their Covid-19 test results. The trial wasn’t a total success. Srour, an engineer by training, initially couldn’t get the app to work, because it wouldn’t accept his leap-year date of birth: Feb. 29. Although the airport verification steps ultimately went smoothly, the glitch showed that the AOKpass system from travel-security company International SOS “might need a little more attention,” Srour said after stepping off his flight in Paris.
While the Srours uncovered a relatively minor bug in the AOKpass, the incident highlights how the digital vaccination and testing apps being rushed to market remain works in progress. And new ones, from the European Union’s planned Digital Green Certificate to the International Air Transport Association’s Travel Pass or CommonPass, backed by the World Economic Forum, keep emerging.
In Israel, the country most advanced in vaccinating its population, users of the government’s “green pass” mobile app can enter theaters, sporting arenas, hotels, and gyms if they can show they’ve had their vaccine shots or recovered from the virus. But cryptographic experts have already found a number of security vulnerabilities with the app.
Orr Dunkelman, a computer science professor at the University of Haifa, says he and his colleagues found the app was based on outdated code. If users reported issues with the app, the information was sent back to a Ministry of Health employee’s personal email account instead of the ministry. And early generations of the QR codes displayed on the app were easily forged. “It was done in a hurry, and they didn’t think through everything,” Dunkelman says.
Sveta Morag, an official at Israel’s Ministry of Health who led the work on the green pass, said that the issues with the email address and the QR code pertained to a test version of the app that was published before public places started accepting the pass and that they’ve since been fixed. The app still uses more mature code to support older versions of Android, she said.
For the global travel industry, having systems that are able to securely talk to each other—regardless of who designed the apps—is critical. Also, using open source software standards, like the ones that already allow credentials to be verified securely over the web, is important. Otherwise, relying on proprietary systems raises the prospect that a company developing an app may have access to people’s data, inevitably raising national security concerns from foreign countries, according to Jenny Wanger, director of programs at Linux Foundation Public Health, which is urging the adoption of open source verification standards.
The EU’s initial guidance for its Green Certificate to enable quarantine-free travel, released on March 17, didn’t anoint a particular app. But it does lay out broad ground rules for developers, including that the certificates display secure QR codes, that they be available in both digital and paper formats, and that they can be verified by other member nations.
Carriers and border authorities want as much interoperability among the competing vaccine verification platforms as possible. “We hope that we get one standard that we can easily read with one app and can use it all over Europe,” says Emmanuelle Ferracci, who’s overseeing the AOKpass trial at Air France.
The IATA, Covid-19 Credentials Initiative, Vaccination Credential Initiative (which represents health-care organizations and tech companies like Microsoft Corp. and Salesforce.com Inc.), and other groups are basing their work on so-called open source verifiable credentials. Not only would the standards allow for compatibility among similar systems, proponents say, they could also allow people to present evidence of immunization without giving border agents access to broader personal data on central servers. Developers also hope the systems could yield dividends long after the pandemic is over, by logging other immunizations needed for certain travel, such as yellow fever shots, or even kids’ school registrations.
Some health credentialing systems, including AOKpass, IBM’s Digital Health Pass, and one developed by cybersecurity company Guardtime, are adding layers of security by incorporating blockchain technology. Dunkelman, who’s also a co-founder of the nongovernmental organization Privacy Israel, says those measures are “overkill.” Simple and safe technology already in widespread use with chip-embedded passports and government ID cards could be used for vaccine certificates, he says. Having authorities digitally sign vaccination information and link it to such an identity card would be enough to prevent forgeries and tampering. “It’s one of the few cases where a simple solution is sufficient,” he says.
Dunkelman’s fix would require vaccine certificates to be cross-checked with ID cards, an added step that could slow down the verification process, particularly in airports if travel were to return to pre-Covid levels, according to Anthony Day, who leads IBM’s efforts in Europe to develop blockchain solutions for clients. “The ability to verify digitally at scale is the challenge we’re facing here,” he says. Day also figures that for nontravel uses like gaining admission to a restaurant, many people may not want to share the personal information contained on their government IDs.
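The scheme Dunkelman describes, and the ID cross-check it requires, can be sketched in a few lines of Go. This is an added example, not code from the article or from any app it names. The record layout, the ID numbers and the choice of Ed25519 as the signature scheme are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Certificate is a constructed record layout, not any real pass format.
type Certificate struct {
	IDNumber string `json:"id_number"` // government ID the record is bound to
	Name     string `json:"name"`
	Vaccine  string `json:"vaccine"`
	Doses    int    `json:"doses"`
}

// Issue is run by the health authority: serialize the record, sign the bytes.
func Issue(priv ed25519.PrivateKey, c Certificate) (payload, sig []byte) {
	payload, _ = json.Marshal(c) // cannot fail for this plain struct
	return payload, ed25519.Sign(priv, payload)
}

// Verify runs at the checkpoint with only the authority's public key, then
// cross-checks the signed ID number against the ID document presented.
func Verify(pub ed25519.PublicKey, payload, sig []byte, presentedID string) error {
	if !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("signature invalid: forged or altered certificate")
	}
	var c Certificate
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if c.IDNumber != presentedID {
		return fmt.Errorf("certificate is bound to a different ID document")
	}
	return nil
}

// Demo issues one constructed certificate and runs three checkpoint cases.
func Demo() (valid, borrowed, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	payload, sig := Issue(priv, Certificate{"000000018", "Constructed Holder", "sample", 2})
	valid = Verify(pub, payload, sig, "000000018")
	borrowed = Verify(pub, payload, sig, "999999998") // a different ID is shown
	payload[len(payload)-3] ^= 1                      // one signed bit changed
	tampered = Verify(pub, payload, sig, "000000018")
	return
}

func main() { fmt.Println(Demo()) }
```

The checkpoint needs only the public key, so it cannot mint certificates itself. The ID comparison is the extra step that Day says could slow verification.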
The World Health Organization remains wary of requiring Covid vaccine certificates to allow international travel, given the unknowns over whether vaccines can reduce transmission of the disease. “There is a huge hope to get out of this pandemic, and anything that sounds like a silver bullet is sort of embraced,” Roberta Andraghetti, WHO’s regional adviser for international health regulations, said on a webinar in March. “Unfortunately, we see more and more that there are no silver bullets.” —With Ivan Levingston
©2021 Bloomberg L.P.