Covid-19 vaccination certificates: WHO sets minimum demands, governments must do even better
We analysed the WHO's guidance on "Digital Documentation of COVID-19 Certificates: Vaccination Status" (DDCC:VS). Here is our take on it and what we will keep an eye out for as countries deploy their own digital Covid-19 vaccination certificates.
- The WHO clearly establishes that health emergencies don’t give governments a carte blanche and reminds them of their legal obligations to protect our data rights, and respect human rights and fundamental freedoms.
- The WHO recognises that deploying COVID-19 vaccination certificates will come with risks and may result in harm – which is why legal safeguards and human rights obligations should inform and shape IF and HOW Covid-19 vaccination certificates should be deployed.
- The WHO warns about the risks of mission creep, when the purposes for COVID-19 certificates expand despite lack of scientific evidence and lack of appropriate safeguards.
- The WHO presents data protection safeguards as a pre-requisite for the deployment of digital vaccination certificates.
- Vaccination certificates and other digital health initiatives must not lead to the normalisation of the surveillance of health information.
On 6 August 2021, the World Health Organisation (WHO) published its technical specifications and implementation guidance for “Digital Documentation of COVID-19 Certificates: Vaccination Status” (DDCC:VS) following months of consultations. As governments around the world are deploying their own Covid-19 certificates, guidance from the global health agency was expected to set a global approach, and one that prioritises public health. As such, we would expect the WHO to identify what these certificates should entail, what data needs to be collected, and importantly what issues must be considered to ensure individuals are not adversely affected, and the right to health is respected, promoted and protected.
The guidance published today does meet some of these expectations. Nonetheless, it illustrates how governments should consider safeguards, protections, and the risks of using certificates.
But taking a step back before we analyse its content, we must point out that by its very existence the WHO guidance endorses the need for digital vaccination certificates and their deployment in an array of scenarios despite the limited scientific evidence the WHO itself maintains on the very specific role of vaccines to tackle the pandemic. Vaccines are essential to reducing the severity of disease, but are not guarantors of the prevention of transmission – whereas most deployments of certificates seem to hope otherwise. They do so despite the numerous risks in terms of discrimination, exclusion, and normalisation of processing and surveillance of health data in our societies.
Below we outline some key areas to constructively reflect on the WHO’s guidance and on minimum requirements and standards that Member States must apply to respect and protect the right to health and other human rights affected by the introduction of Covid-19 certificates, such as rights to equality, non-discrimination and privacy.
Is there a need for the WHO’s ‘guidance’?
We recognise efforts by the WHO to consider as many of the necessary safeguards, protections and risks in order to present the best way to implement digital vaccination certificates.
However, we remain sceptical of the rush towards ‘digital’ systems. The top priority should be vaccination in accordance with public health priorities; and providing for paper-based certificates for the purpose of continuity of care and proof of vaccination provides the fewest obstacles.
To build a truly digital and globally recognised system involves near-unprecedented complexity. The governance and infrastructure that would be required goes much further than is necessary and proportionate for the management of a global vaccination programme. Other vaccination programmes have never required the deployment of digital systems, and it is unclear why it is necessary in this context – considering the scale and emergency-nature of this intervention.
We are concerned that this will be used as an excuse to create vast new data and identity systems. Governments and the private sector – in particular, the digital identity and digital health sector – will likely seek to expand existing digital identity and digital health systems where they exist, or to create them - in haste, without appropriate scrutiny. Any decision-making around the design and deployment of such digital systems requires careful consideration and must be designed around people’s long-term health needs.
And the WHO acknowledges that there are concerns with developing a long-term solution when making decisions with short-term variables and factors. Therefore, it notes that there are two approaches to how governments will deploy certificates. That is, first there is the short-term solution that limits deployment of DDCC:VS and discontinues it when Covid-19 is no longer considered a public health emergency; and second there is the long-term solution which means addressing the immediate needs whilst building for the future the foundation of digital vaccination certificates beyond COVID-19. Recognising the different concerns associated with each, WHO’s guidance cautions governments to decide now which approach they will choose as it should change their decision-making process. It echoes our demands that if the purpose is to build for the future it requires a different set of discussions on the consideration before deployment and how to design the system itself. Any proposal for digital vaccination certificates needs to be considered on its merit, questioning whether it is viable and assessing the potential negative effects on individuals and vulnerable groups, i.e. we should not pre-emptively expect that digital certificates are the way forward.
We must be clear about what a vaccine, and a certificate, means (currently)
Based on currently available scientific evidence, the WHO continues to caution against the use of a vaccination certificate as a “health pass”, and notes that doing so may even increase risks of spreading the virus if those vaccinated are given new freedoms and exemption from various public health restrictions such as social distancing, quarantine measures or wearing masks.
Public confidence is key, and people have shown over the course of the pandemic that they want to know how and why decisions are made. Governments must come clean and be transparent that being vaccinated and having a vaccination certificate to show for it does not mean someone is risk-free.
The ongoing position of the WHO which was updated on 2 July 2021 remains that “National authorities and conveyance operators should not require proof of vaccination as a condition of entry or exit, given the limited (although growing) evidence about the performance of vaccines in reducing transmission and persistent inequities in global vaccine supply.”
In the same guidance, the WHO continues to hold the position that vaccines will help to reduce severity of disease if a person becomes infected but the extent to which vaccines sufficiently reduce transmission, from a public health perspective, is still uncertain and requires further assessment. This point is important to clarify what elements of the pandemic the vaccine can help tackle. That is, is the vaccine’s public health purpose to reduce severity of disease and hence hospital admissions, which is supported by evidence; or is it to reduce the spreading of the virus, which is not yet supported by evidence?
We’ve seen in recent months with government announcements in France, Italy and many other EU countries that “vaccination passes” would be required for entry in restaurants, public transport, amongst others, as well as reporting by the media equating being fully vaccinated as being “immune” to the SARS-CoV-2, which is not the case.
Also, it seems that certificates’ use may be managed temporally. That is, their use could possibly be limited to certain stages of the pandemic, as our pandemic response evolves at national levels, regionally, and globally as part of other public health measures. There are already many countries that have re-opened their economies and societies without using certificates to manage access to private/public places or entry/exit including for international travel. Domestic and international travel has been on-going throughout the pandemic with the use of negative test results certificates. It’s interesting to see that some countries, like Israel, had them in place very early on and then suspended their use due to high vaccination rates and low COVID-19 case numbers, but have now announced a partial reinstatement of vaccination passes along with other measures such as wearing of masks as a result of a rise in cases and concerns around the Delta variant.
So many questions remain as to the need for permanent use and enforcement of these vaccination certificates. How will the two use-case scenarios the WHO outlines, ‘Continuity of care’ and ‘Proof of vaccination’, be interpreted? And not just for now, but also if they are used in the future, as the pandemic evolves, new phases occur and new, regular risk assessments have to be undertaken at the national and international levels.
The WHO guidance on DDCC:VS clearly states that “The digital record is not intended to serve as an immunity passport or provide a judgement or decision on what that vaccination means or permits.”
Yet, nonetheless, as the pandemic rages on and governments with limited resources try to respond, so much time, energy and money have gone into the development of these certificates and passes. Ultimately, if deployed they are going to be used to make decisions that will impact the lives of billions of people. Having a certificate is likely to have life-changing outcomes as it becomes a pre-requisite to return to elements of our earlier lives, from access to workplace to border crossings.
Some of the ways these certificates are used to regulate people’s lives are already being strongly contested, with demonstrations occurring in countries where such requirements have already been announced, such as in Italy and France.
If you want to understand more about vaccine efficacy, effectiveness and protection, we invite you to check out this very useful explanation by the WHO.
WHO is clear that health emergencies don’t give governments a carte blanche
The guidance from the WHO provides some welcome critical elements in terms of the ethical considerations and data protection principles. For instance, ‘data protection by design’ may help shape the design and use of vaccination certificates in a positive way, as we have seen with some positive deployments of contact tracing being informed by data protection standards and principles.
We are pleased to see the emphasis put on the need for Member States to undertake “an impact assessment of the ethical and privacy implications and potential risks that may arise with the implementation of a DDCC:VS” **before** introducing the system, and the requirement “to establish the appropriate policies for appropriate use, data protection and governance of the DDCC:VS to reduce the potential harms.”
The guidance provides comprehensive data protection principles and helpfully articulates them as pre-requisites for the use scenarios of vaccination certificates. Such detailed guidance is particularly important for governments who may not yet have comprehensive data protection laws in place and the WHO encourages countries to adopt and adapt their national laws and regulations to comply with those pre-requisites.
This is an important message for governments that digital certificates cannot be introduced in a legal void, and that they should look to the WHO recommendations on how to respect these data protection principles and demonstrate compliance with them prior to deploying a system like a digital vaccination certificate.
Protecting people requires protecting their rights and freedoms
Given that this guidance still gives significant amounts of discretion to governments to deploy their own digital vaccination certificate systems, we enthusiastically welcome the WHO’s sustained emphasis on human rights. That is, the guidance draws repeated attention to governments’ responsibilities to comply with their legal obligations under national and international law, including any applicable obligations related to respecting human rights and data protection policies.
Any positive statement from the WHO around vaccination certificates will provide momentum to governments’ ambitions. As a result, it was essential that the WHO guidance set those demands around human rights and recognise those existing obligations and responsibilities of governments.
As we have long argued, vaccination certificates implicate so many fundamental rights and freedoms. Of course there are implications for privacy and equality; as a Lancet piece from May 2020 states, the impacts extend to autonomy, dignity, freedom of movement, amongst others. If vaccine certificates become necessary across our daily lives, they will impact upon freedom of peaceful assembly, access to employment, access to education and the right to equal treatment and non-discrimination. The WHO guidance makes it clear that the curtailment of rights and freedoms “is only justified when it supports the pursuit of a legitimate aim during a public health emergency and is provided for by law, proportionate, of limited duration, based on scientific evidence, and not imposed in an arbitrary, unreasonable or discriminatory manner.”
We welcome the WHO’s call for safeguards, as they ensure the application of this fundamental principle of human rights law, even if at times the guidance falls short of referring to the international human rights framework directly. The WHO includes the considerations needed before deployment, such as impact assessments and establishing legal and regulatory accountability mechanisms. Importantly, the WHO recognises that things may go wrong in the deployment of certificates, and thus calls for the right to redress of individuals.
One area worth further highlighting is that while the WHO guidance requires governments to regulate their own practices and policies, it needs to further extend the responsibilities of governments to protect from abuses by third parties, such as the private sector. This means that governments must regulate effectively the role of the private sector with respect to the flows of data generated by vaccination certificates and the ecosystem that will be created to sustain them. More on this later.
The WHO’s emphasis on the need for governments to respect human rights and prevent inequity echoes what we have been calling for throughout the pandemic. In fact, the Director-General of the World Health Organisation, the UN High Commissioner for Human Rights and the Council of Europe Commissioner for Human Rights have all called on countries to respect human rights principles when fighting Covid-19. In regards to “immunity certificates” the WHO has highlighted that “Beyond the scientific considerations, there are ethical, legal and human rights aspects related to privacy of personal data, medical confidentiality, potential risk of falsification or engagement in risky behaviour, stigma and discrimination,” which are the same as concerns associated with vaccination certificates.
More recently in February 2021, in a speech to the Human Rights Council, the United Nations Secretary-General highlighted a variety of concerns for human rights associated with the increased processing of personal data during this pandemic and called on governments to “place human rights at the centre of regulatory frameworks and legislation on the development and use of digital technologies”.
Exemptions exist but they must remain exceptions
A state of public health emergency may justify certain powers, but these extraordinary powers need extraordinary protections too. Within the mechanisms and structures in place to oversee the development of those emergency measures and policies, human rights protection must be prioritised, consultations run openly, risk assessments conducted. Put more simply, the rule of law is essential even in response to emergencies. This is not new.
The WHO reaffirms the need for governments to explicitly define the use(s) for a vaccination certificate and when it should not be used. We also welcome the reference to the “limits of legitimate uses” both in terms of duration but also curtailments of fundamental rights and freedoms stating that “to restrict the right to freedom to movement and other human rights is only justified when it supports the pursuit of a legitimate aim during a public health emergency and is provided for by law, proportionate, of limited duration, based on scientific evidence, and not imposed in an arbitrary, unreasonable or discriminatory manner.”
This reminder by the WHO to governments clearly highlights that those mechanisms allow for limitations of certain human rights in cases like a public health emergency, but it does not give governments carte blanche to deny human rights in the name of fighting the pandemic. In this respect, rules to regulate the processing of personal data are fundamental, as it is often based on processing of such data that decisions affecting individuals’ lives are made.
Side-lining public participation, rule of law, independent oversight, and accountability, amongst others, in the name of fighting the pandemic is concerning. It implies that these are obstacles rather than tools to protect people, and ultimately our societies. As set down in the guidance, Member States should look to their existing national and international legal frameworks to identify if and how they can deploy vaccination certificates. It is the safeguards and protections which should inform their decisions, not the exemptions.
Independent monitoring and oversight
It is important that regulatory mechanisms at national and international levels, such as data protection authorities, or others such as entities with monitoring and sanctioning mandates continue to play a role in enforcing data protection and human rights in decisions being made for the deployment of digital health initiatives, particularly in moments of crisis, such as we are seeing with vaccination certificates.
We welcome the procedural values provided for in the guidance including transparency, inclusiveness in decision-making, accountability and responsiveness to regularly review and revise decisions.
Throughout the pandemic we have seen governments by-pass such mechanisms, and this not only undermines democratic principles and the rule of law but also risks undermining public confidence. Laws and regulations that are expected to be established regarding the deployment of Covid-19 certificates must be subject to open, inclusive policy-making and legislative processes. Given their implications for the future they cannot be decided by the executive within the confines of emergency powers.
We also encourage the WHO to ensure that regulators take on this role to monitor the implementation of this guidance by Member States and where possible for the WHO itself to contribute to this process to ensure that the minimum safeguards, standards and principles outlined are respected by governments and visibly integrated in the design, implementation and development of vaccination certificates. As it has done for other guidance and interim recommendations, we also hope to see the WHO take measures to update the guidance as necessary as the Covid-19 pandemic continues to develop, as lessons emerge from vaccination programmes and associated documentation, and importantly from the experiences of individuals and groups in what continues to be an uncertain and turbulent situation for millions; and then the WHO must follow the implementations by Member States to ensure changes are made in accordance and in compliance with revised versions.
Preventing the predictable
As noted, the WHO guidance leaves a lot of discretion to Member States about how they want to implement these systems. We need to see governments not only reflecting lessons learned since the pandemic started but also addressing concerns civil society and other experts have been flagging for years about the potential risks associated with the use of data and technology, and in particular the digitisation of access to public services like healthcare, without the necessary due diligence, impact assessments and minimum safeguards, and open and deliberative decision-making processes.
Repeated mistakes by governments are no longer excusable. “Once is a mistake. Twice is a decision.” And the repercussion is that governments will lose public confidence and trust, and efforts will be undermined. As the guidance notes, vaccination programmes play a crucial role as part of the wider public health response at national and international levels to tackle the Covid-19 pandemic, and any signs of abuse, mistrust and poor behaviour from governments, and industry, could influence individuals’ trust in the system and even their decision to come forward to get vaccinated.
The WHO guidance highlights the potential for such fallouts including resorting to fraudulent documents, concerns about coming forward and sharing medical history, and being reluctant to get vaccinated if the certificates end up being used against them. The WHO warns that this requires governments to be transparent from the onset about data processing activities, the involvement of third parties, in particular industry and non-health related government bodies, and to be clear exactly what the vaccination certificates will be used for.
Take measures to ensure non-discrimination, equity and equality
In the DDCC:VS guidance, the WHO reaffirms its commitment to ensure equity, to never create and to prevent exacerbating existing inequities. We welcome the recognition that the deployment of (digital) vaccination certifications can lead to discrimination - unintentional and/or systemic - and safeguards must be taken to minimise this risk. The documentation alludes to some of those safeguards such as recognition of both paper and digital certificates, considering the differences in access to tech and infrastructure among and within countries/societies.
But in practice we need more than commitments from governments. We need them to demonstrate the concrete measures they are undertaking to ensure equity and prevent discrimination. Here we outline some of the measures we need to see them undertaking:
- As the guidance states, Member States should undertake an impact assessment of the ethical and privacy implications and potential risks prior to deploying the system. This is crucial in order to prevent discrimination and other potential harms by comprehensively identifying who - individuals and communities - will be impacted, both positively and negatively, and the risks associated both in terms of health inequities and other risks, e.g. digital divide. This should inform not only the policy but the design and the infrastructure of the vaccination certificates.
- Equity in the system also requires removing barriers to access, and this requires governments to ensure they do not impose arbitrary requirements for getting vaccinated. These could impose obstacles, such as requiring a form of ID which some just do not have. For instance, marginalised communities may be excluded, as would others who may fear being asked to provide identity documentation, such as migrant populations. So while we welcome that the guidance does not recommend a specific ID as prerequisite for vaccination, the wording outlining that the vaccination certificate is “associated with an identity” remains problematic because of how it can be and in some contexts has already been associated with the provision of a national ID card.
- Ensuring the same value, trust and recognition is given to paper-based and digital certificates. It seems that the WHO accepts the principle that there needs to be a range of options available. However, it maintains that a digital certificate is more reliable, secure, and trustworthy and so undermines the paper options. The WHO assertion that paper-based vaccination cards “are easily lost and prone to fraud” is an unproven assumption, and no baseline is provided to show that this is a problem that needs rectifying. The claim of ‘fraud’ also presumes that fraud is limited to scenarios where the individual is claiming falsely about the integrity of the credential, e.g. that the certificate itself is fake. While we are unclear as to how frequently this fraud occurs, it is by no means the only type of fraud that could be perpetrated within a system of vaccination. Nor is it necessarily (or likely) the largest source of fraud. The irony is that if we increase the importance of the certificate in modern life, we increase its value, and we will increase the likelihood that fraud will become systemic – for which the certificate itself will be the cause. There is also a blind faith that digital certificates would not give rise to fraud, when the reality is that considerable resources would be needed to ensure that a digital certificate is indeed secure.
- Providing an alternative mechanism, even if temporary, for (i) those who cannot be vaccinated, i.e. those with existing health conditions, (ii) those who do not have access to vaccine as a result of the inequality and barriers to access and (iii) those who decide not to be vaccinated. This could take the form of a negative Covid-19 test result, for example. Tackling this concern is particularly important for the reason highlighted in the guidance that requirements to present a vaccination certificate “may result in the stigmatization of individuals without a DDCC:VS and may exacerbate the risk of harms.”
- Ensuring the introduction of certificates does not feed and further intensify the existing hostile environment at borders. Crossing a border is already a highly arbitrarily managed process where profiling based on data, and discrimination are of significant concern. It is a moment where an individual is in one of their most vulnerable positions. It is thus essential that only the information strictly needed to process entry/exit should be processed. Ensuring that the certificate is not arbitrarily used for purposes of border control and enforcement goes back to the core principle of data minimisation and is also connected to the principle of “purpose limitation” which must be clearly defined, and the need to prevent other fundamental rights and freedoms being arbitrarily curtailed, as the guidance warns.
Preventing mission creep
The WHO guidance outlines two scenarios of use, namely i) continuity of care, and ii) proof of vaccination. But it doesn’t go much further to elaborate on the specific uses within each of these scenarios. The guidance doesn’t go beyond these scenarios, nor consider non-health related purposes, and how such uses need to be regulated. The WHO guidance does require governments to set out in law or guidelines “limits to legitimate uses” within and beyond the accepted two scenarios. Further specific circumstances will be defined elsewhere in WHO guidance including temporary recommendations to States Parties from the International Health Regulations Emergency Committees; WHO’s interim guidance documents on considerations for the implementation of public health and social measures; WHO’s interim guidance documents on considerations for a risk-based approach to international travel in the context of COVID-19; etc.
However, we are concerned that if the purposes within these two top-level scenarios are not clearly defined at the onset, it is likely to result in arbitrary applications and will constitute yet another tool for exclusion and discrimination with the inherent implications on freedom of movement and migrants’ rights, and the enjoyment of other rights and freedoms. It is unclear who has the legitimacy to define such purposes within those scenarios, especially given that the role of “verifiers” will include bodies beyond medical professionals or even government bodies, and it is unclear on what grounds those requirements will be requested.
We welcome the WHO’s inclusion of specific references to mission creep and the need to limit purpose in the sections on “Data Protection Principles for a DDCC:VS” as well as the considerations prior to deployment. This will be an area to further scrutinise when governments present their plans for vaccination certificates, especially given the long-term nature which both scenarios the WHO outlined, ‘Continuity of care’ and ‘Proof of vaccination’, may be interpreted to mean.
Failing to ensure minimum safeguards on purpose limitation will mean that there is a real danger that the “proof of vaccination” verification process will creep into every aspect of our lives with no/limited scientific basis as noted above, yet with huge risks of arbitrary unregulated uses.
We’ve seen measures deployed in the pandemic such as contact tracing apps falling into the hands of law enforcement in Singapore, and now QR codes from vaccination certificates being used by the police as part of ongoing criminal investigations in Australia.
We need to see governments take measures to demonstrate these expansive purposes will not arise again. Vaccination programmes and associated documentation are components of the continued public health response to the Covid-19 pandemic but these measures, and others, must be deliberated within the strict confines of responding to this global health crisis not to support already arbitrary and invasive surveillance laws and practices be it at the border or within borders.
Limit access to and sharing of health data
One area largely unexplored in the WHO documentation is the process of disclosure which the two scenarios, namely ‘Continuity of Care’ and ‘Proof of Vaccination’, will entail.
As the guidance notes it is essential that governments be transparent from the onset, and this is particularly important in relations to being clear about what data will be shared and/or disclosed at different stages. This case arises most clearly at the point of certificate verification, to ensure that only what is necessary and proportionate is shared with the “verifier”, i.e. that a person has been vaccinated, versus allowing them detailed insight into a person’s health status, country of origin, or some other detail.
Whilst not addressing head on the concerns about disclosures, we welcome the guidance referring to the data sharing being only permitted “if the principles underlying the lawful basis, as referred to above, are met; and the third party affords appropriate protection that is equal to or higher than those protections provided by the data controller, for the personal data.” Two other welcome additional safeguards included in the guidance states that “Personal data accessed at the point of verification of the DDCC:VS should not be retained and stored in a repository, database or otherwise.” and also the need for Member States to decide who will have the authority to verify documentation so that it is explicit which entities will have authorisation to do so.
Under data protection law, health data is awarded additional safeguards because of the risks associated with their misuse by governments and companies alike. As the WHO guidance notes “Individual vaccination status is private information, and protections need to be in place to ensure that no individual is forced to disclose or publicly display a DDCC:VS to access any public area or activity.” We struggle to imagine how to secure and protect people’s data and rights in situations where health data becomes routinely disclosed to an array of “verifiers”. In fact, the risks with disclosing such data is real but it also contributes to the normalisation of monitoring and surveillance of health data in society as well as to stigmatisation of individuals without a vaccination certificate, as the WHO correctly points out in its guidance. It also creates scenarios where third parties will be compelled to process sensitive data, even if they do not wish to and/or are ill-equipped to do so.
Although we welcome the reference to the principle of data minimisation and a clear articulation of the ‘core data elements’ (header, data elements for each vaccination event, and metadata), once again a lot of discretion is given to governments to process more data. Despite this discretion, any decisions must be in accordance with the principles of data minimisation and purpose limitation in terms of what data needs to be processed and for what legitimate purpose. If governments are to go beyond the ‘core data elements’ recommended by the WHO, then they need to justify this decision.
Whilst the guidance sets a good foundation in terms of requirements and safeguards to be established by governments prior to deploying the digital vaccination certificates, we need to see Member States limit their continuous ambitions to monitor and control. They need to rein in data sharing to what is strictly necessary and proportionate for an effective public health response, not to drive a political agenda.
Challenge need for unique identification
Despite the WHO document stating that “a DDCC:VS is a health document” and not an identity document, further requirements make it mandatory to “verify the identity of the subject” and subsequently associate the certificate with “a globally unique Health Certificate Identifier (HCID)”. Doing so transforms the vaccination certificate into a credential to authenticate identity.
The WHO fails to adequately justify the need for attaching a unique identifier to create the HCID. This requirement is also not substantiated, given that it has not been needed in current vaccination programmes being rolled out in many countries, where no ID is being requested and merely giving a name, and sometimes a date of birth, is sufficient.
Governments must ensure that they do not create barriers to accessing the vaccination programmes with arbitrary requirements such as the provision of an ID card.
Furthermore, there is a risk that governments (and industry) will use the digital vaccination certificate to justify the establishment or expansion of digital ID schemes, as they have done in the context of counter-terrorism and immigration enforcement.
Throughout the pandemic there has been a welcome public debate around identity and the requirements for such identification, authentication and verification processes. People in countries around the world were wary about giving information that would allow their governments, and others, to identify, track and surveil them, as we saw with the lack of trust in and poor uptake of digital contact tracing apps until these concerns were addressed. And now we’re seeing similar concerns with vaccination certificates, and especially verification mechanisms.
Governments must implement an effective test, track, trace, isolate regime, focusing on removing the channels of the spread of infection so that we can begin to unlock our communities again, without the devastating, lasting consequences of a digital ID scheme. Governments must find alternatives in order to deliver vaccination schemes that do not perpetuate and reinforce exclusionary and discriminatory practices and policies which are already well-documented and which in a socio-economic and political crisis have the potential to create even more lasting harm.
The infrastructure and the design
Alarmingly, the weakest part of the WHO guidance is when it gets into technical detail. We are concerned that the WHO does not seem to understand the complexity of digital identity systems. Early on, the WHO set in stone what a digital certificate infrastructure would look like in Release Candidate 1 for Smart Verification Certificates (as it was previously called), which was announced in March 2021. At the time, there was no clear statement of purpose, and certainly no indication of governance. That is not the way digital systems should be designed.
Fundamentally, the form and design of any digital (identity) system must follow purpose and then function. Such systems are complex systems that can alter the relationship between the individual, the state, and all the companies and agencies who are granted power in between and beyond. And yet, despite the vagueness of the function these certificates are meant to serve (from continuity of care to verification at domestic and international level, plus all the additional instances to be defined by countries at their discretion), the design was already defined prior to considering technical, legal and policy standards.
From the outset we have seen the debate skewed, not just in proposals from the WHO but on a global level. The digital identity component of a vaccination certificate is a means, not an end in itself. The goal of the vaccination certificate must be its role in public health and the easing of restrictions surrounding the lockdowns and curtailment of rights; its goal should not be the spread of ‘digital identity’.
This is where we need to see governments shift their approach to first being clear about the purpose, the impact and risks, and to then decide on the design.
For a document whose purpose is to be used for international verification of vaccination certification, it is surprising that the WHO guidance assumes that “member states will need to establish or utilize a domestic PKI that can be leveraged to issue and to verify DDCC:VS”. In fact, “this document assumes that a PKI has already been deployed or is available within a country”. The guidance then provides a rudimentary explanation of how a Public Health Authority would generate keys and signatures. In turn, trust in a certificate would follow from the trust created by this PKI.
The WHO guidance reads like a copied textbook on how such an infrastructure could be deployed. The reality is that getting a public health authority to deploy a PKI is a huge exercise in itself, even before a single certificate is issued. In fact, governments have struggled to deploy PKI for decades. The nearest example is the creation of e-passports, a result of the post-9/11 era, which took years to deploy, and even then governments struggled for even longer to deploy cross-country verification. Even on the internet, where certificate use is widespread, including with national-level certificates, fraud continues to be a problem, particularly when governments seek to undermine trust in the system for their own gain.
This returns us to the very question of a ‘digital’ certificate as a more trustworthy and fraud-reducing measure in contrast with paper. The WHO starts talking about PKI because only a large, and indeed global, infrastructure of trust verification could begin to provide the promised fraud-limitation benefits of the digital certificate. Anything short of that is just costly theatre that slows down the deployment of a vaccine certificate and, more disastrously, could slow down vaccination programmes. And yet pausing vaccine deployment to develop and deploy a global interoperable PKI, which is a logistically challenging task and requires secure maintenance and auditing, is counter-productive.
Reining in involvement of industry
The guidance remains completely silent on this matter, and yet we need to question the interest of the digital identity industry and of companies whose business models depend on data exploitation. They have the tools and resources, with many having built their business models on the basis of data exploitation and surveillance. Whatever contribution they can make, and will be invited to make, to the design and development of Covid-19 certificates, their involvement must be regulated effectively, and they must be firewalled from their commercial interests, now and in the future.
It is an unequal playing field, with some Member States not being able to make the best choices, invest in necessary safeguards, or build their own systems. There are huge risks and hazards with public-private partnerships, and these are heightened when such agreements are made hastily, without the necessary regulatory infrastructure in mind. Partnerships can also lead to issues of dependency, or “vendor lock-in”, if the provider is sole controller of the infrastructure, with such risks even more likely to occur in countries with limited resources to build or even manage and maintain their own infrastructure. These companies also build greater dependencies by expanding technical capabilities and exploiting data further, thereby again risking making a vaccination certificate system an enabler of a much more problematic world.
Some proponents of digital ID and those with private interests, i.e. the digital ID industry, will take advantage of this to step in and sell their one-size-fits-all solutions to governments who rely on third parties, as well as to push for a broader adoption of digital ID for the provision of health services. Without appropriate safeguards this has implications far beyond the sphere of vaccination by letting private actors into decision-making processes in the health sector.
Industry saw the Covid-19 pandemic as yet another business opportunity, and with some solutions, like digital vaccination certificates, being set up as long-term systems, it is essential that the role of industry be carefully scrutinised. The risks of letting industry shape the health sector are already visible, and they cannot be permitted such power in what is a very sensitive and intimate element of people’s lives.
What’s next: implementation and enforcement
The DDCC:VS guidance published by the WHO outlines many of the risks associated with the deployment of the digital vaccination certificates. It also outlines many of the necessary safeguards and protections in order to implement digital vaccination certificates. It is essential that these should be seen by governments as the starting point, the bare minimum, and we need to see them race to the top when it comes to getting things right rather than finding the loopholes and abusing the discretion the guidance provides for.
International, national and regional bodies offer some mechanisms by which to hold governments accountable if they do not abide by their existing legal and regulatory obligations. We expect regulators and international bodies like the WHO to perform their function here. Otherwise, we will be there to hold them all to account and demand that they change their policies and practices, just as we’ve been doing for over 30 years.
Disappointingly, as with our work on countering the excesses of intelligence agencies, in the past it has taken years to get judicial and oversight bodies to act, by which point governments could have built a world with thicker digital walls and new identity systems focused on excluding and targeting people – all while potentially delaying the exit from the pandemic.
This is why it is absolutely essential that the WHO, other bodies with a public health mandate and other regulators take measures to assess the implementation of this guidance by Member States, and to ensure that this guidance and others they might develop are regularly reviewed and updated to reflect the evolution of the Covid-19 pandemic, lessons learnt from vaccination programmes and associated documentation, and, importantly, the experiences of individuals and groups in what continues to be an uncertain and turbulent situation for billions of people across the world.