Online Vaccine Passports Are Just As Hackable and Dangerous To Your Privacy As Paper Documents

No one’s talking about the immediate cybersecurity threat that they pose to all — as well as ordinary citizens

Online vaccine passports may well be the most pertinent human rights crisis of our era — and humans might be losing the fight.

TL;DR: a database of health information isn’t usually a simple solution either. Storing data online does not guarantee data safety, integrity, or security. In the same vein, that also means citizen data, safety, integrity and security are at risk.

So much so that in the UK, senior politicians and NGOs from across the whole political spectrum are coming together to say no to digital passport / vaccine identity data (VID).

The vaccine passport debate rages on. After nearly two years (we’re in 2021 as of this article) in which the world’s been turned upside down — the world at large, or at least countries like the UK — the ability to roam in public freely, openly, and without access restrictions or access-based surveillance currently hinges on the introduction of vaccine passports.

However, vital questions about data safety, security and dependable safeguards against exploitation, exclusion and freedom of movement are not being answered.

As far back as last year, major human rights NGOs such as Privacy International have been calling for greater equality, transparency and justification for the digital IDs by way of immunity passports:

Quite worryingly, Privacy International have also highlighted the sheer lack of scientific basis for immunity passports:

Yet there is currently no scientific basis for these measures, as highlighted by the WHO. The nature of what information would be held on an immunity passport is currently unknown.

And, as if working to plan, the discourse has now moved away from trying to “prove immunity” to introducing vaccine passports — but such discourse is fraught with the same issues: the use of digital identities is not safety-guaranteed, they’re not hack-free, and they have not been even partially or transnationally assessed for their impact on basic human rights.

The UN gave it a good shot with their assessment:

“Diseases are stigmatising, and we’ve seen cases around the globe of hate-crime related to Covid-19. As the United Nations Special Rapporteur on contemporary forms of racism, racial discrimination, xenophobia and related intolerance said, ‘Political responses to the COVID-19 outbreak that stigmatise, exclude, and make certain populations more vulnerable to violence are inexcusable, unconscionable, and inconsistent with States’ international human rights law obligations.’”

Privacy International & UN Special Rapporteur

But it does not look like it made a difference to policy creation thus far.

The danger of vaccine passports to basic human freedoms?

The biggest problem now is government overreach; specifically, that the promise of rights and freedoms — that humans are already granted, enjoy inherently and are citizens of — could be permanently taken away if the ruling of vaccine passports is not adopted or adhered to. Or, as is the view from some corners of the ring: they’re gone if the public do not fight back and demand the return of their freedoms.

The ability to venture to open, IRL shared spaces has been severely limited. So much so that the impact of rolling lockdowns is understood to be leading to a global mental health crisis (which surely points out how much we must now know we have the ability to do what we like with good intentions, and need to socialise with each other as humans) — that is affecting those who already live with mental health conditions, and young people, the most.

Sure: scientists might be tracking it, but there’s little thought going into what might repair it.

It is clear that human wellbeing is being negatively impacted by infection safety (I refrain from saying ‘health’ when mental health and physical health are not being made the priority in the current scenario — with Ireland’s looming post-Covid health crisis being just one global example).

And what is increasingly clear, is that vaccine passports are being rushed in prior to any proper accessibility, safety or cybersecurity analysis of the populace’s status at large.

So Why Are Online Vaccine Passports Just As Hackable and Dangerous To Your Privacy As Paper Documents?

The reasons are numerous.

Andrew Bud, founder of the biometrics company iProov, has quietly but openly said that paper/card vaccine passport forgery is a significant risk, but fails to go on to explain why online credentials are also risky.

Speaking to the BBC this morning, he said: “Forgeries I think is a real risk.” If they were allowed to exist, he says, “I think it would fatally undermine public confidence in the scheme”.

Disclosure: iProov is involved in the UK’s Covid certificate / vaccine passport trials.

Bud went on to say that vaccine passports also have to be “inclusive, convenient, secure, and respects people’s privacy, or [it] just won’t sustain public confidence” — which is great as lip service in theory, but in practice we are likely to witness a large number of UK GDPR breaches within even the first few hours of any vaccine passport going live.

Vaccine passports may totally fail GDPR tests

Seriously? Yes. The convenience of public health information sharing among non-healthcare professionals appears to immediately fail the test of being in the data subject’s (your) interest, even with emergency draconian powers: consent has been neither fully informed (i.e. about data risks) nor given.

How does this breach further expand into data rights? Specifically, there is more benefit to a data subject (or, person) achieving the same level of access and freedoms by not having exorbitant levels of data storage, transfer or sharing imposed upon them.

The same reasoning and process would likely go for the original European GDPR regulation.

“That’s why we think that the master credential itself must be stored online,” says Bud. “The paper credential actually would be little more than just a serial number. In our model, people could actually just turn up and give the venue their number, then the venue would check the person against the photograph.”

Simply put: no. It isn’t that simple: biometrics like these are not the safe solution when it comes to ID. For one, a basic database of photographs is extremely hackable; and more pertinently — so is a photograph.

Let’s find out why biometrics are not a failsafe.

Biometric data is surprisingly forgeable

Why do fake passports still exist — successfully? Because biometric data is surprisingly forgeable. Fingerprint data is simply a collection of data points, not a copy of the actual print itself (and fingerprints can change over time anyway, due to ageing and other environmental factors). And as for photos — they have long been fakeable. Most recently, AI has become highly capable of producing extremely convincing, cheap-to-produce visuals: human-like avatars that pass time and again for real human faces.

Biometrics are not the safe solution when it comes to ID

Guess what — biometrics are well marketed, but they don’t always live up to the hype. They aren’t massively innovative or inherently secure — in fact, biometric information systems have two points of instant failure: the database, and (perhaps shockingly) data accuracy.

Biometric databases are singularly vulnerable

It’s 2021 and there’s still no fix for a database breach. A compromise of a database, as we all know, results in the loss of thousands, if not millions, of points of private data, as well as any programmable interfaces which may be feeding it data, either in real-time or on request.

Because biometric information can’t be changed by an individual — any loss, unauthorised transfer or database compromise means that this highly personal, mostly unchangeable data input can be under almost anyone’s control.

Biometric data is not detailed enough and cannot account for biological change

Even if a fingerprint reader recorded all possible details, it’s still true that tomorrow your stored fingerprint would not match your fingerprint today. Biometric data does not account for natural biological changes and therefore also puts any data processing and approvals — never mind the data itself — at the risk of major or fatal error, which could even result in consequences as extreme as false imprisonment or even capital punishment.

The same biological changes go for your iris, retina and face. Most recently, this has been trolled by facial recognition sentiment analysis scientists proving how easy it is to game the system.

To account for biological changes, biometric readers and verifiers — even multimodal ones — have to loosen their parameters of accuracy.

According to CSO Online:

“In fact, this de-tuning is usually so thoroughly implemented that the purported uniqueness of the real biometric factor ends up getting far more matches with other unrelated stored values.”

— CSO Online

In other words: the margin of error for biometric vaccine passport systems is large, and the risk of false positive results is also large.
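The trade-off described above can be made concrete with a toy simulation, added here as an illustration and not taken from the article, CSO Online or any vendor. It assumes constructed 64-bit random templates, a 25% bit drift between two captures of the same person, and hypothetical function names; it measures how often the real holder is rejected (FRR) and how often an unrelated stored record is accepted (FAR) as the match threshold is loosened, and how that scales to a database search.

```python
import random

BITS = 64      # template length (assumption: toy model, not a real biometric format)
DRIFT = 0.25   # assumed share of bits that differ between two captures of one person
PEOPLE = 200   # constructed population size

def capture(template, rng, drift=DRIFT):
    """Simulate a later capture: each bit flips with probability `drift`."""
    return [b ^ (rng.random() < drift) for b in template]

def distance(a, b):
    """Normalised Hamming distance between two templates (0.0 = identical)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def error_rates(thresholds, seed=2021):
    """Return (threshold, FRR, FAR) rows for one constructed population."""
    rng = random.Random(seed)
    enrolled = [[rng.getrandbits(1) for _ in range(BITS)] for _ in range(PEOPLE)]
    probes = [capture(t, rng) for t in enrolled]
    genuine = [distance(p, t) for p, t in zip(probes, enrolled)]
    impostor = [distance(probes[i], enrolled[j])
                for i in range(PEOPLE) for j in range(PEOPLE) if i != j]
    rows = []
    for t in thresholds:
        frr = sum(d > t for d in genuine) / len(genuine)     # real holder rejected
        far = sum(d <= t for d in impostor) / len(impostor)  # stranger accepted
        rows.append((t, frr, far))
    return rows

def false_hit_probability(far, database_size):
    """Chance one probe matches at least one unrelated record in a 1:N search."""
    return 1 - (1 - far) ** database_size

if __name__ == "__main__":
    for t, frr, far in error_rates([0.20, 0.30, 0.40, 0.45]):
        hit = false_hit_probability(far, 1_000_000)
        print(f"threshold={t:.2f}  FRR={frr:.3f}  FAR={far:.4f}  "
              f"P(false hit in 1M records)={hit:.3f}")
```

Loosening the threshold enough to stop rejecting the genuine holder is exactly what pushes the false accept rate up, and even a small per-comparison FAR becomes a near-certain false hit once the search runs across a large stored population.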

Biometric databases are tasty incentives in and of themselves for hackers

Sadly, the higher the rewards (biometric data en masse that can become either a resource for financial hostage, physical extortion or even a spoil of war in the “grey zone” of modern international cyberwarfare), the more likely these sorts of databases become a delicious target for a huge range of extremely clever and capable online bodies, be they organised crime orgs or state-based actors.

Now, combine all this with the pleas from intelligence services to add backdoors into messaging apps that are marketed to the public as being encrypted — and you have a full recipe for bringing about a data breach disaster: total identity theft and practically traceless financial fraud, imposed on millions of people.

Blockchain biometrics are also hackable and not perfect

Even for blockchain ID applications, and for all of blockchain’s benefits, a simple dodgy QR code can screw the system (the hacks on blockchain usually take the form of code injections).

This is why vaccine passports and a huge database (either centralised or on a blockchain) that necessitates easy, and largely unverified personal data access and transfer, can be incredibly dangerous.

Based on all of the above, it does seem that until the real hard work is done in understanding the relevance, impact, true long-term usefulness / practicality and the data integrity and security of vaccine passports — there is little reason to celebrate going ahead with them.

Linguistics, health, computing, philosophy, XR, marketing, privacy, narrative, media, ecology. Views ≠ those of employers or clients.
