Since the start of the COVID-19 pandemic, governments around the world have embraced smartphone technology as a key tool to manage the health crisis. In many Asia-Pacific countries, contact tracing apps (which come with their own privacy, security, and efficacy concerns) are now doubling as vaccine passports, used by governments to enforce various restrictions on travel and entry to a wide variety of venues and establishments. In doing so, vast amounts of personally identifiable information and medical data are being collected.
The widespread waning of vaccine protection against infection and transmission requires a debate on whether vaccine passports are effective as a pandemic management tool – or merely a form of theatre that opens up a host of privacy, and security issues.
Proponents suggest that regardless of ineffectiveness in limiting transmission, mandating vaccine passports drives up vaccination rates and can curb the impact of the virus. But sceptics point out that such measures pose risks to individuals’ digital security and are secondary to the primary purpose of reducing transmission. They also present a host of scientific, ethical, legal, and technological issues that may only exacerbate discriminatory practices or create new problems and inequalities.
Vaccine passports seen as ticket back to normal – but no clear proof of effectiveness
In the Philippines, Singapore, and Malaysia, proof of vaccination is required to dine at restaurants, enter malls, or visit hair salons. In Brunei, proof of double-dose vaccination is required to enter places of worship. Some Australian state governments have laid out specific activities – from attending social gatherings to entering entertainment venues – that vaccinated people can enjoy. Similar state-sanctioned privileges are also being considered in Indonesia and Hong Kong.
In light of Omicron, many countries have now further tightened restrictions for unvaccinated individuals and increased surveillance of the vaccinated as they go about their daily lives. In the Philippines, some local governments have taken measures – including arrest threats – to restrict the movement of the unvaccinated, with exemptions granted to those who can present health passes or certifications justifying essential travel.
Having electronic certificates easily verifiable using QR codes means a vaccine passport system can be implemented and scaled up rapidly at a very minimal cost. Most in-app COVID-19 vaccine certification systems work by storing the user’s records of vaccination in tokenised or hashed QR codes. In most cases, these QR codes are accessible through contact tracing apps like in Brunei’s BruHealth, Indonesia’s PeduliLindungi, and Malaysia’s MySejahtera. The vaccination records contain not only inoculation details but also personally identifiable information, sometimes beyond what would be necessary for verification. In India and Brunei, these documents also link to health records.
|Country||Required to enter premises or venues domestically?||Digital certificate request method||Private personal information on certificate other than inoculation details||Accepted non-digital forms|
|Australia||Yes, rules vary by state/territory||State contact tracing apps, My Health Record on Healthi or HealthNow apps, vaccination provider||Name, date of birth, sex, passport number||Print out of digital certificate, paper certificate, vaccination registry record|
|Brunei||Yes||BruHealth app||Health record number, name, identity card number, passport number, age, gender, date of birth, phone number||Paper certificate|
|Hong Kong||No, but being considered||LeaveHomeSafe app, iAM Smart app, eHealth app, vaccination centre||Name, date of birth, sex||Paper certificate|
|India||No||Crown app||Name, age, gender, identity card number, health record number||Print out of digital certificate|
|Indonesia||Yes, but only at certain types of premises or events in select localities||PeduliLindungi app or website, SMS, WhatsApp||Name, identity card number, date of birth||Print out of digital certificate|
|Malaysia||Yes||MySejahtera app||Name, nationality, identity card number (also contains place of birth and sex markers), passport number, date of birth||Print out of digital certificate|
|New Zealand||Yes||My Covid Record website, phone, vaccination site||Name, date of birth||Paper certificate, print out of digital certificate|
|Philippines||Yes||VaxCertPH website||Name, date of birth, sex||Print out of digital certificate|
|Singapore||Yes||HealthHub app, TraceTogether app||Name, identity card or passport number, date of birth||Print out of digital certificate|
A snapshot of vaccine passport schemes in select countries as of January 2022
Digital security: Vast amounts of data at risk of misuse
Digital proof of vaccination is essentially another form of identity credential. A vaccine passport scheme that requires individuals to check in at different points may easily be abused for surveillance by a variety of actors, whether authorised or not to access the data.
For the vaccine passport system to work, the validity of the certificate has to be easily verifiable – thanks to the QR code – against a central database or register. An individual entry in the database is created when people link their vaccination data to an app on their smartphone. However, having a central database that stores and transfers personal data is a privacy and digital security risk especially without proper and sufficient safeguards like robust encryption and stringent access controls.
In Indonesia, the leak of Indonesian President Joko Widodo’s vaccine certificate prompted concerns about the security of medical data. In the Philippines, some users have spotted errors in their vaccine certificates, suggesting problems in the digital encoding and storing process.
These cases highlight technical weaknesses and flaws of many vaccine passport regimes that are dependent on a central database. There are alternatives to the centralised model, such as a distributed digital vaccine verification system using blockchain technology.
Transparency and accountability is also another issue. Who is accountable in the event of a data leak in the vaccine passport system? This lack of transparency in how data is used after collection should raise serious concerns, such as in countries like Brunei and Indonesia that still do not have comprehensive personal data protection legal frameworks.
Digital rights and ethical due diligence
Opposition to vaccine passports should not be construed as vaccine scepticism, but a call to take into account the privacy and security risks that they pose. Authorities must adopt solutions that work effectively to safeguard public health while upholding our rights. Governments and tech companies involved in the digital management of the pandemic need to be held accountable to protect against overreach.
For vaccine passports, in particular, we should do our due diligence and ask the following:
- What is the exact purpose of a vaccine passport? Is it effective as a technology-based mechanism for the large-scale reduction of COVID-19 transmissions and infections?
- Does the vaccine passport system protect personal data and privacy? What personally identifiable data is shared, and with whom? Are there sufficient laws and technologies to protect personal data from being leaked?
- Is the vaccine passport scheme accessible for people with disabilities such as those who have visual impairment, diminished intellectual capacity, or limited cognitive skills? For marginalised communities like undocumented migrants and stateless persons, will the vaccine passport scheme further exclude them from access to essential services?
Proposals for any form of mandate aimed at curbing the pandemic must be closely scrutinised instead of hastily implemented, to ensure the proposed technology is fit for purpose, and digital rights and human rights are upheld.
Khairil Zhafri is EngageMedia’s Digital Rights and Technology Manager. EngageMedia Editorial Coordinator Katerina Francisco also contributed to this article. Learn more about them via our team page.