Root Causes 92: COVID-19 Immunity Passports
As we plan our societal return to normalcy, a number of people and groups are discussing the concept of an electronic "immunity passport" that individuals can possess if they are known to be immune to COVID-19 (possibly through vaccination or prior infection). Today our hosts discuss the requirements for such an immunity passport, some of the opportunities and challenges in putting this kind of system in place, and how existing schemes and systems may fit into an immunity passport initiative.
- Original Broadcast Date: May 18, 2020
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So, we are going to talk today about COVID-19 immunity certificates. So, this has been a big topic. A lot of people have talked about it in a lot of forums and the basic idea at a high level is assuming there is such a thing as immunity that once you’ve had the disease or been vaccinated for the disease if you are truly immune, we could somehow certify that, give somebody an immunity passport, if you will, and then they would be able to do certain things. I don’t know – work in an office, go to the movies, eat in a restaurant, that you can’t do if you don’t yet have immunity.
-
Jason Soroko
That’s right, Tim. There’s been several initiatives. There’s certainly been a lot of talk about it and what interests me is there’s been a lot of form factors proposed for this as well – some of which of those form factors we’ve talked about on this podcast several times such as blockchain, etc. So, it’s an interesting subject for us to cover today.
-
Tim Callan
Yeah. And, so, you know, you gotta imagine, you know, I’ve gotta imagine that we are gonna hold the bar higher than I walk into my employer and hand them a piece of paper that looks like my vaccination record. Right? I think that is considered adequate when I’m taking my dog to the vet, and they want to know my dog is vaccinated for rabies but I think we are probably gonna go a little higher on this one. Right? So, if that’s the case, then we need something that is robust, unspoofable, and you know, ultimately tracks back to some type of authority so we can say that this really is legitimate and real. Right?
-
Jason Soroko
That’s right, Tim, and I think the other property to it, not just the provenance of where you got this authorization from but it’s also the ease of provisioning. In other words, it cannot be incredibly difficult to get people provisioned onto this system otherwise it all kind of falls apart.
-
Tim Callan
Well, and it’s gonna be the biggest volume certificate base in history. Right? Like, if in principle, every human needs to be able to have a certificate, we are now talking about what is it? 8.5-billion certs? I mean that’s gotta be the biggest ecosystem there is.
-
Jason Soroko
Yeah. It probably is. Outside of IoT systems and perhaps DevOps and other things like that. And, of course, when we are using the word certificate in this case, we sometimes might switch between something that contains a private key in terms of PKI, but we also may just literally mean some form factor that’s been certified by some authority.
-
Tim Callan
And that’s a good point. This is where in this general dialogue that everyone is having in the world, there is a real chance for looseness of communication to lead to misunderstanding because, you know, we use certificate, and it means two very different things. One of them means certification and the other one means a very specific digital mechanism to ensure the identity of something and they are not in any way the same thing even though they have the same name.
-
Jason Soroko
That’s exactly right, Tim. Because, you know, that document that you were talking about that you might bring to a vet, that document - - I remember when you and I were first talking about this, you brought up a real nice easy form factor which would be how about a PDF document that’s been signed. Digitally signed.
-
Tim Callan
Sure. Yeah. And that has a lot of advantages. Like we all have the software; we all know how to use it; it’s had the bugs and the bones shaken out over the last three decades. There’s a lot of good to that approach.
-
Jason Soroko
Exactly. And it fits, you know, it ticks all the boxes that you said earlier, which is it’s authoritative and it’s authoritative to the point where it’s used in legal proceedings in some jurisdictions and, as well, it’s easy to provision. You know, your hospital, doctor, health authority or whatever it is can produce one of those documents for you easily.
-
Tim Callan
Sure. Your average hospital employee who does not have a computer science degree can sit down at a standard system that they have provisioned all over the building and follow a simple procedure they can be trained on that will be secure and reliable and can produce one of these. Absolutely correct.
-
Jason Soroko
Yeah, that’s right and if it’s PKI-based, the beauty of it is a CA can do the job of doing the identity vetting of the hospital or the doctor, etc. So, the anchoring of the trust chain kind of flows in both directions.
-
Tim Callan
Yeah. And there’s even work that, at least similar work that’s already been done for this. Right? There are standards and protocols for the sharing of confidential patient information between medical practitioners and that electronic transfer requires certificates and so it may be that some of that backend work is reusable and already done.
-
Jason Soroko
I wouldn’t doubt that in many jurisdictions. I know in Canada there’s a big infrastructure for that. In the United States, there is as well. I think at the very least at the state level. So, it really depends on where is this document going to be recognized as being valid. See, that’s the difference between an ICAO-certified passport, which can take you to any international border in the world and be recognized compared to something that says, well, I can go to an employer or a restaurant, whatever it happens to be used at, within my state but it might not be recognized elsewhere. It could be interesting.
-
Tim Callan
That might be fine. That might be not even so much an 80/20 rule as a 99/10 rule, right, which is to say most of the time what do I need this for? I need this to be able to prove that I’m allowed to work in the state that I live in and prove that I can do some other things in the state that I live in and maybe send my children to school in the state that I live in. Like it seems that your local jurisdiction, your state or your country should cover almost all of the use, like international travel, ok, and maybe a few other kinds of off situations and if I’m traveling overseas and I have to go to the hospital. So, there might be some weird circumstances but most of what we need I would think would be covered just fine so long as our system at the local level worked.
-
Jason Soroko
Yeah. It probably is sufficient for that. It might be enough to get you onto a United Airlines flight and then get you into an employer in the next state that you land in. It really depends on the trust model use case which is something we do often in PKI with our customers.
-
Tim Callan
And that’s a real good point you’re heading in which is it’s one thing and I know there are these consortia and these people are standing up webpages and writing articles and all that stuff that’s going but, boy, this is about as complex as it gets in terms of building a real total 360-degree ecosystem including rules and audits and governance and potentially legislation and so, you know, it’s a lot more than just saying I’ve got a technology foundation and I’m gonna do this with X.509 certificates and it’s gonna be shaped this way and they are gonna expire at this amount of time and they are gonna contain these fields. Right? That’s important and that’s gotta be done right but, gosh, what about the rules about who issues them and how they issue them and how are those systems secured. You know, if I can trick the, you know, walk up to the nurse’s station - - the last time - - we had a child last year and, you know, walking around the maternity ward most of those monitors had nobody sitting at them most of the time and I could have sat down at any one of those at any time and if that is sufficient for me to issue myself an immunity certificate, then the whole model breaks down in terms of trustworthiness.
-
Jason Soroko
Yeah. I can tell you right there that’s breaking a HIPAA rule. I am not a HIPAA master, but I know that that breaks the rule.
-
Tim Callan
Right. So, right there, like there’s gotta be a lot of thought put into the whole system, the whole process more than just to say this is the electronic signature and how do I know that that’s robust?
-
Jason Soroko
Correct. So, the COVID credential initiative, which is just one of several initiatives that are out there which was an initiative put out by some of the folks that are experts in sovereign identities. So, in other words, they are using the underlying blockchain technology to be able to enable users, people like you and I, to walk around with a smartphone app and collect attributes ourselves that have been assigned to us by authorities such as a hospital, a doctor, etc.
-
Tim Callan
Ok.
-
Jason Soroko
And what they’ve been busy doing is trying to define a lot of these rules, Tim. So, in other words, you know, is just one authoritative signature enough? Do you have to have more than that? And here is a real tricky one, Tim. Can you self-identify? And, in fact, I know that in Europe there are equivalent laws around the ability to self-identify certain attributes of yourself that are recognized as being authoritative to a point. And then the other complications that I see trying to be solved are what happens if down the road you test positive again - because we cannot assume that immunity will last forever or perhaps there was a problem with the first test. So, you know, there’s no black and white. There is almost no binary decision at any point in this to be able to say yes or no. Every step of this needs to have mechanisms to be able to reverse itself and then reassert itself. So, the ability to collect these attributes of yourself from an authoritative body and then assert yourself with those attributes in an anonymous way – that’s complicated, Tim.
-
Tim Callan
Yeah. Yeah. And then there are privacy concerns. Right? And then there are constitutionality concerns.
-
Jason Soroko
In some jurisdictions such as the United States.
-
Tim Callan
The United States is a perfect example. Absolutely. You know, if I have a - - if there is an immunity credential that is required to do certain things, let’s say go to a political rally, now is my right to assemble being stepped on by the government? Because, if so, the United States Constitution doesn’t allow that. The Bill of Rights doesn’t allow that. So, then we get into all that stuff.
-
Jason Soroko
It’s amazing, Tim. It’s amazing. And all of this – everything you’ve just said is - - everybody is trying to do this at warp speed that it’s never been done at before.
-
Tim Callan
Right. And people die every day. I mean it’s absolutely – it’s crazy.
-
Jason Soroko
Oh and, Tim, don’t forget. We could have perhaps ten more podcasts just on the topic of contact tracing. We are not even talking about contact tracing. We are just talking about immunity passports.
-
Tim Callan
Yeah. Contact tracing. Use my phone, the Bluetooth on my phone, sniff everybody that gets within Bluetooth range and now if one of those people turns out to be diagnosed, I have the list of everybody else who has been within Bluetooth range, and I can tell them. Ok. And maybe get them to go in and take a test. At that level, it sounds genius, right? It sounds brilliant. It sounds wonderful. But once again, you get into the constitutionality of it and the abuse. Ok, well, I’ll tell you what. You don’t have COVID-19 but it turns out you are a suspected terrorist, so I’m gonna use the same mechanism to learn everybody better in Bluetooth range and I’m gonna check them out to see if they are terrorists. Right? So, and now you start going down that rabbit hole and it’s back to conversations you and I have had before about am I gonna allow every single individual in the government to decide what’s a violation of privacy and what isn’t.
-
Jason Soroko
Well, Tim, it’s interesting, isn’t it? In the United States, if you were to log into your Facebook and all of a sudden Facebook had logged into the API of your doctor’s office and your current status on Facebook was “infected with COVID-19”, you’d probably have a flip-out. If you were in Singapore and some app that you use with your government because of citizen IDs is being used and you were being uniquely identified as being an infected COVID-19 patient to everyone around you, you might not even be surprised that that’s happening because of the jurisdiction. So, those are the two extremes. I just wanted to say within this podcast by this point, I have noted that the country of Chile has already declared that they have something that they are going to put in place. I have not heard the form factor that they are going to use yet but Chile is already down that road and what I can also tell you is that certain countries within Europe and normally the EU does this in unison, but I think there’s been some bad blood. I’m completely speculating now. Certain countries within Europe, i.e., Italy, who feels that they’ve been slated by the rest of Europe because of the lack of support with this pandemic, it looks like they are going off on their own initiatives for this kind of a passport. So, I have no idea if that’s even completely true or what will come of it but these are things that you are reading right now on the internet.
-
Tim Callan
You could also imagine if you are a country like Italy like you feel like the need is greater. The need for speed is greater. Perhaps you are willing to make other compromises more aggressively than somebody else with a much more nonchalant posture about the whole thing like let’s say Sweden who hasn’t even really bothered to put social distancing requirements in place. And so, you could imagine that the Swedish government might say, oh, I’m not willing to make these following compromises and sacrifices. You can imagine Italy saying, well, I sure as heck am willing to and that could enter it as well.
-
Jason Soroko
Let’s play dystopian world for a moment, Tim. Sweden – I’m not saying this is Sweden of the reality today. I’m just saying this is dystopian Sweden. If you were an epidemiologist in Sweden and your goal was herd immunity, which was to get 60% of the population infected at a certain rate. In other words, flatten the curve enough so that the population being infected was at the exact - -
-
Tim Callan
Somebody always has a hospital bed.
-
Jason Soroko
Exactly. You know, the number of ventilators and medicines and everything that needs to be in place with their infrastructure, imagine if there was an app that did the opposite which was, hey, meet up with Joe down the street. He is infected and they could literally time the rate of herd infection. I mean that’s dystopian talk but there it is.
-
Tim Callan
Well, so, this is like not in our generation but my parents’ generation. You know. Before they had – maybe even their parents’ generation now that I think about it. Before they really had reliable vaccines for things like chicken pox. They would have these chicken pox parties.
-
Jason Soroko
Yep.
-
Tim Callan
If you got chicken pox, they’d invite all your friends over for a sleepover and try to give everybody chicken pox so that they didn’t have to think about it anymore. You know. You are getting into that kind of scenario now. Yeah. So, final question from me, which is we kind of threw out - - two things got mentioned sort of in passing which is that assuming that this is something more robust than let’s say a piece of paper. We threw out a digital certificate approach – whether that was with a PDF file or something else. We threw out a blockchain approach. Are there any other candidates or are you confident it would wind up being one of those two?
-
Jason Soroko
That’s a good question, Tim. I think in jurisdictions where there are citizen IDs, I think this could literally be a, you know, I’m oversimplifying it but a flip of a switch.
-
Tim Callan
Another field, right? Add a field to the citizen ID?
-
Jason Soroko
Exactly.
-
Tim Callan
Sure.
-
Jason Soroko
And in countries and by countries, I mean one country, Estonia, their healthcare system is already very much on blockchain so, again, it could just be a field for them within their healthcare system.
-
Tim Callan
And that brings up the point is let’s say that nations who otherwise didn’t feel the need or didn’t get organized to put in this kind of system, if they feel they must do it for the sake of COVID-19, once it’s in place you can imagine someone saying, ok, I’m gonna add a field and I’m going to add more information to this citizen ID or this passport and I’m going to start using that for other things, too, that have nothing to do with this pandemic or even with health.
-
Jason Soroko
Yeah, Tim. And, you know, talking about other form factors, you know, just going back into my rolodex of PKI form factors, something like a smart card. It could be very light. It could perhaps contain the same kind of chip that a credit card has and in certain jurisdictions where you are not 300-million people like the United States, you know, in Denmark if you are only X-million it wouldn’t be as difficult to just hand out to people who have this, you know, a form factor like a smart card. The equivalent of a credit card or even lighter.
-
Tim Callan
Right. And if you have this, if you are going to have a government issued ID, if you are gonna have a passport or a driver’s license, those are all going in that direction anyway.
-
Jason Soroko
Exactly.
-
Tim Callan
So, maybe they are all combined. Maybe my driver’s license contains my COVID-19 immunity passport using whatever the underlying mechanism is built into it.
-
Jason Soroko
Yeah. There are a lot of jurisdictions around the world where citizen IDs are really - - they are either legally not an option or they are just extremely frowned upon because of the way the population is and the traditions.
-
Tim Callan
Oh yeah.
-
Jason Soroko
And I know, you know, I live in Canada. I have my driver’s license. I have my health card. I have my passport and none of these things are linked necessarily. There’s no citizen ID per se, but I have government-issued identifications. They’re just not necessarily 100% linked into one thing. However, I guess, Tim, my final thought on this is these aren’t normal times and so, therefore, you know, some things may be forced upon people because of changes in laws that are deemed necessary because of public safety or national security. Who knows what governments will come up with to force citizen IDs down people’s throats? Who knows?
-
Tim Callan
Yeah. Who knows? Yeah. Lots to be done here and all of this assuming that there even is such a thing as reliable testing or reliable immunity, which aren’t even - - those aren’t known factors but if we just kind of take those as a given even then the complexity and difficulty and consequences and, you know, unintended consequences of this thing are just vast and mind blowing and every time I read about it or talk to somebody about it or even think about it, I think about a new one. So, it’s just, it’s just huge. So, it will be interesting to see if this goes anywhere. I am certain this story is not over and I’m certain this story is not over for us. But, right now, it’s so early, it’s so speculative then as things start to develop, I think we are gonna want to return to this and keep an eye on it.
-
Jason Soroko
I think so, Tim. And I think in certain jurisdictions, it will happen sooner than later, and we will be keeping an eye on it.
-
Tim Callan
I think so. So, probably a good place to leave it today, Jay. Very illuminating conversation.
-
Jason Soroko
As always.
-
Tim Callan
As always. And thank you, Listeners. This has been Root Causes.