Immunity Passports Are a Threat to Our Privacy and Information Security

by

With states beginning to ease shelter-in-place restrictions, the conversation on COVID-19 has turned to questions of when and how we can return to work, take kids to school, or plan air travel.

Several countries and U.S. states, including the UK, Italy, Chile, Germany, and California, have expressed interest in so-called “immunity passports”—a system of requiring people to present supposed proof of immunity to COVID-19 in order to access public spaces, work sites, airports, schools, or other venues. In many proposed schemes, this proof would be stored in a digital token on a phone. Immunity passports would threaten our privacy and information security, and would be a significant step toward a system of national digital identification that can be used to collect and store our personal information and track our location.

Immunity passports are purportedly intended to help combat the spread of COVID-19. But there is little evidence that they would actually accomplish that.

On a practical level, there is currently no test for COVID-19 immunity; what we have are antibody tests. But we don’t know whether people with antibodies have immunity. Meanwhile, there has been a flood of flawed tests and fraudulent marketing schemes about antibody tests. Even when validated tests are widely available, they may not be 100 percent accurate. The system should be a non-starter unless it can guarantee due process for those who want to challenge their test results. This has often been a problem before; as we saw with the “no-fly” lists created after 9/11, it is very difficult to get off the list, even for those whose inclusion was a mistake.

The problem with immunity passports isn’t just medical—it’s ethical. Access to both COVID-19 testing and antibody testing is spotty. Reports abound of people who fear they have been infected desperately trying to get tested to no avail. Analysis has shown that African Americans are far less likely than white, Hispanic, or Asian patients to be tested before they end up in the emergency room. Mobile testing sites administered by Verily (a subsidiary of Google’s parent Alphabet) require people to have a smartphone and a Google account. Residents in San Francisco’s Tenderloin district, one of the city’s poorest neighborhoods, were turned away from testing sites because they didn’t have cell phones.

Requiring smartphone-based immunity verification to access public spaces like offices and schools would exacerbate existing inequities and reinforce a two-tiered system of the privileged, who can move about freely in society, and the vulnerable, who can’t work, shop, or attend school because they don’t have a cell phone or access to testing. We’ve been here before. When yellow fever struck the South in the 1850s, those thought to be “unacclimated” to the disease were unemployable. This burdened Black and lower-income people more than privileged members of society.

As we saw then, conditioning access to society on immunity incentivizes “bug-chasing”—that is, people deliberately trying to get sick in order to get the immunity passport. No one should have to expose themselves to a potentially deadly disease with no cure to find work.

 Risks of Digitized Immunity Passports

The push for immunity passports has largely been premised on the promise of technological solutions to a public health crisis. A proposed bill in California, for example, would use blockchain technology to facilitate an immunity passport system on peoples’ smartphones. We oppose this bill. Technological advancements such as blockchain technology or other methods  of implementation do not address our objections to this type of system in of itself.

Moreover, digital-format immunity passports could normalize digital-format proof-of-status documents more generally. Advocates of immunity passports visualize a world where we can’t pass through a door to a workplace, school, or restaurant until the gatekeeper scans our credentials. This would habituate gatekeepers to demand such status credentials, and habituate the public to submit to these demands.

This digital system could easily be expanded to check not just a person’s immunity status, but any other bit of personal information that a gatekeeper might deem relevant, such as age, pregnancy, HIV status, or criminal history. The system could also be adjusted to document not just a particular person’s status, but also when that person passed through a door that required proof of such status. And all data of all such passages could be accumulated into one database. This would be a troubling step towards digital national identification, which EFF has long opposed because it would create new ways to digitally monitor our movements and activities.

Digital format documentation also brings the risk of presenting such documentation under duress to varying authorities. Handing over your phone to police, unlocked or not, includes significant risks, especially for people in vulnerable communities—risks that could lead to unintended consequences for the presenter and a potential abuse of power by law enforcement.

Moreover, requiring people to store their medical test results in a digital format would expose private medical information to the danger of data breaches. Again, this is hardly new—we have seen exactly these types of breaches in the past when medical information has been digitized and collected. Just last year, for example, an HIV database in Singapore leaked the personal information of more than 14,000 individuals living with HIV.

We should learn from our past mistakes, and ensure that technology works to empower people, instead of creating new vulnerabilities.