While everyone agrees that there should be some way to tell if travellers are free of COVID-19, there are still problems with the idea of digital health passport that's similar the passports we use for travel, says Synopsys.
Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group explained: "One of the first challenges becomes the definition of 'vaccinated'. Outside of the Yellow Card, more formally known as the international certificate of vaccination for yellow fever, there really isn’t an internationally accepted means to confirm if an individual has met a vaccination requirement.
"Considering the Yellow Card is itself a paper document signed by a medical professional who supervised the actual vaccination, that model would be difficult to replicate given the scale of COVID-19 vaccination requirements – and that’s before we get to the potential security implications."
According to Mackey, several businesses are now providing mobile apps that attest to the COVID-19 state of the bearer. "The security implications of those mobile apps are similar to any healthcare app – any medical data on a person is of prime value to an attacker. The reason medical data is so valuable stems from how personal it is. Even if the medical data is limited to a simple statement of vaccination, the nature of the pandemic makes even that data rather valuable. For example, if there were a bug in the app or underlying service that caused it to display to someone that a vaccination protocol hadn’t been completed when it had, then such an error could result in the traveller being denied entry or worse," he said.
He stressed that security reviews are a must. "Those reviews often uncover issues that were overlooked or deferred during the design phase when the business is trying to define a new market or disrupt an existing market. We need only look back at the challenges faced with contact-tracing applications to recognise that a technologically-acceptable solution might not address privacy concerns," he observed.
"That’s in part because there is no single solution to any problem, and often cool new technologies like Blockchain or complex technologies like encryption are applied without understanding how they might function under adverse conditions like those found during a cybersecurity attack."
"Returning to a world where international travel and even air-travel is once again commonplace is something we all want, but it requires far more than an app to be solved. Significant coordination between international entities is required to ensure that the data recorded by the app is correct and complete," he concluded.
"Once in the app, the data needs to be verifiably secure and stored in a tamper-evident form that itself can’t be modified. Building confidence around this process requires some of the transparency seen within open-source software development, where skilled practitioners are able to review the implementation and configuration of the proposed solution. Mis-steps along this path could easily tarnish the reputation of digital health passports and form a setback to the return to a pre-COVID-19 travel experience."
