Sec. Health Technology Implementation
Volume 3 - 2021 | https://doi.org/10.3389/fdgth.2021.594124
Digital COVID Credentials: An Implementation Process
- 1Division of Primary Care Medicine, Geneva University Hospitals, Geneva, Switzerland
- 2Faculty of Medicine, University of Geneva, Geneva, Switzerland
- 3Division of Infectious Diseases, Geneva University Hospitals, Geneva, Switzerland
- 4SICPA, Prilly, Switzerland
- 5University Centre for General Medicine and Public Health, University of Lausanne, Lausanne, Switzerland
Initial public health responses to the COVID-19 pandemic have focused on non-pharmaceutical interventions including stringent physical distancing measures, lockdowns, and restriction to free movement. This comes at significant costs however, both economically and socially (1, 2). As authorities begin to ease existing measures, governments are looking into specific alternatives to lockdown, such as phased mobilization of the economy (3), less stringent physical distancing measures, or immunity passports that would determine individual access or restrictions (4). Immunity passports vs. certificates differ in the rights related to their use and their issuing authority. Immunity passports have been cautioned against by the WHO and at international levels (5, 6) citing a lack of reliable interpretability of the presence or absence of COVID-19 antibodies, as well as ethical risks (7). With the advent of vaccines, these risks are potentially mitigated while other risks arise such as universal access to vaccination, and the debate around immunity passports is once again justifiably revived (8). COVID credentials could be an answer to facilitate some of the currently difficult scenarios in society and everyday life (travel, large gatherings, etc.). The need for a non-falsifiable solution is of utmost importance, especially with reports of fraud increasingly emerging (9).
Reflecting on the digital aspects of such a solution is important to ensure the implementation of adequate safeguards, display the right amount of information and use digital health systems to society's advantage. The European Union has recently published open source material detailing a potential trust framework and technical specificities that would be used in establishing a European Union Digital COVID Certificate that would be uniform and interoperable (10). COVID credentials taking into account vaccination, serology, PCR testing, and self-reported symptoms can employ algorithms to certify an individual's most recent COVID-related status. Certification would take into account results from pre-certified laboratories and pre-certified vaccination centers only, thus decreasing the prospect of false positive results and individuals inadvertently foregoing protective measures, putting themselves and others at risk (11). In addition, information could further assist individuals in making the right decisions and can also provide reminders to get tested or retested, vaccinated or re-vaccinated; which would also accommodate continually evolving aspects of the current COVID-19 pandemic and virus response. An example is setting reminders for individuals who received a vaccination to receive a booster shot, depending on the duration of the immune response (once defined), but also for individuals who received a specific vaccine to follow specific measures if a new variant turned out resistant to that vaccine. The presence of symptoms should also be part of the algorithm and could determine the need for fast-track testing or the implementation of isolation measures.
Here, we propose a very practical decentralized secured digital solution (Figure 1). The solution is securing the original data provided from a certified vaccination center, a certified laboratory or testing center. A digital security seal protects and guarantees the integrity of the data to be secured, through an unforgeable mathematical link between the hash of the data and the seal. To ensure the immutability, the digital security seal is timestamped on a blockchain. As the digital security seal contains only metadata, it guarantees privacy protection of the holder with personal and medical data only on the credential (QR code) itself. The blockchain is acting only as a secure “Trust Anchor,” in the form of an undisputable timestamp. Thus, no data are ever exposed or stored on the blockchain. Unlike the European Union Digital COVID Certificate, this solution does not need to handle the complex management of cryptographic keys, thus avoiding the risk of having some of these keys being compromised or stolen.
The individual presents him or herself to the certified vaccination or testing center. His or her identity is verified (using an official ID) prior to testing, vaccination or determination of recovery. The information on vaccination status, or the test result or the recovery status is secured as COVID credentials. The COVID credentials consist of a certificate, secured by its QR code, containing the name of the person (previously verified), the medical information (vaccine, test result, recovery etc.) as well as the name and identification of the issuing authority. The COVID credentials are issued in batches (in the form of secured QR-codes) by the issuing authority (certified vaccination or testing center) using a Digital Certification SaaS. This Digital Certification SaaS is accessible online by the issuing authority only, with a secure login. Once the QR codes are generated, they are activated by the issuing authority and all information used to issue the credentials is deleted from the Digital Certification SaaS. This process reinforces the decentralized approach by removing the need for a central database that could be easily targeted, and safeguards are important to ensure only certified testing and vaccination centers are capable of issuing such credentials while respecting data protection and privacy regulations. The data remains in the issuing authority medical records (like any other laboratory or vaccination result and for a defined period of time if needed), enabling individuals to have their credentials re-issued when necessary (lost QR code for example). The secure QR code can be stored on an individual's phone or delivered as a print-out to reduce the digital divide. The secure QR code reduces the risk of forgery or tampering, and can be universally verifiable via a web-based portal or a mobile app, without the need to access a database containing personal or medical information. The individual has access to the web-based portal to verify his or her own credentials. The individual can choose to disclose information in specific contexts (airport control, access to a venue, nursing home, etc.) and interpretation of the result ensues, based on the context-related requirements (for example negative PCR within the last 72 h to enter a specific country vs. 24 h etc.). Individuals can selectively decide who to show this information to and how many identifying details to reveal depending on the context. Selective disclosure and decentralized information can further assist in preserving privacy and confidentiality. A digitally secured solution can also reduce the risk of loss, identity theft and forgery while ensuring accessibility, bidirectional information and the possibility to revoke the credentials or update the expiration information when needed. In order to ensure more universal access, a paper version of the digital certificate and QR code is also available. This paper version provides the same level of security as the digital one, as its content is certified via the QR code which can be universally verified with the same security as the digital credential. QR code verification acting as a digital unforgeable stamp remains a cornerstone of certification in order to avoid any fraud or falsification. The QR code verification can also be performed offline as the verification keys (digital security seals) can be periodically replicated locally on the verification device when connected.
Immunity passports, certificates or COVID credentials will be increasingly at the forefront of medical and public policy discussions in the months and years to come. The adequate safeguards around a digital COVID credential should be discussed, and a non-falsifiable solution should be implemented especially if rights are linked to such credentials. The solution presented here provides a decentralized approach to databases as well as a secure certification process in line with the European Commission's recommendations (10). This solution also provides a secure approach, ensuring the integrity and validity of the information and respecting data protection regulations on privacy and confidentiality. The question of COVID credentials, now at the forefront, should be also be addressed at a policy level involving discussions between medical and public health actors, technology experts, ethicists and governing bodies. It is also of utmost importance to actively engage the public on the options and opinions connected with this issue in order to assess their trust and needs when proposing a digital health solution.
MN, PG, PT, LK, SS, and IG contributed to the writing of the manuscript. MN, PT, and IG contributed to the figures. All authors contributed to the article and approved the submitted version.
This work was supported by the Edmond J. SAFRA Foundation for clinical research in internal medicine.
Conflict of Interest
PG and PT has a patent WO2020011447 pending, and a patent WO2020030382 pending. SICPA has developed the CERTUS digital solution certificates with digital seal technology.
The remaining authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.
1. OECD. Evaluating the Initial Impact of COVID-19 Containment Measures on Economic Activity. OECD (2020). Available online at: http://www.oecd.org/coronavirus/policy-responses/evaluating-the-initial-impact-of-covid-19-containment-measures-on-economic-activity-b1f6b68b/ (accessed July 18, 2020).
2. Correia S, Luck S, Verner E. Pandemics Depress the Economy, Public Health Interventions do Not: Evidence From the 1918 Flu. (2020). Available online at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3561560 (accessed July 27, 2020).
3. Edmond Safra Center for Ethics Harvard University. Roadmap to Pandemic Resilience. (2020). Available online at: https://ethics.harvard.edu/covid-roadmap (accessed July 18, 2020).
4. Persad G, Emanuel EJ. The ethics of COVID-19 immunity-based licenses (“immunity passports”). JAMA. (2020) 323:2241–2. doi: 10.1001/jama.2020.8102
5. WHO. “Immunity Passports” in the Context of COVID-19 Scientific Brief. WHO (2020). Available online at: https://www.who.int/publications-detail/immunitypassports-in-the-context-of-covid-19 / (accessed April 30, 2020).
6. National COVID-19 Science Task Force (NCS-TF) ELSI report. Ethical, Legal, and Social Issues Associated With “Serological Passports”. (2020). Available online at: https://ncs-tf.ch/en/policy-briefs (accessed June 15, 2020).
7. Olivarius K. Immunity, capital, and power in antebellum New Orleans. Am Hist Rev. (2019) 124:425–55. doi: 10.1093/ahr/rhz176
8. Hall MA, Studdert DM. “Vaccine passport” certification - policy and ethical considerations. N Engl J Med. (2021). doi: 10.1056/NEJMp2104289. [Epub ahead of print].
9. Europol. Europol Warning on the Illicit Sale of False Negative COVID-19 Test Certificates. Available online at: https://www.europol.europa.eu/newsroom/news/europol-warning-illicit-sale-of-false-negative-covid-19-test-certificates
10. European Commission. EU Digital COVID Certificate. Available online at: https://ec.europa.eu/health/ehealth/covid-19_en (accessed April 21, 2021).
11. Phelan AL. COVID-19 immunity passports and vaccination certificates: scientific, equitable, and legal challenges. Lancet Lond Engl. (2020) 395:1595–8. doi: 10.1016/S0140-6736(20)31034-5
Keywords: digital, blockchain, COVID-19, decentralized governance, free movement, immunity, certificate, vaccination
Citation: Nehme M, Kaiser L, Gillet P, Thevoz P, Stringhini S and Guessous I (2021) Digital COVID Credentials: An Implementation Process. Front. Digit. Health 3:594124. doi: 10.3389/fdgth.2021.594124
Received: 25 August 2020; Accepted: 04 June 2021;
Published: 25 June 2021.
Edited by:Constantinos S. Pattichis, University of Cyprus, Cyprus
Reviewed by:Gary Matkin, University of California, Irvine, United States
Joshua Coyne, University of Memphis, United States
Copyright © 2021 Nehme, Kaiser, Gillet, Thevoz, Stringhini and Guessous. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
*Correspondence: Mayssam Nehme, email@example.com