Building robust and ethical vaccination verification systems


The rapid development of an effective COVID-19 vaccine provides hope that the pandemic might be brought to an end, but as societies roll out vaccines and begin to open up, policymakers face difficult questions about how to best verify individuals’ vaccine records. Building vaccine record verification (VRV) systems that are robust and ethical will be vital to reopening businesses, educational institutions, and travel. Historically, such systems have been the domain of governments and have relied on paper records, but, now, a variety of non-profit groups, corporations, and academic researchers are developing digital verification systems. These digital vaccine passports include the CommonPass app developed by the World Economic Forum to verify COVID-19 test results and vaccine status, as well as similar systems several major tech companies are actively exploring.

VRV systems present both opportunities and risks in tackling the COVID-19 pandemic. They offer hope of more accurate verification of vaccine status, but they also run the risk of both exacerbating existing health and economic inequalities and introducing significant security and privacy vulnerabilities. To mitigate those risks, we propose a series of principles that ought to guide the deployment of VRV systems by public health authorities, policymakers, health care providers, and software developers. In particular, we argue that VRV systems ought to align with vaccine prioritization decisions; uphold fairness and equity; and be built on trustworthy technology.

Vaccine verification systems

Instead of focusing solely on the technical details of vaccine record verification technology, we consider the technology as a system in order to better understand the policy questions associated with it. As illustrated in figure 1, VRV systems involve 1) data sharing by health care providers, 2) methods for verifying vaccine records, and 3) regulation of how entities (e.g., workplaces, schools, businesses, and airlines) may request proof of vaccination. Each component of the system poses unique policy questions with implications for health outcomes and individual privacy and requires robust oversight governing its development and use.

Fig. 1. Policy questions for building a vaccine record verification system. The VRV system has three components: 1) data sharing by health care providers, 2) methods to verify vaccine records, and 3) regulations regarding how entities (e.g., airlines, stores, restaurants, schools, and workplaces) could demand proof of vaccination.

Existing public health surveillance measures

The idea of an internationally recognized VRV system is not new. In the 1920s and 1930s, countries began conditioning air travel on health certificates verifying inoculation against certain diseases. In 1951, the World Health Organization took existing measures a step further by establishing the International Sanitary Regulations that aimed to limit the international spread of disease. An International Certification of Vaccination, known as the carte jaune, followed in 1959 and logged an individual’s vaccination history to meet countries’ exit and entry requirements. The WHO publishes vaccine requirements, largely an annual update on yellow fever vaccination requirements across countries. The success of the carte jaune suggests that paper-based vaccine records should not be abandoned. Indeed, countries including the United States and the United Kingdom are issuing paper vaccination cards, even if those are not meant to be used for verification. Compared with digital health records, paper records are less error-prone (e.g., not sensitive to internet connectivity), do not exclude those without smartphones, and can serve as a backup for digital verification tools.

Public health authorities have considered implementing digital certificate technology for individuals who have been infected with COVID, but these efforts have failed to gain traction. In mid-2020, several countries considered adopting immunity passports in the form of a certificate or app that would verify that an individual has neutralizing antibodies against COVID-19. These antibody immunity verification proposals were not adopted because they may have provided adverse incentives to encourage individuals to become infected with the virus. Concerns about the sensitivity and specificity of serologic tests and the possibility that people can become reinfected with COVID-19 created additional roadblocks.

Vaccine records would eliminate many of the problems associated with immunity passports based on antibody tests. But such a system raises other concerns, such as whether immunity passports based on antibody or vaccine verification would create a two-tiered society: those who have greater freedom to work, travel, and perform other activities versus those who do not. Therefore, public health policies must prioritize fairness and equity in vaccine verification systems by not punishing people who cannot yet access vaccines.

COVID-19 exposure notification apps, designed to supplement manual contact tracing, illustrate the potential problems associated with quickly implementing technological solutions in a pandemic. Although many countries have adopted the privacy-preserving Google/Apple exposure notification system, use rates in the United States and Europe remain relatively low. Vaccine passport apps are likely to face similar concerns regarding privacy, surveillance, and fear that the collected data will be abused. Widespread adoption of vaccine passport apps requires overcoming public distrust of this new technology and the government and private organizations that run them.

Challenges in building VRV systems

Health care providers that are vaccinating patients face challenges regarding the storage and sharing of vaccine records. VRV systems require the mass collection of health data, generally understood to be particularly sensitive information under most privacy law regimes, such as the EU General Data Protection Regulation. Electronic transfer of health information also incurs legal obligations under regulations like the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Beyond legal concerns, the United States also faces information technology hurdles, as many health care providers do not enter vaccine records into online immunization information systems (IISs) that facilitate data sharing. As of 2019, only 60% of U.S. adults’ vaccine records were in IISs. Expanding health care providers’ IT capacity would require considerable resources.

Another important question is with whom health care providers should share vaccine records and what specific data should be shared. Currently, there is a proliferation of third-party software developers building vaccine passport apps. Without oversight or credible information about these app developers, health care providers may be rightly hesitant to share vaccine records. Patients may also be reluctant to participate because they fear that these apps could leak sensitive medical data.

One central debate regarding verification methods is whether vaccine passport apps should supplement paper cards or replace them entirely in some cases. While paper vaccine records have a proven track record, some express concerns that paper records are easy to fake. Well-designed vaccine passport apps can prevent fraud. Nevertheless, apps must be designed with privacy, security, and transparency in mind to protect medical and personal data. App-based verification will not work well in areas where health care providers do not have the technical capacity to share data, where many people do not own smartphones, or where people distrust the apps and the actors developing the apps.

One lesson from the exposure notification app experience in the United States and Europe is that public trust in new technology and the actors developing and managing this technology is vital for widespread adoption. In a survey conducted in early December 2020, we found that the U.S. public does not prefer paper records over cellphone-based verification. In our survey (results shown in figure 2), 54% of U.S. adults support requiring cellphone-based verification in order to travel on airplanes and public transportation, compared with 52% for paper records. Nevertheless, 46% said that requiring cellphone-based verification would violate privacy, compared with 39% for paper records. Even if vaccine passport apps were made mandatory, failing to establish a trustworthy and privacy-preserving app could cause long-term distrust in tech companies and governmental institutions.

Fig. 2. U.S. adults’ attitude toward vaccine passports (certification on cellphone versus paper card). These survey results came from a survey of N = 2,000 U.S. adults that was conducted between Dec. 4 and 5, 2020. In one section of the survey, respondents were randomly assigned to evaluate three out of 12 public health policies. One of the policies stated: “Once a vaccine becomes available, to use public transit or travel by train/plane, everyone would be required to show a government-issued certification on their cellphones confirming that they have been vaccinated against COVID-19.” Another policy had the same wording except “paper card” replaced “certification on their cellphones.” Respondents were asked how much they supported or opposed the policy using a 0 to 100-point scale. In the upper panel, we present the distribution of responses. Categories in the figure divide the raw responses into five categories shown on the scale (0-20 = strongly oppose, 21-40 = somewhat oppose, 41-60 = neutral, 61-80 = somewhat support, 81-100 = strongly support). We also asked respondents to predict whether certain outcomes will happen if the government were to adopt the policy. In the bottom panel, we show responses to four of the eight outcomes most relevant to this commentary. The results were weighted to match marginal distributions of age, gender, region, race, income, and education in the U.S. adult population using data from the 2018 American Community Survey.

Another difference between paper record cards and passport apps is that the former is largely issued by governments, while the latter is currently being built by non-governmental actors, like non-profits or tech companies. Would the public trust certification by non-governmental actors? A recent USC-Brookings Schaeffer study by Mark Hall and David Studdert found that the American public slightly favors “private certificates” (48% support) more than “government passports” (43% support) based on antibody tests. Future public opinion research should investigate whether this difference holds for proof of vaccination.

While educational institutions and some employers have traditionally required proof of vaccination, many more entities (e.g., landlords, stores, restaurants, cinemas, airlines, and public transit) may soon request it as well. Who is allowed to request proof of vaccination, when they are allowed to begin requesting proof, and what type of verification they will accept represent major questions for vaccine verification regimes.

From a legal perspective, U.S. law provides little recourse against discrimination based on immunity verification. Both states and private businesses have broad power to implement mandatory vaccination requirements. U.S. laws protecting health data (e.g., HIPAA and the Genetic Information Nondiscrimination Act) do not prohibit discriminatory uses of immunity information. The Americans with Disabilities Act (ADA) also does not protect against discriminatory impacts of immunity verification. Indeed, the ADA allows employers to limit hiring to individuals who “shall not pose a direct threat to the health or safety of other individuals in the workplace.” The U.S. Equal Opportunity Employment Commission (EEOC) released guidance in December, stating that employers can legally mandate vaccinations, provided that accommodations are made for individuals with disabilities or those seeking religious exemption.

As immunity verification will likely impact fundamental rights related to housing, education, and employment, the absence of strong legal protections is troubling. Laws should balance protecting the health of the public while preserving fundamental human rights. At the very least, entities should not make impossible demands on individuals, such as requiring them to jump the vaccine prioritization queue when vaccine supplies are limited, as we will discuss in the next section.

Guiding ethical principles

Aligning VRV systems with vaccine prioritization. Public health authorities have made painful trade-offs in deciding which groups should be given priority in the COVID-19 vaccine queue. Proof of vaccination requirements need to be aligned with vaccination prioritization. Only those who can get a vaccine ought to be subject to mandatory proof of vaccine. When VRV is required for international air travel, for example, anyone who is at the back of a vaccine queue but who urgently needs or wants to travel can neither get a vaccine nor travel. This dilemma could create incentives to change vaccine prioritization plans to allow travel for those who are otherwise at the back of the queue, thereby undermining the principles that informed the vaccine prioritization plan in the first place. Plans informed initially by medical and social needs could be amended to satisfy economic or political interests instead. However, vaccine verification could complement and substitute for required pre/post-flight testing, mask-wearing, and quarantines to make travel safer.

Upholding fairness and equity. The COVID-19 pandemic has exacerbated existing socioeconomic inequities by disproportionately harming ethnic minorities and low-income individuals. VRV systems should ameliorate rather than exacerbate these inequities so that those most exposed do not suffer the most scrutiny when unprotected by a vaccine. Individuals who cannot access vaccines while supply is limited should not be denied public services, employment, education, or travel. Likewise, those who cannot receive the vaccine for health reasons, such as those with severe allergies, should also not face discrimination. Furthermore, governments and/or employers should pay for not only the vaccines but also medical treatments for severe side-effects. Finally, official paper vaccine records should be accepted so that those who do not own smartphones do not face discrimination.

The fairness and equity principle should be applied internationally as well as domestically. While the vaccines will likely be widely available to the public in developed countries in 2021, some low-income countries will not see mass vaccination this year. Developed countries should not curtail immigration and travel from developing countries by imposing strict vaccine requirements that simply cannot be met.

Upholding fairness and equity may be costly. The public must continue to adhere to measures to prevent COVID-19 spread, such as social distancing and mask-wearing, until vaccines are widely available and herd immunity is reached. Keeping these preventative measures in place, at least in public spaces, is prudent until we have more data regarding how effectively vaccination prevents asymptomatic transmission.

Once COVID-19 vaccines are widely and easily available, entities may—and perhaps ought to—require vaccine verification. Permitting such policies would be in line with the individual autonomy of entities in the private economic sphere and protect individuals’ health. Moreover, such requirements would likely incentivize vaccination.

Building trustworthy technology. Any vaccine passport app should be privacy-preserving and secure. As a core technical design tenet, the app and its back-end should only collect and store data necessary for the app to function. All data should be securely deleted once it is no longer needed. Developers should avoid including any functionality that tracks unnecessary data and avoid implementing any third-party tracking or dependencies. All data communications should remain end-to-end secure between user devices and the data controller’s infrastructure. Vaccine passport apps should also maximize privacy-preservation: Individual users should be able to verify their vaccination status without sharing personally identifiable information (PII) or personal health information (PHI) with the verifying entity. This is technically and cryptographically feasible.

The application and back-end should implement strong and positive security controls. Program logic and back-end protections should include role-based access controls to ensure that users can only access the information they require to complete the specific tasks assigned to their role within an organization during a particular time frame. PHI and PII should never be collected, accessed, used, analyzed, or shared without verified user opt-in. Furthermore, the data controller should implement strong internal controls and safeguards to prevent staff from accessing any personal data without appropriate process, such as third-party approval, the four-eyes principle (i.e., two individuals being required to complete the process), documentation, and alerts to affected individuals.

The most effective way to increase the trust in, and the security of, VRV solutions is to use an open-source approach for application and back-end services, as demonstrated by the German Corona Warn App. This approach allows for crowd-sourced security review. Trust in institutions, both private and governmental, develops slowly and has taken serious hits in recent years. However, making source code available would allow regulators, security experts, and the press to peruse and improve it, building necessary trust in the VRV system.

Baobao Zhang is a Klarman Postdoctoral Fellow in the Department of Government at Cornell University.
Laurin Weissinger is a lecturer at the Fletcher School of Tufts University and an affiliate with the Department of Computer Science at Tufts.
Johannes Himmelreich is an assistant professor in the Maxwell School of Citizenship and Public Affairs at Syracuse University and a senior research associate in the Campbell Public Affairs Institute.
Nina McMurry is a research fellow in the Institutions and Political Inequality Unit at the WZB Berlin Social Science Center and a research affiliate at MIT GOV/LAB.
Tiffany Li is a visiting clinical assistant professor at Boston University School of Law and a fellow at the Yale Law School Information Society Project.
Naomi Scheinerman is a fellow in ethical, legal, and social implications of genetics and genomics in the Department of Medical Ethics and Health Policy at the University of Pennsylvania.
Sarah Kreps is the John L. Wetherill Professor at Cornell University and the director of the Cornell Tech Policy Lab.

Acknowledgements: The authors are grateful for Farah Hasnie’s graphic design of figure 1 and Benjamin T. Miller’s copyediting. Original survey research for this commentary was funded by a Social Science Research Council Just Tech Covid-19 Rapid-Response Grant and received IRB approval from Cornell University.

Apple and Google provide financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.