Criminals could falsify digital vaccine passports to take overseas holidays and people could be barred entry to pubs or restaurants if they are determined by an algorithm to live in a high-risk area if the Government failed to take sufficient care to safeguard the passports from ‘inappropriate use’, cyber experts have warned.
Britain is currently reviewing how vaccine passports could be used to travel and gain entry to hospitality or entertainment, Business Secretary Kwarsi Kwarteng confirmed on Wednesday, as the European Commission outlined its own proposals to create a ‘Digital Green Certificate’ to allow free movement within the EU.
The UK Government announced a review into the proposal that vaccine passports or certificates could be produced to gain entry into pubs, restaurants, theatres, cinemas and other indoor venues last month, the findings of which are expected to be published before England’s lockdown eases fully on 21 June.
Adam Leon Smith, chair of BCS, The Chartered Institute for IT’s software testing group, said IT experts were “really worried” about data collected as part of the vaccination process being cross-referenced to create a personal risk score for individuals based on information such as a person’s job, whether they’ve been vaccinated, how many doses they’ve received or their address.
“The worst-case scenario is a personal risk score that’s based on a series of rapidly evolving statistics and is linked to the vaccine passport that you’re required to use as part of your day-to-day life, that would be unfair to a lot of people,” he told i.
“We’re really worried about data getting joined together: for example, to check if you work as a nurse or a lorry driver crossing the Channel on a daily basis, to work out how likely you are to have been vaccinated or to have the virus.”
Once something like a vaccine passport system is created, there’s nothing in place to stop businesses asking customers to produce a passport or certificate to gain entry to a shop or requiring employees to hand over their personal risk score before setting foot in an office, he said.
The approach could discriminate against people yet to receive the vaccine, those who have decided not to accept a jab and people who don’t own a smartphone capable of displaying a digital passport.
Similarly, the more people are motivated to try and disrupt a system, to enter another country, for example, the more people will attempt to, Mr Smith warned.
“There’s also a stronger need for security because people are going to want to fake vaccine passports more than they do existing yellow fever certificates to go on an expensive holiday, there’s going to be a higher demand for fakes.
“The Government needs to speak to businesses and international partners to make a decision that’s not going to be made quickly and then rolled back.”
Professor Carsten Maple, from the Trustworthy Digital Infrastructure for Identity Systems project at the Alan Turing Institute and Prof of Cyber Systems Engineering at the University of Warwick’s Cyber Security Centre (CSC) said the Government should have started work on an immunity passports programme a year ago.
“I’m afraid the Government hasn’t really properly consulted on this kind of project during the pandemic, but it needs to do that before rushing into something we have to backtrack on,” he told i.
“We can’t make the same mistakes we made with contact tracing, we need to do this properly. We could get a system out that is both rigorous and reliable if we open consultations with expert groups now. They will be able to advise and test how the system might be abused or misused by people and companies.”