On 27 August, the WHO published the Technical Specifications and Implementation Guidance for digitally implementing a COVID-19 vaccine passport.
Call it “The Great Reset”, “A New World Order”, “Build Back Better” or whatever you like. It is not a good development.
An interesting section examines the ethical considerations of what they propose. Curiously their conclusion is that it is not really ethical. [DDCC:VS=Digital Documentation of COVID-19 Certificates: Vaccination Status]
It states:
Member States must establish the appropriate policies for appropriate use, data protection and governance of the DDCC:VS to reduce the potential harms, while achieving the public health benefits involved in deploying such a solution.
Does anyone here trust our lot in Wellington to get that right?
Another interesting quote:
Individual vaccination status is private information, and protections need to be in place to ensure that no individual is forced to disclose or publicly display a DDCC:VS to access any public area or activity. Such a practice and/or the lack of a DDCC:VS itself may result in the stigmatization of individuals without a DDCC:VS and may exacerbate the risk of harms.
No jab, no job, anyone? Sorry, only vaccinated people are allowed to fly. Sorry, only vaccinated people are allowed to sit inside in the restaurant etc. etc.
2.1.2. Ethical considerations related to further potential uses of DDCC:VS
The two currently proposed uses of DDCC:VS, proof of vaccination and continuity of care, are features of traditional clinical uses. However, a number of other possible uses for a DDCC:VS raise ethical issues. In the context of COVID-19, a DDCC:VS might play a role in achieving various public health purposes such as determining vaccination coverage in a given population, which may help to determine when to lift or relax public health and social measures (PHSMs) at a population level. A DDCC:VS might also be used to facilitate individualized exemption from, or, reduction of PHSMs (e.g. reduced quarantine time post exposure) or individual access to an activity based on proof of vaccination (if such uses are held to be ethical), which we can term a “health pass” function. The potential deployment of a DDCC:VS for these purposes, particularly as a health pass, engenders a number of potential ethical problems for individuals and communities, and human rights challenges.
First, use of a DDCC:VS as a health pass raises a distinct set of risks because of current scientific uncertainties regarding COVID-19 vaccines. While COVID-19 vaccines have demonstrated efficacy
and effectiveness in preventing severe disease and death, the extent to which each vaccine prevents transmission of SARS-CoV-2 to susceptible individuals remains to be assessed. How long each vaccine confers protection against severe disease and against infection, and how well each protects against current and future variants of SARS-CoV-2 needs to be regularly assessed. In this context of scientific uncertainty, use of a DDCC:VS as a health pass based solely on individual vaccination status may increase the risk of disease spread. This is particularly the case if individuals with a DDCC:VS are completely exempted from PHSMs or if it is hard to enforce individuals’ compliance with required PHSMs during an activity (e.g. mask wearing and physical distancing during a concert) to which they are allowed access based on their DDCC:VS.Second, some potential behavioural responses to a DDCC:VS in its role as a health pass could undermine individual and public health. These include the following.
Where the benefits of a health pass are significant, it may result in vaccination certification fraud. This may increase COVID-19 risks if a non-vaccinated person is potentially in contact with
vulnerable people.Individuals may be less willing to disclose their medical history and (potential) contraindications to a COVID-19 vaccine in order to be vaccinated and to obtain a DDCC:VS, which increases the risk of
adverse events.The creation of a DDCC:VS following vaccination for each individual may incentivize more people to receive a vaccine to access the benefits of a DDCC:VS. However, it may also increase vaccine hesitancy because of privacy and other concerns that the vaccination record could be linked to personal data and be used for functions other than those originally intended (e.g. surveillance of individual health status), or be used by unintended third parties (e.g. immigration, commercial entities, researchers).
Third, a DDCC:VS in its use as a health pass risks introducing unfair disadvantages and injustices. The limited supply of COVID-19 vaccine within some countries has been distributed to prioritize those at greatest risk of infection (such as health-care workers) or severe outcomes (such as the elderly). There is a danger that those who are willing to be vaccinated but have not yet been offered a vaccine, or those who are unable to be vaccinated for medical reasons, would be unfairly disadvantaged if a DDCC:VS incorporated health pass functions. Consideration should be given to whether unvaccinated individuals could use other proofs of health status to allow them similar access to the same services while mitigating the risk of disease spread. These other proofs may include a negative COVID-19 test or proof of post-infection-acquired immunity based on tests that are reliable and accurate (which have been called immunity certificates), although this also raises considerable scientific and ethical concerns.
WHO
I asked my friendly, on-call software developer for an opinion. Here’s what he had to say:
This document assumes that a PKI [Public Key Infrastructure] has already been deployed or is available within a country to support the DDCC:VS workflows described in this section.
First, obtain a frictionless pulley and a massless string… Or, they could use blockchain technology – but that is not widely adopted yet.
I skimmed it all. It’s super high level. There’s not anything here you could actually take and implement.
A human-readable plain text description of the vaccination data is transformed into a non-human-readable “document hash” using a hashing algorithm
This is executive-level stuff that we can all nod our heads at.
- Which hash (not “hashing”) algorithm?
- How is the chosen hash algorithm specified?
- Is this extensible?
- Can new algorithms be added in the future?
- How do we deprecate insecure hash functions?
- How is the data normalised first?
- What about a MAC?
An actual security review would tear this document to shreds.
————
Sounds like something our lot would be right into then, after the success of the MIQ booking system etc, this should be a doddle for them to implement in Aotearoastan.