The government must explain how Covid-19 passports will be used and how they will ensure accurate identification, a privacy expert said.
Last week, Transportation Secretary Grant Shapps confirmed the NHS app would be used as a Covid-19 passport from May 17, when international travel resumes.
Announcing the 12 countries on the UK’s “green list”, which will not require quarantine on return, he said the passport will be used to show that Britons have had the vaccine or tested negative for the virus before going on holiday.
But Professor Eerke Boiten, a professor of cybersecurity at De Montfort University in Leicester, told Digital Health News that “too little” is known about how these passports will be used.
“They have to tell us what are the scenarios they foresee, what are the use cases? And then fix them sooner rather than later,” he said.
“At the moment, we know too little about how they will implement it.”
Boiten, who has previously commented on the privacy risks of some contact tracing applications, said that in principle he is “less concerned” about Covid-19 passports if they are limited to international travel, but added that they should have a strong authentication system to ensure privacy and proper use.
“As usual, the questions that need to be asked are based on authentication and the chances of abuse,” he told Digital Health News.
“What guarantees do you rely on for authentication? Because owning a phone is not a strong enough authentication or a strong enough holder identification.
“It has to be tied to some identity system at some point and use cases have to justify it.”
Boiten suggested that a QR code could be used to verify a person and only transfer the necessary vaccination data.
“In any situation, we must know that the person presenting the passport is the genuine holder of the passport. Not only can passport information not be falsified from scratch, but also someone’s information cannot be used in this situation,” he said.
The NHS app allows users to access various NHS services from their smartphone or tablet. It was launched in 2018 and offers services that include symptom checking and triage; appointment booking; repeat prescription ordering; access to patient records; national data opt-out; and organ donation preference.
It already allows users to check their vaccination status if enabled by their GP, which applies to all vaccinations.
To better assess the potential security risks associated with using the NHS app as a Covid-19 passport, Boiten downloaded it and assessed the level of personal information it held.
“In terms of privacy risks, I don’t think it adds significantly to the risks that already exist in the NHS app itself,” he told Digital Health News.
“The NHS app has sensitive recipe information here. Having it on the phone, with the right security measures, is already a situation where we have to worry about making sure no sensitive information is leaked.
“Covid’s state is, in a way, probably less sensitive than some other medical information, but on the other hand, it’s also more powerful if it allows people more autonomy.”
But he said a data protection impact assessment would need to be done before deploying Covid-19 passports to ensure privacy and security.
Following Shapps’ confirmation of Covid-19 passports, a government spokesman said “security and privacy will be at the core of our approach.” The spokesman added that a solution was also being considered for people who do not own a smartphone.
When contacted by Digital Health News about how Covid-19 passports would be implemented, the Department of Health and Social Care was unable to provide further information.