The best defense is offense: policy recommendations for a COVID-19 vaccine passport in Boston

Devyn Greenberg
Oct 17, 2021

Note: this blog post was written in response to an assignment for the course DPI-662 Digital Government: Technology, Policy, and Public Service Innovation at Harvard Kennedy School. It is in response to a fictitious scenario.

Scenario: You are a senior policy advisor to Boston’s Acting Mayor Kim Janey, who is running for a full term next month. You have learned that other major metropolitan cities are requiring proof of COVID-19 vaccination to enter restaurants, gyms and indoor venues. Advise Mayor Janey on what the city’s position should be, given its implications for security and privacy.

Source: Brookings.com

My response:

Mayor Janey,

As you know, two of our top priorities as a city right now are 1) to mitigate the spread of COVID-19 in a way that foregrounds equity and minimizes adverse consequences and 2) to enable people and businesses to ‘get back to normal.’ Though these priorities have appeared to be in conflict at times, we have a clear opportunity to tackle both at once: following the lead of our peer cities, we ought to mandate proof of vaccination to enter restaurants, gyms and indoor venues. With vaccination rates falling, cases rising, and ongoing challenges implementing indoor mask mandates, this is our strongest option.

However, implementing vaccine passports will come with many risks and challenges. I will use the rest of this memo to describe why we should do this, and what downsides we should be guarding against — especially from a security and privacy perspective. By planning around the latter, we can mitigate them significantly.

Why we should mandate indoor proof of COVID-19 vaccination

COVID-19 vaccines demonstrably reduce virus transmission, and also reduce virus levels in people who get infected. Why mandate proof? The answers here are straightforward:

  • Creates strong incentive for vaccination: With vaccination rates in the US largely plateauing, it’s critical that governments use carrots and sticks to drive behavior change. Though direct mandates for non-government actors are untenable politically, restricting one’s access to commercial opportunities is an extremely effective strategy.
  • Aligns with city and state trends: To date, close to 70% of our state is fully vaccinated. This sort of policy is not out-of-step with the tides of public opinion. Instead, it protects Bostonians from, e.g., the risks posed by out-of-town visitors.
  • Supports businesses and stimulates the economy: By making businesses safer both in practice and in the public mind through these targeted restrictions, we will end up actually supporting them financially.
  • Paves broader path towards comprehensive digital identification: In the future, comprehensive digital identification will likely be a goal of government at various levels. Though this bears many risks and watch-outs (see below), this effort would be a critical source of learning (an MVP, so to speak) for future ones. As several authors in Brookings recently argued, “now is the time to implement a national standard on how personal data is collected and processed to avoid the abuse of fundamental rights.”

Risks we must plan around

As they say, the best defense is offense. For each of these risks, I propose that we actually run scenario tests to see how well we’re defending against them. Though my primary point here is around privacy/security, it bears naming the many other risks this policy poses.

  • Exacerbating inequities: This solution does favor tech-savvy/smartphone-using citizens; those on the wrong side of the digital divide could be excluded from commercial activity and other basic services. We must continue investing in closing the device and connectivity gaps; we could also consider creative ways of turning paper cards into true, validated passports.
  • Failure to scale: The success of a COVID-19 passport in our city rests on large adoption and network effects; without broad buy-in, we will have jumped many technical, legal, and logistical hurdles for nothing. We must advertise heavily, and partner with big, popular businesses to make the case.
  • Lack of enforcement: As with mask mandates, there remains a risk that even with digital passports, businesses won’t check potential customers in practice. We must create accountability mechanisms (e.g., random checks) to ensure these passports are used.
  • Potential for fraud: There is an emerging black market for anti-vaxxers to get fake vaccine cards online; it seems nearly inevitable that similar efforts will emerge even with digital passports connected to government databases. We should run fraud checks on our system once it is stood up.
  • Privacy & security concerns: This is the big one!! Actually, let’s give it its own section…

Privacy & security concerns

By far, the biggest risk of this policy recommendation surrounds data privacy, and the protection of citizens’ personal information. Especially given that we don’t have a strong federal privacy law covering this sort of application, citizens would be right to have fears around distribution of their PHI — either through sale to commercial entities (i.e., privacy), or through an attack of some sort (i.e., security).

As there are many levels of security risk that this poses, I will walk through some possible scenarios from The Security Cards, and then propose some ways to hedge against those.

  • Adversary’s motivations: convenience (e.g., as a new system, this may seem more hackable than other city databases), curiosity/boredom (e.g., look up celebrities’ medical records), politics (e.g., someone trying to block your re-election may seek to hack this system), money, worldview (e.g., to prove that this is an unethical use of citizen data), warfare (e.g., as means of spreading misinformation)
  • Adversary’s methods: manipulation or coercion (e.g., through phishing our city government employees), processes, indirect attack, attack coverup
  • Adversary’s resources: expertise, impunity, inside capabilities, inside knowledge
  • Human impact: emotional wellbeing, personal data, societal wellbeing (could induce mass hysteria, alter public discourse, or impact access to resources)

Principles to safeguard:

  • Use the minimum amount of citizen data possible to build the app
  • Integrate two-factor authentication and other cybersecurity best practices
  • Train employees on avoiding cyber attacks like phishing; run system tests
  • Perhaps advocate for state-level (or better yet, federal level) privacy legislation, setting a standard for how we collect and process citizens’ sensitive data

In conclusion

Despite all of the risks and concerns I’ve outlined, implementing a COVID-19 passport for indoor businesses is the strongest path to achieving our priorities for the city of Boston. We must do so very cautiously and in partnership with cyber-security experts, equity-focused stakeholders, and user researchers who can help us understand the businesses and citizens we’re aiming to serve.
