Dark Reading is part of the Informa Tech Division of Informa PLC


Post Pandemic, Technologists Pose Secure Certification for Immunity

Going digital with immunity passports could speed rollout and allow for better warnings of potential hot spots. But security and privacy issues remain.

With signs that the coronavirus pandemic is waning in several countries, world leaders have begun to consider how their economies can be reopened, with a focus on the large — and growing — group of people who have already survived infection and should be able to return to work.

Yet to do that, businesses and the government need to be able to identify and certify those who have gained immunity. Enter the concept of "immunity passports."

The promise of such immunity certificates is that people who have already had their bout with the novel coronavirus and gained immunity can go back to work because they are presumably vaccinated against reinfection. Germany plans to introduce immunity certificates for citizens who have been exposed and are now immune. China has already implemented a red-amber-green system that classifies citizens according to the risk they pose to others. And in the United States, immunity cards are being considered, Anthony Fauci, director of the National Institute of Allergy and Infectious Diseases, told CNN.

While paper certificates may be an option, a digital certificate will likely be preferable. Already, China has deployed such certificates to its citizens' mobile devices. It's likely that other countries will do the same, making the infrastructure easier to roll out and maintain but raising the possibility of privacy and security issues.

"This can be a catalyst for how best we can use technology to help us, if done in the right way," says Husayn Kassai, CEO of digital-identity startup Onfido. "We can't argue with the fact that the Chinese model is effective — if your phone cannot say you are green, then you cannot be out — but there is zero privacy. There does not need to be a trade-off, however. You can offer all those benefits and have a privacy-first approach with a decentralized model."

For decades, decentralized systems that rely on certifying attributes — such as that the bearer is old enough to consume alcohol — as opposed to identity have been a dream of privacy-conscious technologists. Cryptographer Stefan Brands built on efforts by David Chaum to create the technical underpinnings needed for anonymous credentials in the 1990s and early 2000s. While digital tickets for events and gift certificates have adopted some digital certificate technology, neither attests to an attribute of the bearer nor disconnects the use of the certificate from the identity of the user.

Anonymous certification of immunity could be the first widely used application to do both.

Yet digital immunity certificates also pose a number of challenges in terms of infrastructure, education, and economics, says Kayne McGladrey, chief information security officer at prototyping firm Pensar Development and a member of the IEEE, the world's largest technical professional organization. 

"Businesses and organizations would need to ... educate their workforce on how to validate that a certificate was correct," he says. "And there would need to be a substantial educational investment to combat the inevitable phishing campaigns that’d spring up, such as fake websites to collect personally identifiable information and fake security alerts associated with these digital certificates."

The basic infrastructure of a privacy-preserving architecture would include public-key certification infrastructure that verifies approved test kits, certifies the results either remotely (for a home test kit) or through a provider (at a doctor's office or clinic), links the result to a credential stored on the user's mobile device, and then provides the public version of the certificate to others when approved by the user.

Getting it right is necessary because if an immunity certification is needed to return to work, cheating could become an issue, says Onfido's Kassai. The company has gained new funding to apply its artificial-intelligence technology for verifying identity to, among other applications, the positive identification of people taking a coronavirus test by matching a photo ID with a selfie.

"Let's say a testing kit arrives at my house — the question is how do I prove that I was the one that was tested?" Kassai says. "And if you are out and you are asked to show your certification that you are immune, you need to be able to re-authenticate with your face."

All the components of the infrastructure for a digital passport exist, but creating open standards and certifying tests are both hurdles that need to be overcome, says Jasson Casey, chief technology officer for Beyond Identity, an identity provider aiming to ditch passwords.

"There are a lot of details that do not have to do with technology, but more with the chain of custody, that have to be addressed and handled," Casey says.

Other problems exist for any immunity passport system, whether digital or paper-based. The number of false-negatives — people who initially test negative for COVID-19 even though they have the virus — may be higher than scientists believe, making the re-evaluation of a certification a necessary element. Digital credentials could more easily be rescinded if a class of testing is found to be too inaccurate.

In addition, how long immunity to the novel coronavirus lasts is still an open question. People only retain immunity to the common cold, which is also caused by the same category of viruses, for a few months. Any immunity certificate infrastructure would have to support an expiration date on the certificate.

Finally, because the digital certificate has to do with health information, privacy becomes a major issue, as does who can request access to the certificate. 

"Off the cuff, people will say certainly I don't mind saying I'm COVID-free, but we don't know what stigmas might come or go in the future for those infected by COVID," says Beyond Identity's Casey. 
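The architecture and the expiry and rescinding requirements described above can be shown in code. This is an added example, not code from the article or from any vendor quoted in it; the field names, the Ed25519 signatures, the string encoding and the per-test-class revocation map are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Credential attests an attribute, not an identity. All names here are assumptions.
type Credential struct {
	Attribute string
	TestClass string            // lets a whole class of tests be rescinded at once
	Holder    ed25519.PublicKey // key kept on the user's device
	Expires   time.Time
	Sig       []byte // issuer signature over signedBytes()
}

func (c Credential) signedBytes() []byte { // unambiguous encoding of every signed field
	return []byte(fmt.Sprintf("%q|%q|%x|%d", c.Attribute, c.TestClass, c.Holder, c.Expires.Unix()))
}

// Issue is run by the certifying lab or provider after the test result is known.
func Issue(lab ed25519.PrivateKey, c Credential) Credential {
	c.Sig = ed25519.Sign(lab, c.signedBytes())
	return c
}

// Verify is the relying party's check; proof is the holder's signature over a fresh nonce.
func Verify(lab ed25519.PublicKey, c Credential, nonce, proof []byte, revoked map[string]bool, now time.Time) error {
	switch {
	case !ed25519.Verify(lab, c.signedBytes(), c.Sig):
		return errors.New("issuer signature invalid")
	case len(c.Holder) != ed25519.PublicKeySize || !ed25519.Verify(c.Holder, nonce, proof):
		return errors.New("holder proof invalid")
	case !now.Before(c.Expires):
		return errors.New("expired")
	case revoked[c.TestClass]:
		return errors.New("test class rescinded")
	}
	return nil
}

func main() {
	labPub, labPriv, _ := ed25519.GenerateKey(nil) // constructed keys and sample values
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	now, nonce := time.Date(2020, 4, 20, 0, 0, 0, 0, time.UTC), []byte("constructed-nonce")
	c := Issue(labPriv, Credential{Attribute: "immune", TestClass: "kit-A", Holder: devPub, Expires: now.AddDate(0, 3, 0)})
	fmt.Println(Verify(labPub, c, nonce, ed25519.Sign(devPriv, nonce), map[string]bool{"kit-A": true}, now))
}
```

A plain signature like this can be linked across every place it is shown; the anonymous-credential schemes of Chaum and Brands mentioned earlier exist to remove that linkage.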

Yet, if done correctly, immunity certification could help jump-start the economies of many nations and prove the concept of digital credentials, he says.

"Attestation to claims prior to this, honestly, has always felt like something that it is nice to have. This is clearly different," Casey says. "Some very large percentage of the US workforce is sitting at home. If this is an enabling capability to get them back out the door, that is a much stronger use case than giving people the anonymous ability to log in to an 18-plus site."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
