How to build an equitable vaccine passport that respects people’s privacy

By John Ackerly

March 19, 2021

One of President Joe Biden’s executive orders aimed at curbing the pandemic asks government agencies to “assess the feasibility” of linking coronavirus vaccine certificates with other vaccination documents and producing digital versions of them. A vaccine passport, an official document that shows your vaccination status, may soon be required to work or travel. Airlines, industry groups, nonprofits, and technology companies are building a version of this idea that you can display on your mobile phone as an app or part of your digital wallet.

Fully reopening the economy requires that we quickly build and administer a protected and equitable digital vaccine passport system. Yet, there are two significant challenges to its success: trust and the digital divide.

The American public does not trust our institutions and government with our private data, including information needed for a digital vaccine passport. And for good reason—we can’t protect what we can’t control. According to a recent Pew Research Study, more than 6 in 10 U.S. adults don’t think it’s possible to go through daily life without having data collected about them. We’ve seen the devastating effects of this lack of trust throughout the pandemic response: widespread public rejection of digital contact tracing systems and now, new concerns over vaccine passports.

The other challenge, the digital divide, surrounds all aspects of the pandemic response and further complicates the feasibility of a digital vaccine passport. According to Pew Research, 19% of American adults do not own a smartphone while about 16% of U.S. adults are digitally illiterate.

But there is a path forward to building trust and closing the digital divide. New technologies are available that can put the control of data privacy in the hands of the American public. These technologies would enable people and institutions to easily protect data wherever it’s shared, without ever having to trust a third party. Through a simple user interface, you could have control and visibility over the data being shared—from when it’s gathered to when you want to revoke access to it.

People could decide at any time who has access to their personal information and set automatic expiration dates to revoke that access, especially when there’s no longer a need to share that data—for example, when the pandemic is over. These capabilities also mitigate the concern that the government would use data needed for the digital vaccine passport as an on-ramp to a national digital ID system.

These technology capabilities exist today and are being used in the U.S intelligence community. There’s no reason why they can’t be offered to the public as well.

Bridging the digital inequity gap also requires that paper-based passports and controls (for example, the ability to easily print) are available to those who need them. There have been paper-based vaccine passports in place for years (to document yellow fever, for example). And while we don’t want to move backward, a modern vaccine passport must support multiple modes, including paper, ensuring that everyone has access.

Outreach and education programs are also required to close the digital divide and build trust. For example, Maryland’s Vaccine Equity Task Force works with the state’s local health departments to focus COVID-19 vaccination efforts on underserved, vulnerable, and hard-to-reach populations to ensure the equitable delivery of vaccines. They are working to bring mobile vaccination clinics to these areas, and plan to partner with the other organizations to establish large, community-focused vaccination sites. These kinds of outreach programs can be used as models to provide vaccine passports (digital and paper-based) to underserved and digitally illiterate communities.

While technology and educational outreach are central to establishing trust within the public and private sectors, fighting the pandemic, and reopening the economy, government policy and regulation are also needed.

At the federal level, Biden should issue a privacy-first executive order that establishes a baseline for privacy rights: where data should be controlled and auditable, and any data shared should be revokable by the individual. This is often referred to as “verifiable control” of one’s data. Similar rights are included in the European Union’s General Data Protection Regulation. Putting verifiable privacy rights and controls in the hands of the public will go a long way toward building trust.

At a state level, the California Privacy Rights Act (CPRA) provides consumers with rights regarding their personal data. For example, the CPRA stipulates that consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed, so they can exercise meaningful control over that information.

Many parties are now collaborating on building a digital vaccine passport, working to create a long-lasting, ethical, inclusive technological solution that guarantees privacy while serving to strangle the spread of COVID-19. We have months, not years, to get this digital credential right. If it goes well, this can serve as a prime model for how government and institutions can roll out equitable digital services on a massive scale to great public benefit.


John Ackerly is the CEO and cofounder of Virtru. He previously served as a technology policy adviser at the White House and was the policy and strategic planning director at the U.S. Department of Commerce. 

(25)