The Problem with Health Passports
During these complicated times, it becomes clear that world governments did not have contingencies not only in case of a Pandemic, but any kind of contagion that covered more than an isolated region. It becomes clear then, that most of the measures taken against a threat that cannot be directly fought until such a time when we have a vaccine or working treatment, are examples of "playing it by ear". I find it commendable that most countries have taken measures that hit their GDP in the face of a threat for which they were unprepared. However, we are now at the point when technological "solutions" to some of the issues are being flaunted as quick solvers for a complicated topic. The questions on their legality and privacy-keeping features abound, without definite good answers. We want to talk about Health Passports today and the potential threats to privacy they present (contact tracing apps is a whole other beast and interest in those seem to be waining). I won't go too deep on topics such as social impact, actual sanitary benefits or logistics, as there is already a very nice article published for Nature by Natalie Kofler & Françoise Baylis[^1]. Now, I am sure that a team of cybersecurity and cryptography specialists far more prepared than I are working on a highly secure form of Health Passports; we need to keep in mind that this is a measure that is intended to restrict and control movement, which means it rests on a central system that can keep tabs on people. Here we have the first issue: as of today, most people have a smartphone, which means their location and movement history is being recorded by many companies, chiefly Alphabet (Google). Bad as this is already, the revelations made in the last few years show that, obtaining this information takes a government no small amount of interference in those companies. A health passport and sufficient control points spread out in a region would provide similar data directly to the State. Moreover, these passports would also contain a lot of sensitive information about the individual. It would certainly start with COVID-19 immunity linked to the person, but from there it's a slippery slope leading to, in the worst case, anything that might be related to how the virus *could* affect you, particularly medical history and biometrics. The latter has interesting ramifications, since more and more Access Control mechanisms, like vault locks or our own smartphones, rely on them. Let us also glance over the fact that, even if the app is secure and cryptographically sound, there still could be implementation issues (breaches in government systems and leaks of medical data is not unheard of). More often than not, these control measures will most likely persist over time. The government that puts this in place and has access to the data, will eventually change. It can be argued that people give some of this data willingly (although in some cases I would say *unknowingly*) to companies in exchange for services, why not give it to a government that was democratically elected and *should* be held accountable of any misuse? Because the extent of the damage would be multiplied. Take the example of the 2017 Argentinian mid-term elections: it was discovered that the then government was a client of Cambridge Analytica, but what went underreported is the fact that they also used the Social Security database to better direct their marketing and disinformation campaigns depending on the income of distinct regions. This would now also include a possible misuse of highly sensitive medical data. We shouldn't aim to lower the control of our privacy by also giving governments our data freely, but we should instead strive to make a push to regain it from corporations and make them legally accountable for any misuse.
Emiliano Ipar / 1600 Avenue - Justice League --- [^1]: [Nature Article] (https://www.nature.com/articles/d41586-020-01451-0)