Tag Archives: airport

The Digital Green Certificate (EU Green Pass), for and against

So I attended the ID4Africa webcast that discussed vaccination certificates, including its discussion of harmonization of the myriad of certificates—a topic that clearly interests me.

If you didn’t already hear this on my recent podcast (microcast?) episode, Pavlina Navratilova of IDEMIA discussed three vaccination certificate standards that affect Europeans. One of these is the Digital Green Certificate, also known as the EU Green Pass.

In this post I’ll explain what the Digital Green Certificate is, why some people think this health measure is essential to the continuance of civilization, and why some people think it destroys civilization as we know it.

Or something like that.

What is the Digital Green Certificate?

First, a clarification. The word “green” in Digital Green Certificate does not refer to saving the whales. It refers to “green means go” in terms of COVID-19. Specifically, a Digital Green Certificate is a digital proof that a person has either

tick iconbeen vaccinated against COVID-19
tick iconreceived a negative test result or 
tick iconrecovered from COVID-19

The certificate will also be available in paper format for us old-school types, but the digital version is what interests me.

The certificate will not be issued by the EU itself, but by entities within each EU country such as health authorities or individual hospitals. The certificate will be in a person’s national language and in English (for those who have forgotten, English is no longer a national language within the European Union due to Brexit).

From https://ec.europa.eu/commission/presscorner/api/files/attachment/868508/Digital%20Green%20Certificate_en.pdf.pdf

Each certificate will contain a QR code to ensure authenticity, and these QR codes will be tracked at the EU level.

Each issuing body (e.g. a hospital, a test centre, a health authority) has its own digital signature key. All of these are stored in a secure database in each country.

The European Commission will build a gateway. Through this gateway, all certificate signatures can be verified across the EU. The personal data encoded in the certificate does not pass through the gateway, as this is not necessary to verify the digital signature. The  Commission will also help Member States to develop a software that authorities can use to check the QR codes.

The idea is that any EU citizen can provide national proof of vaccination, negative test, or recovery from COVID and that this national proof will be accepted in any other EU country, subject to the specific rules of that country.

On the other hand, the EU does not want to restrict freedom of movement within the EU.

The Digital Green Certificate should facilitate free movement inside the EU. It will not be a pre-condition to free movement, which is a fundamental right in the EU.

For more details on the plans for the Digital Green Certificate, see this European Commission page. Work continues to get the Digital Green Certificate up and running, including approval of technical specifications.

Entities supporting the Digital Green Certificate

Like anything COVID-related, there are entities that support the Digital Green Certificate, and entities that oppose it.

One group of entities that supports the Digital Green Certificate is the European airline industry. Because of the adverse economic effects of COVID travel restrictions, the airline industry not only wants Digital Green Certificates, but it wants them in time for the summer travel season. Here’s an excerpt from a statement from Airlines for Europe (A4E):

A4E welcomed today’s decision by the European Parliament to fast-track the European Commission’s Digital Green Certificates proposal using an Urgent Procedure. A positive decision by the European Council later today would set in motion a vote on the certificates by the end of April, facilitating the European Commission’s plan to have the certificates operational by June….

“With vaccination programmes underway, I am even more confident travel will be possible this summer. Airlines are ready to re-connect Europe and support economic recovery. I look forward to working with A4E members and policy leaders on this critical work ahead”, (A4E Chairman John) Lundgren added.

The “get people on flights” message is loud and clear.

And it’s not just the airlines; this initiative is also supported by the World Travel and Tourism Council and European Travel Commission. And the European Tourism Manifesto. And the European Exhibition Industry Alliance.

And (most importantly!) the general concept is supported by Vince, who though he is no longer in the EU (did I mention Brexit?), wrote this back in April:

#vaccinationcertificates The reason we need mandatory #vaccinationcards is because of the #superspreaders who demonstrated yesterday. Banning them from #pubs#football.#holidays#events etc will force #covididiots to adhere to the rules or stay at home. @LBC

And then there is the view of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). They support the idea, but with some qualifications:

Andrea Jelinek, Chair of the EDPB, said: “A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place.”

Wojciech Wiewiórowski, EDPS, said: It must be made clear that the Proposal does not allow for – and must not lead to – the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis.”

This raises an interesting point that was also raised (after I left) in the ID4Africa webinar: what will happen to the Digital Green Certificate in the long term? The attendees were polled on this question.

From https://twitter.com/ID4AfricaLive/status/1390311486757744646

Obviously the EDPB and EDPS prefer option 3, in which the Digital Green Certificate disappears once the pandemic is over.

Entities opposing the Digital Green Certificate

But not everyone believes that the Digital Green Certificate is a wonderful thing. Take the attitude of the the Dutch section of the International Commission of Jurists (NJCM), as expressed in a liberties.eu post.

As NJCM explains in a letter to the European Parliament, the EU has set up a system and infrastructure for Green Certificates, but only partially regulates the use of these Green Certificates. This leaves it up to member states to make their use mandatory, or to use Green Certificates in many more areas than just border control. Such mandatory use of Green Certificates may limit the freedom of movement, the right to not be discriminated against, the right to privacy, the right to data protection and, indirectly, the right to the integrity of the person (since the ability to travel is made conditional on undergoing testing or vaccination).

While the UK is (as I may have previously mentioned) outside of the EU, that country’s National Museum Directors’ Council has weighed in on the concept of vaccination certificates in general. Unlike airlines that believe that such certificates will encourage travel, the museum directors think these certificates will actually restrain it.

In the UK, where a government consultation on vaccine passports has proved controversial, a coalition of leading museum directors has spoken out against their potential use in museums. Such a scheme “sits at odds with the public mission and values of museums”, the National Museum Directors’ Council said, warning that it would constitute “an inappropriate form of exclusion and discrimination”. 

And, to be truthful, the existence of any type of vaccine certificate allows a distinction between those who are (believed to be) COVID-free and those who are not. You can use the emotionally-charged word “discrimination” or the less-charged “distinction,” but either way you’re dividing people into two groups.

The only way to remove such a distinction is to automatically assume that everyone has COVID. That could close the museums

…but at least everyone will be treated equally without discrimination. So that’s a good thing…I guess…

The REAL ID deadline has been extended…again

Three days ago, I read a news item on LinkedIn that stated that the REAL ID deadline might be extended.

I reacted.

My response is a one-word response: “AGAIN?”

I admit to a bit of frustration. For years, some states resisted REAL ID because of federalism concerns. (When MorphoTrak was briefly trying to win driver’s license contracts by competing against our sibling MorphoTrust, I remember one state RFP that explicitly stated that the state would NOT comply with the REAL ID mandate.)

Finally, after hemming and hawing, all of the states agreed to become REAL ID compliant (15 years after the original mandate). Then, as people rushed to get REAL IDs, #covid19 hit and the driver’s license offices closed.

The offices are now open, but some people STILL haven’t gotten REAL ID.

Prediction: if the deadline is extended to 2022, significant numbers of people won’t have REAL IDs by 2022.

Well, I will never get the chance to see if my prediction was accurate, because in the end, the REAL ID deadline was NOT extended to 2022.

It was extended to 2023, according to sources. (As I write this, the DHS website has not yet been updated.)

The Department of Homeland Security will delay the requirement for air travelers to have a Real ID-compliant form of identification, pushing it back 19 months, DHS Secretary Alejandro Mayorkas said Tuesday.

The deadline was supposed to be Oct. 1, but it’s now being postponed until May 3, 2023. 

Here’s the rationale that Secretary Mayorkas provided.

“Extending the Real ID full enforcement deadline will give states needed time to reopen their driver’s licensing operations and ensure their residents can obtain a Real ID-compliant license or identification card.”

Of course, since may people object to REAL ID on principle, it could be extended again and again for ANOTHER fifteen-plus years and people STILL won’t get it.

How many health passports will convention attendees need to revisit Las Vegas?

Two years ago, this picture wouldn’t look strange to me. Now it looks unusual.

ISC West, Las Vegas Nevada, 2017. https://twitter.com/JEBredCal/status/849649679016927233

I took this picture on the morning of April 5, 2017. I had just flown from Ontario, California to Las Vegas, Nevada to attend the ISC West show for a day, and would fly home that evening.

The idea of gathering thousands of businesspeople together in Las Vegas for a day obviously wasn’t unusual in 2017. While many think of Las Vegas as a playground, a lot of work goes on there also, and Las Vegas has superb facilities to host conventions and trade shows. So superb, in fact, that Oracle announced in late 2019 that it was moving its annual Oracle OpenWorld conference from San Francisco (up the road from Oracle’s headquarters) to Las Vegas.

But then 2020 happened.

One month after Oracle started planning for the Las Vegas debut of Oracle OpenWorld, the 2020 Consumer Electronics Show took place in Las Vegas. Unbeknownst to the 170,000 attendees at that show, they were unknowingly spreading a new illness, COVID-19. They did this by doing things that people always did at trade shows, including standing next to each other, shaking hands, and (in business-appropriate situations) embracing each other.

Of course, the CES attendees didn’t know that they were spreading coronavirus, and wouldn’t know this for a few months until after they had returned home to Santa Clara County, California and to other places all around the world. By the time that CES had been identified as a super spreader event, Las Vegas convention activities were already shutting down. The 2020 version of ISC West had already been postponed from March to July, was then re-postponed from July to October, and would eventually be cancelled entirely. Oracle OpenWorld’s September debut in Las Vegas was similarly cancelled. As other companies cancelled their Las Vegas conferences, the city went into a tailspin. (Anecdotally, one of my in-laws is a Teamster who works trade shows in Las Vegas and was directly affected by this.)

Today, one year after the economies of Las Vegas and other cities shut down, we in the United States are optimistically hoping that we have turned a corner. But it’s possible that we will not completely return to the way things were before 2020.

For example, before attending a convention in Las Vegas in the future, you might need to present a physical or digital “health passport” indicating a negative COVID-19 test and/or a COVID-19 vaccination. While governments may be reluctant to impose such requirements on private businesses, private businesses may choose to impose such requirements on themselves – in part, to reduce liability risk. After all, a convention organizer doesn’t want attendees to get sick at their conventions.

As I noted almost two months ago, there are a number of health passport options that are either available or being developed. This is both a good thing and a bad thing. It’s a bad thing for reasons that I noted in February:

In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpassCommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solutionScan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed….

But the wealth of health passports IS a problem if you’re a business. Imagine being at an airport gate and asking a traveler for a Clear Health Pass, and getting an angry reply from the traveler that he already has a VeriFLY pass and that the airline is infringing upon the traveler’s First and Second Amendment rights by demanding some other pass.

When I wrote this I wasn’t even thinking about convention attendance. In a worst-case scenario, Jane Conventioneer may need one health pass to board her flight, another health pass to enter her hotel, and a third health pass to get into the convention itself.

This could potentially be messier than I thought.

Pangiam, a new/old player in biometric boarding

Make vs. buy.

Businesses are often faced with the question of whether to buy a product or service from a third party, or make the product or service itself.

And airports are no exception to this.

The Metropolitan Washington Airports Authority (MWAA), the entity that manages two of the airports in the Washington, DC area, needed a biometric boarding (biometric exit) solution. Such solutions allow passengers to skip the entire “pull out the paper ticket” process, or even the “pull out the smartphone airline app” process, and simply stand and let a camera capture a picture of the passenger’s face. While there are several companies that sell such solutions, MWAA decided to create its own solution, veriScan.

https://www.airportveriscan.com/

And once MWAA had implemented veriScan at its own airports, it started marketing the solution to other airports, and competing against other providers who were trying to sell their own solutions to airports.

Well, MWAA got out of the border product/service business last week when it participated in this announcement:

ALEXANDRIA, Va., March 19, 2021 /PRNewswire/ — Pangiam, a technology-based security and travel services provider, announced today that it has acquired veriScan, an integrated biometric facial recognition system for airports and airlines, from the Metropolitan Washington Airports Authority (“Airports Authority”). Terms of the transaction were not disclosed.

Pangiam is clearly the new kid on the block, since the company didn’t even exist in its current form a year ago. Late last year, AE Industrial Partners acquired and merged the decade-old Linkware and the newly-formed Pangian (PRE LLC) “to form a highly integrated travel solutions technology platform providing a more seamless and secure travel experience.”

But in a sense, Pangiam ISN’T new to the travel industry, once you read the biographies of many of the principals at the company.

  • “Most recently (Kevin McAleenan) served as Acting Secretary of the U.S. Department of Homeland Security (DHS)….”
  • “Prior to Pangiam, Patrick (Flanagan) held roles at U.S. Customs & Border Protection (CBP), the U.S. Navy, the National Security Staff, the Transportation Security Administration (TSA), and the Department of Homeland Security (DHS).”
  • “Dan (Tanciar) previously served as the Executive Director of Planning, Program Analysis, and Evaluation in the Office of Field Operations (OFO) at U.S. Customs and Border Protection (CBP).”
  • “Prior to Pangiam, Andrew (Meehan) served as the principal adviser to the Acting Secretary for external affairs at the Department of Homeland Security (DHS).”
  • “(Tom Plofchan) served as a National Security Advisor to the Department of Energy’s Pacific Northwest National Laboratory before entering government to serve as the Counterterrorism Advisor to the Commissioner, U.S. Customs and Border Protection, and as Counterterrorism Counselor to the Secretary, U.S. Department of Homeland Security.”

So if you thought that veriScan was well-connected because it was offered by an airport authority, consider how well-connected it appears now because it is offered by a company filled with ex-DHS people.

Which in and of itself doesn’t necessarily indicate that the products work, but it does indicate some level of domain knowledge.

But will airports choose to buy the Pangiam veriScan solution…or make their own?

When the health passports can’t talk to each other

I’m going to open this post with something that I wrote nearly eight years ago.

I’m sure that many people imagine that standards are developed by a group of reasonable people, sitting in a room, who are pursuing things for the good of the world.

You can stop laughing now.

I wrote this in the context of the then-emerging compression format WebP (we’ll return to WebP itself later). The point that I was making was that something becomes a “standard” by brute force. If a lot of people like something, it’s a standard.

The issue with standards is that they can take years to develop, so standards are adopted after the fact.

Now let’s look at “health passports.” As you may have guessed, these “passports” can be used to enter a country, or a state, or an office building, and are specifically devoted to certifying the health of the passport bearer. If the person meets the health criteria, they can enter the country/state/building. If not, they are prohibited from entry.

An Ottoman passport (passavant) issued to Russian subject dated July 24, 1900. By FurkanYalcin3 – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=27699398

In a sense, the concept of a health passport is nothing new. Before entering a country, you are often required to satisfy various health conditions, such as being free of tuberculosis.

The current impetus for health passports, of course, is COVID. When COVID spread across the world a year ago, and governments began shutting down borders between countries, a lot of people at a lot of government agencies and a lot of companies began asking two basic questions:

  1. When reliable COVID tests are developed, how will we know whether someone has successfully passed a COVID test?
  2. When reliable COVID vaccines are developed, how will we know whether someone has successfully been vaccinated against COVID?

These questions, especially the second one, were mostly theoretical a year ago, but the government agencies and the companies needed answers to them as soon as possible. And the governments and the companies weren’t going to wait for the entire world to agree on a plan; they wanted to move ahead THAT DAY.

It’s a year later, and COVID tests are readily available, and COVID vaccines have been developed and approved in various countries. And we’ve made a lot of progress.

Or have we?

As Jim Nash notes in a Biometric Update article, there are several different solutions to the “health passport” issue. Nash lists two of them:

  1. The state of Hawaii is working with Clear, United Airlines, and Delta Airlines on a solution. Initially this only documents testing, but it could be expanded to vaccine documentation.
  2. The Malaysia Aviation Group is working with “local authorities” on its own solution.

And that’s just the start of options for health passports. In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpass, CommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solution, Scan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed.

Can you say “early in the product lifecycle”?

Now the wealth of health passport solutions isn’t much of a problem for most consumers, since we’ll probably need one or two health passports at most as this market matures. Maybe a US person might need one or two health passports for domestic travel, and maybe one to get into the office. In extreme conditions, maybe they’ll be required to enter grocery stores, but this is doubtful considering the resistance of American personalities to governments telling us what to do.

But the wealth of health passports IS a problem if you’re a business. Imagine being at an airport gate and asking a traveler for a Clear Health Pass, and getting an angry reply from the traveler that he already has a VeriFLY pass and that the airline is infringing upon the traveler’s First and Second Amendment rights by demanding some other pass.

Eventually there will be enough of a brouhaha over the multitude of incompatible passes. At that time, several efforts will be made to establish THE standard for health passports, or at least for health passport interoperability.

Yes, “several efforts” will be made. Because each vendor will unsurprisingly advance its own passport as the best one for the standard, or perhaps will form alliances with selected other vendors.

And it will get messy.

Take WebP, which Google was trying to push as a standard eight years ago, with some people accepting WebP, others not supporting it, and others opposing it and then supporting it. Well, while that fight continues…

…Google is experimenting with WebP2.

Yes, progress is good, but there’s a cost to planned obsolescence.