The ITIF, digital identity, and federalism

I just read an editorial by Daniel Castro, the vice president of the Information Technology and Innovation Foundation (ITIF) and director of the Center for Data Innovation. The opinion piece, published in Government Technology, is entitled “Absent Federal IDs, Digital Driver’s Licenses a Good Start.”

You knew I was going to comment on this one.

Why Daniel Castro supports a national digital ID

Let me allow Castro to state his case.

After Castro identifies the various ways in which people prove identity online, and the drawbacks of these methods, here’s what Castro says about the problem that needs to be addressed:

…poor identity verification is one of the reasons that identity theft is such a growing problem as more services move online. The Federal Trade Commission received 1.4 million reports of identity theft last year, double the number in 2019, with one security research firm estimating $56 billion in losses.

Castro then goes on to state his ideal solution:

The best solution to this problem would be for the federal government to develop an interoperable framework for securely issuing and validating electronic IDs and then direct a federal agency to start issuing these electronic IDs upon request. 

Castro then notes that the federal government has NOT done this:

But in the absence of federal action, a number of states have already begun this work on their own by creating digital driver’s licenses that provide a secure digital alternative to a physical identity document.

Feel free to read the rest of the story.

“Page two.” By Shealah Craighead – The original was formerly from here and is now archived at georgewbush-whitehouse.archives.gov., Public Domain, https://commons.wikimedia.org/w/index.php?curid=943922

But for me I’m going to stop right there.

Why Americans oppose mandatory national physical and digital IDs

Castro’s proposal, while ideal from a technological standpoint, doesn’t fully account for the realities of American politics.

Many Americans (regardless of political leanings) are strongly opposed to ANY mandatory national ID system. For example, many Americans don’t want our Social Security Numbers to become mandatory national IDs (even though they are de facto national IDs today). And while the federal government does issue passports, it isn’t mandatory that people GET them.

And many Americans don’t want state driver’s licenses to become mandatory national IDs. I went into this whole issue in great detail in my prior post “How 6 CFR 37 (REAL IDs) exhibits…federalism,” which made the following points:

  1. States are NOT mandated to issue REAL IDs. (And, no citizen is mandated to GET a REAL ID.)
  2. The federal government CAN mandate which IDs are accepted for federal purposes.
  3. Because the federal government can mandate the IDs to use when entering a federal facility or flying at a commercial airport, ALL of the states were eventually “persuaded” to issue REAL IDs. (Of course, it has take nearly two decades, so far, for that persuasion to work, and it won’t work until 2023, or later.)

So, considering all of the background regarding the difficulties in mandating a national PHYSICAL ID, imagine how things would erupt if the federal government mandated a national DIGITAL ID.

It wouldn’t…um…fly.

Transportation Security Administration Checkpoint at John Glenn Columbus International Airport. By Michael Ball – Own work, CC0, https://commons.wikimedia.org/w/index.php?curid=77279000

And this is why some states are moving ahead on their own with mobile driver’s licenses.

LA Wallet Louisiana Digital Driver’s License. lawallet.com.

However, there’s a teeny tiny catch: while the states can choose to mandate that their mDLs be accepted at the STATE level, states cannot mandate that their digital identities be used for FEDERAL purposes.

Here we go again.

Of course, federal government agencies are starting to look at the issues with a mobile version of a “REAL ID,” including the standard(s) to which any mobile ID used for federal purposes must adhere.

Improving Digital Identity Act of 2020, or 2021, or 2025…

While the government agencies are doing this work, another government agency (the U.S. Congress) is also working on this. Castro mentions Rep. Bill Foster’s H.R. 8215, introduced in the last Congress. I’m not sure why he bothered to introduce it in September 2020, when Congress wasn’t going to do anything with it. As you may have heard, we had an election at that time.

Of course, he just reintroduced it last month, so now there’s more of a chance that it will be considered. Or maybe not.

Regardless, the “Improving Digital Identity Act” proposes the creation of a task force at the federal level with federal, state participants, and local participants. It also mandates that NIST create a digital identity “framework,” with an interim version available 240 days after the Act is passed. Among other things, the ACT also mandates that NIST Special Publication 800-63 become “binding operational directives” for federal agencies.

(Does that mean that it will be illegal to mandate password changes every 90 days? Woo hoo!)

Should this Act actually pass at some point, its directives will need to be harmonized with what the Department of Homeland Security is already doing, and of course with what the states are already doing.

Oh, and remember my reference to the DHS’ work in this area? Among those who have submitted verbal and/or written comments, several (primarily from privacy organizations) have stated that the government should NOT be promoting ANY digital ID at all. The sentiments in this written comment, submitted anonymously, are all too common.

There are a lot of security and privacy concerns with accepting digital ID’s. First and foremost, drivers licenses contain a lot of sensitive information. If digital ID’s are accepted, then it could potentially leak that info to hackers if it is not secured properly. Plus, there is the added concern that using digital ID’s will lead to extra surveillance where unnecesary. Finally, digital ID will not allow individuals who are poorer to be abele to submit an ID because they might not have access to the same facilities. I am strongly against this rule and I do NOT think that digital ID should be an option.

I expect other privacy organizations to submit comments that may be better-written, but they echo the same sentiment.

Are unified digital IDs a thing?

I’ve been busy helping a client who needed summer fill-in help, but I’m finally making the time to catch up on my reading. And this article from Government Technology was on my reading list.

When I read the title “Mobile Driver’s Licenses Pave the Way for Unified Digital IDs,” I was intrigued by the last three words. I mean, there are more and more states releasing (non-pilot) mobile driver’s licenses, and the standard is coming along, and work is being done to prepare for federal acceptance.

But what about the “unified” part? How did David Raths address that?

Government uses of digital ID

Well, he listened to Eric Jorgensen, director of Arizona’s Department of Transportation.

“I actually hate the term ‘mDL’ because it doesn’t recognize the power of what we’re doing here….The whole concept is that we’re providing a way to remotely authenticate a person, to provide a trusted digital identity that doesn’t exist today. Once we provide that, we’re opening doors to enhanced government services. Also, the government can play a key role in facilitating commerce, providing a better citizen experience and providing for the security of that citizen — that goes way beyond what a driver’s license is about.”

Although all that Jorgensen is discussing is providing a trusted digital identity that is equivalent to a trusted physical identity. If you have to show your driver’s license when visiting a government office’s physical location, conceivably you can show your digital driver’s license when visiting a government office’s website.

Enterprise uses of digital ID

And there are applications beyond government. Delaware and other states are persuading private businesses to accept mobile driver’s licenses as valid forms of identification. There’s a powerful use case for age-restricted products, of course; since all that an alcohol-selling business needs to know is whether you are over the age of 21, the mobile driver’s license ONLY shows that you are over the age of 21. It doesn’t show your address, your weight, or even your birthdate.

But what about a true UNIFIED digital ID?

However, I semantically question whether this is truly a “unified” ID. This is just digitization of an existing government-endorsed ID. A “unified” ID would be one that would not only let me drive, vote, and buy alcohol, but would also serve as my ID to log into Facebook or buy Bitcoin. (Yes, I realize that use of a government ID to buy Bitcoin violates the space-time continuum in some way.)

And for that to happen, work may need to be done to make mobile IDs compatible with existing authentication/authorization methods such as OAuth and OpenID Connect.

And the whole “but what if I don’t have a digital ID?” question must be addressed.

And the whole “but what if I want to use a self-sovereign ID that is NOT government endorsed?” question must be addressed.

And presumably a myriad of other questions would need to be addressed also.

But for me, I can’t address unified digital IDs today. Just got a message from my summer-challenged client…

The EUDCC and Covishield

Well, that was unexpected, at least by me.

I figured that discussion of the European Union Digital COVID Certificate (EUDCC) would focus on use of the certificate by residents of the EU.

However, the big debate right now is about how citizens of countries outside of the EU are affected. While the EUDCC is primarily designed for EU citizens, the EU has an interest in getting people from outside of the EU to travel to Europe and spend lots of euros and make everyone happy.

By Avij (talk · contribs) – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=30112364

However, some of the regulations that govern the EUDCC and the EU’s COVID response are actually hampering travel from outsiders.

And when words like “equitable” are being bandied about, people are going to take notice.

Let’s start by examining the list of vaccines that are approved in the European Union.

Four vaccines are currently approved for use in the EU: Pfizer/BioNTech, Moderna, AstraZeneca and Johnson & Johnson. Another four are under “rolling review” for possible approval: Russia’s Sputnik, China’s Sinovac, Germany’s CureVac and Novavax of the United States.

So if you received one of the first four vaccines, this can be listed on your EUDCC and you can go about your merry way.

But African governmental entities believe that a fifth vaccine, one that happens to be available in Africa, should be added to the list.

[W]hile the goal is for EU Member States to issue vaccination certificates regardless of the COVID-19 vaccine type used, the granting of a “green pass” applies, only to vaccines that have received EU-wide marketing authorisation. Thus, while the AstraZeneca vaccine (ChAdOx1_nCoV-19) produced and authorized in Europe (Vaxzervria) is included, the same formation of the vaccine (Covishield) produced under license by the Serum Institute of India (SII), is excluded.

The TL;DR version: since Covishield is equivalent to Vaxzervria/AstraZeneca, people who received Covishield should get EU travel privileges.

Why does the same vaccine formulation have two different names? Because a special effort was mounted to provide vaccines to the Third World without endangering First World profits.

Covishield is the Indian counterpart of AstraZeneca-Oxford developed Vaxzervria and is identical to the one made in Europe. It has been widely distributed in many low and middle-income countries through the EU-supported COVAX programme. However the vaccine has not been included on the EUDCC because it is not approved by the European Medicines Agency (EMA). 

The European Medicines Agency counters that Covishield is NOT the same as the European version of AstraZeneca, despite an identical formulation:

“Even though it may use an analogous production technology to Vaxzevria (AstraZeneca’s vaccine), Covishield as such is not currently approved under EU rules,” the European Medicines Agency (EMA) said in a statement to AFP. “This is because vaccines are biological products. Even tiny differences in the manufacturing conditions can result in differences in the final product, and EU law therefore requires the manufacturing sites and production process to be assessed and approved as part of the authorisation process.”

So that’s where things stand as of now. And they may remain this way unless there’s pressure on the EMA to revise its decision.

Now I’m wondering how many Nigerians…and how many Indians…and how many Chinese and Russians (remember that Sputnik and Sinovac aren’t approved either)…are choosing to forgo a European holiday this summer.

The air industry is worried about EU Digital COVID certificate activity on July 1

Charles De Gaulle Airport in Paris. By NASA – NASA/JSC, Public Domain, https://commons.wikimedia.org/w/index.php?curid=7156445

So for the last few months we’ve been saying “we need travelers.” And now that we’re about to get travelers, people are getting worried.

The European Union’s system of digital COVID-19 travel certificates is due to come into force on Thursday, but airports group ACI and airlines representative bodies A4E, IATA and ERA warned in a letter to EU national leaders of a “worrying patchwork of approaches” across the continent.

Of course, we’ve known for some time that the EU Digital COVID Certificates are being implemented on a national basis. But now the airport and airline industries are warning that checking the certificates can be dizzying.

The letter said the only way to avoid huge queues and delays during the peak summer season was to implement a system whereby both the vaccination certificate and passenger locator forms are processed remotely before the passenger arrives at the airport.

Checks must only take place in the country of departure and not on arrival and national governments should manage the health data and provide equipment to check the QR codes, the letter said.

So there will be some confusion on Thursday. But will the confusion outweigh the benefits of increased travel?

Additional countries issue the EU Digital COVID Certificate (a/k/a the Digital Green Certificate)

First, a correction.

When I first began writing about the Digital Green Certificate, I referred to it as…the Digital Green Certificate, noting the confusion that the name could cause with climate activists and the like.

Well, it turns out that climate activists have no cause for confusion, because the name of the certificate is NOT the “Digital Green Certificate.”

It’s the “EU Digital COVID Certificate,” as noted here.

With that out of the way, let’s revisit developments since the first seven countries began issuing the EUDCC on June 1.

By Tuesday, June 15, the list of issuing countries will expand to 14:

Italy is one of the first EU countries to begin issuing the EU Digital COVID Certificate, alongside Austria, BulgariaCroatiaCzechiaDenmark, Estonia, GermanyGreece, Latvia, Lithuania, Luxembourg, Poland, and Spain.

The remainder of the countries should be issuing the EUDCC by July 1.

The EU Digital Green Certificate is live…in seven countries only (for now)

Remember the European Union’s Digital Green Certificate that I discussed about a month ago?

Well, it’s live…sort of.

Seven countries began using the European Union’s digital certificate on Tuesday (June 1), allowing for fully vaccinated people to travel.

The Digital Green Certificate began operating ahead of schedule this week in Bulgaria, the Czech Republic, Denmark, Germany, Greece, Croatia and Poland. The digital record stores whether a person has been fully vaccinated against COVID-19, has recovered from the virus or has tested negative for the virus within 72 hours.

So what does “using” mean? According to the European Union, this is what those seven countries are now doing:

…seven Member States – Bulgaria, Czechia, Denmark, Germany, Greece, Croatia and Poland – have decided to connect to the gateway and started issuing first EU certificates…

The referenced “gateway” is the EU-wide mechanism that “provides for the verification of the security features contained in the QR codes of all certificates.” As I mentioned previously, EU Digital Green Certificates are not issued by the EU itself, but by entities within member countries such as hospitals and health authorities. Each issuing entity, however, is registered with the EU gateway, to make sure that fake certificates are not issued by “Joe’s Reely Gud ID Service” or whoever.

As the German “Digitales COVID-Zertifikat der EU” web page notes, four of the seven countries (Czechia, Denmark, Germany, Poland) are contiguous, so presumably land travel over these countries’ common borders has been eased by the Digital Green Certificates. I have not been able to confirm this, however; sometimes it takes a few days to work out the kinks.

And, as noted above, the seven countries may not necessarily be verifying ALL types of certificates. Remember that a complete certificate will be capable of registering any of three events. The seven countries may or may not be capable of recording all three of them…yet.

tick iconbeen vaccinated against COVID-19
tick iconreceived a negative test result or 
tick iconrecovered from COVID-19

The Digital Green Certificate (EU Green Pass), for and against

So I attended the ID4Africa webcast that discussed vaccination certificates, including its discussion of harmonization of the myriad of certificates—a topic that clearly interests me.

If you didn’t already hear this on my recent podcast (microcast?) episode, Pavlina Navratilova of IDEMIA discussed three vaccination certificate standards that affect Europeans. One of these is the Digital Green Certificate, also known as the EU Green Pass.

In this post I’ll explain what the Digital Green Certificate is, why some people think it is essential to the continuance of civilization, and why some people think it destroys civilization as we know it.

Or something like that.

What is the Digital Green Certificate?

First, a clarification. The word “green” in Digital Green Certificate does not refer to saving the whales. It refers to “green means go” in terms of COVID-19. Specifically, a Digital Green Certificate is a digital proof that a person has either

tick iconbeen vaccinated against COVID-19
tick iconreceived a negative test result or 
tick iconrecovered from COVID-19

The certificate will also be available in paper format for us old-school types, but the digital version is what interests me.

The certificate will not be issued by the EU itself, but by entities within each EU country such as health authorities or individual hospitals. The certificate will be in a person’s national language and in English (for those who have forgotten, English is no longer a national language within the European Union due to Brexit).

Each certificate will contain a QR code to ensure authenticity, and these QR codes will be tracked at the EU level.

Each issuing body (e.g. a hospital, a test centre, a health authority) has its own digital signature key. All of these are stored in a secure database in each country.

The European Commission will build a gateway. Through this gateway, all certificate signatures can be verified across the EU. The personal data encoded in the certificate does not pass through the gateway, as this is not necessary to verify the digital signature. The  Commission will also help Member States to develop a software that authorities can use to check the QR codes.

The idea is that any EU citizen can provide national proof of vaccination, negative test, or recovery from COVID and that this national proof will be accepted in any other EU country, subject to the specific rules of that country.

On the other hand, the EU does not want to restrict freedom of movement within the EU.

The Digital Green Certificate should facilitate free movement inside the EU. It will not be a pre-condition to free movement, which is a fundamental right in the EU.

For more details on the plans for the Digital Green Certificate, see this European Commission page. Work continues to get the Digital Green Certificate up and running, including approval of technical specifications.

Entities supporting the Digital Green Certificate

Like anything COVID-related, there are entities that support the Digital Green Certificate, and entities that oppose it.

One group of entities that supports the Digital Green Certificate is the European airline industry. Because of the adverse economic effects of COVID travel restrictions, the airline industry not only wants Digital Green Certificates, but it wants them in time for the summer travel season. Here’s an excerpt from a statement from Airlines for Europe (A4E):

A4E welcomed today’s decision by the European Parliament to fast-track the European Commission’s Digital Green Certificates proposal using an Urgent Procedure. A positive decision by the European Council later today would set in motion a vote on the certificates by the end of April, facilitating the European Commission’s plan to have the certificates operational by June….

“With vaccination programmes underway, I am even more confident travel will be possible this summer. Airlines are ready to re-connect Europe and support economic recovery. I look forward to working with A4E members and policy leaders on this critical work ahead”, (A4E Chairman John) Lundgren added.

The “get people on flights” message is loud and clear.

And it’s not just the airlines; this initiative is also supported by the World Travel and Tourism Council and European Travel Commission. And the European Tourism Manifesto. And the European Exhibition Industry Alliance.

And (most importantly!) the general concept is supported by Vince, who though he is no longer in the EU (did I mention Brexit?), wrote this back in April:

#vaccinationcertificates The reason we need mandatory #vaccinationcards is because of the #superspreaders who demonstrated yesterday. Banning them from #pubs#football.#holidays#events etc will force #covididiots to adhere to the rules or stay at home. @LBC

And then there is the view of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). They support the idea, but with some qualifications:

Andrea Jelinek, Chair of the EDPB, said: “A Digital Green Certificate that is accepted in all Member States can be a major step forward in re-starting travel across the EU. Any measure adopted at national or EU level that involves processing of personal data must respect the general principles of effectiveness, necessity and proportionality. Therefore, the EDPB and the EDPS recommend that any further use of the Digital Green Certificate by the Member States must have an appropriate legal basis in the Member States and all the necessary safeguards must be in place.”

Wojciech Wiewiórowski, EDPS, said: It must be made clear that the Proposal does not allow for – and must not lead to – the creation of any sort of central database of personal data at EU level. In addition, it must be ensured that personal data is not processed any longer than what is strictly necessary and that access to and use of this data is not permitted once the pandemic has ended. I have always stressed that measures taken in the fight against COVID-19 are temporary and it is our duty to ensure that they are not here to stay after the crisis.”

This raises an interesting point that was also raised (after I left) in the ID4Africa webinar: what will happen to the Digital Green Certificate in the long term? The attendees were polled on this question.

Obviously the EDPB and EDPS prefer option 3, in which the Digital Green Certificate disappears once the pandemic is over.

Entities opposing the Digital Green Certificate

But not everyone believes that the Digital Green Certificate is a wonderful thing. Take the attitude of the the Dutch section of the International Commission of Jurists (NJCM), as expressed in a liberties.eu post.

As NJCM explains in a letter to the European Parliament, the EU has set up a system and infrastructure for Green Certificates, but only partially regulates the use of these Green Certificates. This leaves it up to member states to make their use mandatory, or to use Green Certificates in many more areas than just border control. Such mandatory use of Green Certificates may limit the freedom of movement, the right to not be discriminated against, the right to privacy, the right to data protection and, indirectly, the right to the integrity of the person (since the ability to travel is made conditional on undergoing testing or vaccination).

While the UK is (as I may have previously mentioned) outside of the EU, that country’s National Museum Directors’ Council has weighed in on the concept of vaccination certificates in general. Unlike airlines that believe that such certificates will encourage travel, the museum directors think these certificates will actually restrain it.

In the UK, where a government consultation on vaccine passports has proved controversial, a coalition of leading museum directors has spoken out against their potential use in museums. Such a scheme “sits at odds with the public mission and values of museums”, the National Museum Directors’ Council said, warning that it would constitute “an inappropriate form of exclusion and discrimination”. 

And, to be truthful, the existence of any type of vaccine certificate allows a distinction between those who are (believed to be) COVID-free and those who are not. You can use the emotionally-charged word “discrimination” or the less-charged “distinction,” but either way you’re dividing people into two groups.

The only way to remove such a distinction is to automatically assume that everyone has COVID. That could close the museums

…but at least everyone will be treated equally without discrimination. So that’s a good thing…I guess…

ID4Africa Livecast, “Vaccination Certificates and Identity Management”

Since I’ve discussed vaccination certificates in the past (most recently here), I thought I should alert you of an event later this week that covers the topic.

Parts 1 & 2 of our trilogy on Vaccination Certificates & Identity Management have set the pace for discussions on policy deliberations and innovative solutions in the development of COVID verifiable credentials. Both events continue to be praised as being our best series yet and… there’s still more to come!

Join your host, Dr. Joseph Atick, for a series finale, tour de force coverage on CV19 credentials where he shifts gears with a league of domain experts in a live collaboration searching for a framework for harmonizing national, regional and international efforts in this domain.

The webinar will take place on Thursday, May 6, from 12:30-14:30 GMT (or 14:30-16:30 CEST). That translates to 5:30 am in my timezone, but it looks like there will be a replay if I oversleep.

If you want to attend live, register here.

There is a draft proposal (from GIPHT and CDISC) for vaccine certificate interoperability, but will the players pay attention?

I’ve gone on ad nauseum about the plethora of vaccine certificate options that are being developed by public and private entities.

Wouldn’t it be nice if all of these different options were able to talk to each other, so that my existing blue certificate would talk to systems that require the orange certificate or the red certificate?

Two organizations are pursuing this dream of interoperability.

The Global Information for Public Health Transformation (GIPHT) initiative of the Learning Health Community has collaborated with CDISC to develop a minimum set of key data elements for documenting vaccinations. The goal of the collaboration is to achieve multinational agreement around one global core data standard that will enable the success of vaccine credentialing applications and secure sharing of essential information for uses such as safe travel.

The organizations have published a draft standard for public review. This draft attempts to define the minimum key data elements, and draws upon the work of several different organizations.

The set of common data elements proposed has been based upon recommendations made available by the European eHealth Network as referenced by the European Commission in announcing their plans for a Green Certificate to facilitate travel by Europeans among EU countries. This set of common data elements has also been informed through U.S. CDC. The elements have been aligned with standards from HL7, CDISC and ISO (standards development organizations), where applicable.

Of course, we have to ask the question: why listen to GIPHT and CDISC? Well, these two organizations claim a previous success, as noted in their press release.

“CDISC developed and published a COVID-19 data standard in less than a month by leveraging existing global clinical research standards, including those for vaccinesvirology and Ebola,” stated Rhonda Facile, Vice President of Partnerships and Development, CDISC.

However, there is one significant difference between exchanging COVID-19 data and exchanging vaccine certificate data. The former is an exchange of medical data which is of primary interest to health professionals. The latter has much greater ramifications, since it can potentially affect border crossings, travel in general, and access to facilities such as casinos, sports stadiums, and concert venues.

Is it even possible to develop a vaccine certificate interoperability standard that satisfies the foreign affairs and transportation ministries of multiple countries, the major airlines and airports, the casino operators, the major sports leagues, AND Taylor Swift?

LOS ANGELES – MARCH 14: Guest arrives for the 2019 iHeartRadio Music Awards on March 14, 2019 in Los Angeles, California. (Photo by Glenn Francis/Pacific Pro Digital Photography). By Toglenn (Glenn Francis) – This file has been extracted from another file: Taylor Swift 2 – 2019 by Glenn Francis.jpg, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=81523364

(We know Ms. Swift’s views on facial recognition, but as far as I know she has not expressed her views on vaccine certificates.)

And if it is possible, will all of these parties agree that GIPHT and CDISC are the ones to develop the standard?

How many vaccine certificates (not health passports) will citizens in Africa and elsewhere need to do anything?

This is a follow-up to my April 9 post, with a slight correction. I need to stop using the term “health passport,” and should instead use the term “vaccine certificate.” So starting now I’m doing that. Although I still think passports are cool, even if vaccine certificates aren’t passports.

An Ottoman passport (passavant) issued to Russian subject dated July 24, 1900. By FurkanYalcin3 – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=27699398

It’s also a follow-up to my February 16 post, which noted that there are a whole bunch of health pa- I mean vaccine certificates that are being marketed by various companies and organizations.

In addition to Clear’s Health Pass, there are a myriad of other options, including AOKpassCommonPass, IATA Travel Pass, IBM Digital Health Pass, the Mvine-iProov solutionScan2Fly from AirAsia, VaccineGuard from Guardtime, VeriFLY from Daon, the Vaccination Credential Initiative, and probably some others that I missed.

Obviously it takes a while to solve such issues, so you can’t expect that all of this would be resolved by April.

And you’re right.

As Chris Burt of FindBiometrics recently noted, the whole vaccine certificate issue was recently discussed by a panel at an ID4Africa webinar. Now even if you haven’t heard of the organization ID4Africa, you can reasonably conclude that the organization is in favor of…IDs for Africa.

And even they are a bit skittish about vaccine passports, at least for now.

Questions around how these digital health certificates should work, where and whether they should be used, and what can be done to mitigate the risks associated with them remain, and were explored by an international panel of experts representing major global organizations convened by ID4Africa. They found that too much remains unknown to inform final decisions…

The panel warned against rushing headlong into adoption of vaccine certificates without a better understanding of what they were, how they would work, and how individual information would be protected. And there are major questions all over the “how they would work” question, including the long-standing question of how vaccine certificates would be interoperable.

It quickly emerged that while several groups represented are working on similar projects, there are some key differences in goals.

The WHO is building specification which are intended to create digital records not for crossing borders or proving health status to any third party, but merely for continuity of care. Its working group also includes ICAO, IATA, and ISO, each of which have their own applications in mind for digital health credentials.

See the list above.

And even if you just look at the WHO’s project, it’s still not finalized. The present timeframe calls for a version 1.0 of its specification by the end of June, but timelines sometimes slip.

Chris Burt details many other issues in his article, but for purposes of my post, it’s relevant to say that it will be months if not years before we will see any sort of interoperability between vaccine certificates.