How would digital COVID vaccine passports work? And what's stopping people from faking them?

Although international travel restrictions for Australia have been extended to at least June, there may still be potential for a trans-Tasman bubble with New Zealand (and maybe some other countries), according to reports.

Air New Zealand will begin trialling digital vaccine passports (or “immunity passports”) on routes to Australia in April. Ideally, these digital certificates will allow authorities to quickly check whether prospective travellers have been vaccinated.

The specific passport system New Zealand is set to adopt — along with Qantas, Malaysia Airlines, Singapore Airlines and Qatar Airways — is the International Air Transport Association (IATA)‘s digital Travel Pass app.

But to be effective, this system would need to meet several key criteria. The vaccine passports would need to be linked securely to travellers, comply with different countries’ regulations and be almost impossible to illegally copy or modify.

How would it work?

It’s expected at least the vast majority of people travelling on an airline using the IATA software will have to use the pass. The system has four steps:

1. a vaccine-recording component for when a person is first vaccinated

2. the transfer of this person’s vaccine-related and personal data to the IATA software

3. verification of the data by an authorised party

4. digital cross-checking, to ensure a government’s travel requirements are applied to all travellers entering or leaving that country. This would also make sure each traveller has the necessary prerequisites needed to enter their destination country.

The software would work by establishing an international network of trusted vaccine providers. The IATA is already compiling this list. These providers, including hospitals and clinics, would receive access to the software’s vaccine-recording component.

With this they’d log information about a patient’s vaccination and identity details (such as passport number). So you’d almost certainly need to present a valid passport when getting vaccinated.

For those already vaccinated by the time the system is rolled out, an option would be needed to transfer existing records to the app. Again, this would require confirmation the person requesting the data transfer is the same person who was vaccinated.

Read more: A COVID 'vaccine passport' may further disadvantage refugees and asylum seekers

Before-departure checks

Once your vaccine and identification details are logged, this would generate a data file to be sent securely to the app’s software. This file would be encrypted and stored on the device itself, only to be retrieved by an authorised person with your consent.

Border and airline staff could check whether the lab identification is valid by comparing it to the IATA’s list of trusted vaccine providers. This check would be done using a wireless near-field communication system, similar to that used for contactless payments.

At this point, the border control unit would also confirm if the identification you presented when getting your vaccine is still valid. They could also check your passport against the national passport database, which is standard procedure.

Such a system could be set up to flag important updates. If a vaccine batch failed quality control, or a certain provider was removed from the approved providers list, this would need to be reflected quickly.

Security advantages of vaccine passports

A notable advantage of vaccine passports is they’re hard to forge compared to paper records. The IATA software would unbreakably link your identification details with your vaccination status.

Even if someone stole your phone or copied its data, this data would match only your passport. If they stole your passport, too, they’d likely still get caught during normal passport checks.

On Apple (iOS) smartphones the in-built “secure enclave” feature would prevent your Travel Pass app information from being moved remotely to another device without the right permissions. Android and other operating systems have similar tools used for smart wallets.

Using vaccine passports also minimises data sharing. In each case of information transaction, such as when crossing border control, the only data shared are your identification details and vaccine information.

An achievable set-up

Most countries are requiring that all COVID vaccines administered be recorded on a national register. In Australia, this is the Australian Immunisation Register.

The IATA will publish the Travel Pass app’s software interface, which is what enables other programs to transfer data to and from the software.

With the interface available, countries should be able to simply integrate the software into their own vaccine management systems. Governments could even apply their own rules to the software.

For instance, one may decide to reject vaccine records from a particular provider, or demand a longer waiting period once a vaccine is received.

This could obviously cause problems for travellers who may be planning to go to a destination with different protocols to the origin country. That’s why this would have to be sorted prior to travel, just as visas often are.

Minor issues and loopholes

For now, a digital vaccine passport would only be available for people with a smartphone or tablet. Also, each traveller in a group would need their own vaccine passport.

This could be tricky for families with young children or other dependants who don’t (or can’t) use smart devices. One fix would be for parents or carers to store dependants’ information on their own device.

The only credible route for vaccine passport forgery would be if a vaccination management system, such as one used by a GP or hospital, somehow recorded patient data incorrectly.

This could be done by someone deliberately impersonating someone else. Then again, the impostor would have to convince both the health worker administering their vaccine and staff at the airport. This would be difficult if a passport is used.

Similarly, a hacker could potentially attack the Australian Immunisation Register (or other vaccine registers) to generate false data to feed into the IATA system. But these registries tend to be well-protected.

And if one were compromised, it would be simple to invalidate vaccine certificates tracing back to it for as long as the issue wasn’t resolved.

Read more: Before we introduce vaccine passports we need to know how they'll be used