No jab, no job? Injecting ethical considerations into Vaccine Passport tech (2/2)

Profile picture for user slauchlan By Stuart Lauchlan March 31, 2021
Summary:
If we are to have Vaccine Passports, what are the basic principles providers like IBM and Salesforce need to follow?

ethics

In the first part of this article, some of the well-rehearsed arguments for and against some form of Vaccine Passport, most likely an app, were aired. But with a move to deliver some version of trusted health credentials as part of a society-wide return to ‘normal’, there’s a clear requirement to square some circles here to bridge the divide between practical need and ethical concerns. 

All that said, there are plenty of ideas being bounced around as to what criteria need to be in place to deliver an effective Vaccine Passport program. The SET-C (Science in Emergencies Tasking: COVID-19) group at the Royal Society, the oldest scientific academy in continuous existence, for example, has laid out 12 requirements that need to be met by any such schemes, arguing that a passport must: 

  • Meet benchmarks for COVID-19 immunity.
  • Accommodate differences between vaccines in their efficacy, and changes in vaccine efficacy against emerging variants.
  • Be internationally standardized. 
  • Have verifiable credentials.
  • Have defined uses.
  • Be based on a platform of interoperable technologies.
  • Be secure for personal data.
  • Be portable.
  • Be affordable to individuals and governments.
  • Meet legal standards.
  • Meet ethical standards.
  • Have conditions of use that are understood and accepted by the passport holders.

Meanwhile the Tony Blair Institute for Global Change - headed up by former UK Prime Minister Blair, a strong proponent of passport tech - lays out a five point plan for how to design an equitable scheme, arguing they need to be: 

  1. Equitable. Health passes should be available to all citizens, including people who have not been vaccinated - for reasons of not being eligible yet, for medical reasons or through personal conviction - and not forgetting the needs of non smartphone-users.
  2. Adaptable. A pass should be able to be updated as understanding of the virus changes and as wider circumstances alter. 
  3. Seamless. It needs to be easy and quick to use to encourage adoption and be as frictionless as possible in terms of the administrative burdens on businesses or health organizations. 
  4. Transparent. Data collection and retention policies and parameters need to be strictly defined and completely open to users. 
  5. Reliable. Passports must be designed with security and privacy at their core. 

Who builds it? 

Given such principles - and there are plenty of other examples out there - attention must then shift to who is going to build passports to meet such criteria - government, private sector, both? In the UK, it looks as though the task is being handed to NHSX, the British national health service digital unit that was responsible for the shambolic and hugely expensive development of a contact-tracing app last year, so that's er...good? 

In contrast, as noted in the first part of this article, the US administration is looking to the private sector to tackle the passport question, at least for now. Among the higher profile initiatives to date has been the IBM-driven Excelsior Pass that’s being trialled in New York State. The non-mandatory pass is stored on Android and iOS smart devices, provides a QR code to scan to gain access to participating venues and needs to be renewed every 30 days. No health information is revealed when the pass is scanned, with a green tick or a red X being the only visible identifiers, and no personal data is stored or tracked within the app. 

It's based on the IBM Digital Health Pass, part of the Watson Works safe return to the workplace initiative. In a blog posting, Steve LaFleche, General Manager, IBM Public and Federal Market, explains that the Pass has been designed “from the ground-up with robust privacy protections in place” and that users determine what information they share, with whom, when, for what purpose and without sharing the underlying personal data used to generate the credential:

The IBM Digital Health Pass conforms to IBM's high ethical standards, long-established Principles for Trust and Transparency, and guidelines for deployment of technologies in response to the COVID-19 pandemic. Because the Digital Health Pass runs on the open standards of blockchain technology, it can interoperate easily with other solutions so that people won’t have to rely on multiple apps when going about their daily lives. Its open architecture also allows other states to join the effort, which could provide the foundation for a secure and interwoven ecosystem enabling governments, businesses, and people nationwide to power a safer, trusted transition to a post-pandemic reality.

Salesforce's long game 

The pandemic response has also seen cross-industry alliances between tech firms and this is continuing around the concept of health credentials. Salesforce, for example, has committed to integrating the IBM Digital Health Pass into its work.com safe return to the workplace platform offering. The cloud leader is also a founding member of the Vaccination Credential Initiative (VCI), alongside arch-rival Oracle and a host of healthcare organizations. The VCI aims to develop a standard model for organizations administering COVID-19 vaccines to make the immunisation data available in an accessible, interoperable, digital format. 

For its own part, Salesforce’s internal Office of Ethical and Humane Use of Technology has been heavily involved in the specifics of work.com and in considering the wider complexities of Vaccine Passports, although this last is a term that Yoav Schlesinger, Principal of Ethical AI Practice, doesn’t use, preferring to talk about the broader idea of digital health credentials: 

From our perspective, one of the most critical elements of this safe return back to 'normal' is that digital health credentials incorporate much more than just vaccine status. Digital health credentials need, from an equity standpoint, to allow people to demonstrate their health status through a negative COVID test, through proof of recovery and antibody tests etc, so there needs to be multiple ways to present that information, so that we can all be assured of a safe return to whatever locale and location we're talking about, whether for travel or returning to work or attending a concert, etc.

He adds that proof of vaccination is not the only way to establish that a workplace is safe: 

Relying exclusively on proof of vaccination status may or may not be the strategy that an employer wants to employ. I think it's critical that employees, and anyone else, are able to also establish that we can return to work through a negative COVID test or proof of recovery as well. There will certainly be circumstances and situations where people can't be vaccinated, because of health conditions or because of a religious conviction. We want to ensure for the sake of equity that people are able to present their health credentials and their health status in multiple formats and through multiple avenues. 

This all plays out against a changing COVID backdrop, he argues, and that means considerations will continue to develop as wider circumstances evolve: 

Early on in this pandemic, before we even had vaccines, we relied almost entirely on wellness as the format through which people would identify whether or not they'd been exposed to COVID, whether they were experiencing any symptoms, etc. And in our work.com product, we actually built features in such that all of those elements were bundled for the sake of employee privacy. If an employer [requires to] know whether you have a runny nose or a fever or exposure, any of those symptoms, it would just say, 'No, not available for work today'. In this way, we want to encourage employers just to say 'safe to return to work or not', based on the variety of ways that an employee might demonstrate that.

As to whether Vaccine Passport work should be left to the private sector or whether there’s a need for government to take the lead, Schlesinger argues that it’s still early days: 

We're at the very earliest stages of trying to figure out how to very quickly scale up an interoperable cross-governmental set of solutions that will allow people to do things like take a plane internationally. These are things we have governing principles for when you think about traditional passports, but we now need to very quickly figure out how do we build the technical and technological solutions that also enable people to do that kind of cross-border travel in a fair and transparent way that allows a person from the EU to travel to the US and vice versa?

Ultimately organizations like Salesforce, IBM and others can deliver technology, but can’t be expected to lay down policy, he adds: 

We're not going to suggest that there's a right or wrong way to do this. Each individual locality and public health agency really needs to establish those guidelines for themselves and build trust, such that if there is a desire to implement a digital health credentialing system in one of those locations, that can be done transparently and empower people to move interoperably through the system to present their credentials, but trust that they're only releasing information and detail that they choose, through selective disclosure, and that these principles around equity are built into those systems in the first place.

As diginomica has argued for some time, trust is a critical component of any safe return to ‘normal’ working, a thesis that Salesforce’s own data has backed-up and not always in the most positive light. Trust is absolutely critical to the work of the Office of Ethical and Humane Use of Technology here, affirms Schlesinger: 

Trust and transparency are critically important when we're talking about public health. We know that for technology to be effective, whether it's digital health credentials or vaccine scheduling, it has to be built responsibly, because no matter how good this tool is, people won't use it unless they trust it.  So, as we are in this constantly evolving situation, always keeping your eye on the ball with regard to trust and transparency as decisions are being made is a critical piece of keeping people informed and keeping them engaged in the process of a safe return to ‘normal’.

Ultimately this is a long game. The COVID crisis may seem like it’s been here forever, but in reality it’s just over a year since the lockdowns began around the world. There are signs of what will become a Vaccine Economy emerging, but there’s still a substantial way to go before a majority of the world’s population is vaccinated. Taking a long-term view is critical, says Schlesinger, and that includes forming a view on ethical considerations around health credentials: 

That's a critical part of the work that we do - to think through both the current situation and context as well as the ways that both society and technology will evolve over time. Even with a thing like digital health credentials, we're thinking about this in terms of 'how do we build these solutions such that we can responsibly turn the situation in the long term for management of flu vaccination or other non-COVID related elements as well?'.

I do think that a long term view of understanding what are the pros and cons, positive and negative anticipated consequences, that we might see from the implementation of a technology and the standards around it, are important considerations for anyone choosing to implement a new technological solution.

My take

For my part, I'm one of those people who, having had my vaccination, is impatient to get back to 'normal' as quickly as possible. That said, I have, to say the least, severe trust issues when it comes to how my own government (UK) will handle the implementation of a digital Vaccine Passport. But I suspect such passports will become a norm in the Vaccine Economy - today British Airways and Virgin Atlantic both announced they're trialling their own health credentials apps - and I'd rather this was delivered to a unified, international standard. Sadly, history suggests that's going to be easier said than done. That being so, it's crucial that every initiative of this form is put firmly under the ethical microscope. The UK's Health Minister has defended some highly dubious procurement breaches during the COVID crisis on the basis that his team were focused on saving lives first and foremost. That's an emotive 'argument' that can just about be deployed in 'wartime', but cannot be used in 'peacetime' to excuse ethical shortcuts, both inadvertent and commercially expedient.