
In my country, there have been awareness campaigns about not giving out our passport or copies of our passport, as it contains our Social Security Number, biometric fingerprints, and other information that can be used to create a profile and impersonate a person.

This links 'a person' to 'a piece of health information'. Imagine what you or any data platform could do with that (big) data.

Imagine that you are only allowed to visit certain countries based on your vaccination status. Advertising agents of tourist and traveling agents would love to get their hands on that information, to create a better profile of you. Maybe Google could even make a FLoC of 'COVID-19 vaccinated people'.

Imagine that one year from now, one of the vaccines is known to cause health issue X, which would require over-the-counter medication Y. Advertising companies would love to know exactly what vaccines you have received, to add to their 'profile', and would go to great lengths to get this information (create their own 'reader app' and supply this to events).

Here we hide personal health information in a QR code and are expected to give random strangers 'consent' to this personal data to gain 'access' to a venue or 'service'.

Sounds an awful lot like a cookie consent-popup, which the EU is so actively trying to prevent through legislation.

Do you really need to link 'a person' to 'a vaccine profile'? Isn't it enough to link 'a person' to 'can access this service/venue according to local laws?'.

In software development, you separate authentication and authorization. The authentication part is 'are you who you say you are', the authorization part is 'are you allowed to access this resource'. For authorization, you don't send the full list of all roles/permissions of this user for all authorized applications, you send a true/false based on the question canAccess(resource)? Otherwise a 'hacker' might find he has no permissions using the current authenticated account to resource A, but conveniently has full permissions to resource B.

You wouldn't give a random webshop access to your Bank Balance and history, would you? Your bank should only tell them 'transfer of X dollar is approved'.
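The canAccess(resource) idea from the comment above, sketched as an added example that is not part of the original thread: the issuer evaluates the local policy against the full record and releases only a signed yes/no, so the venue's reader never sees which vaccines were given. The record, policy names and key are constructed; HMAC with a shared key stands in for the public-key signature a real issuer would use, and binding the token to the holder is left out.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for the issuer's signing key. With HMAC the verifier
# holds the same key; a real scheme would use an asymmetric signature.
ISSUER_KEY = b"constructed-demo-key"

# Constructed sample record; it never leaves the issuer (health authority).
RECORD = {
    "name": "A. Example",
    "vaccines": [{"disease": "COVID-19", "product": "vaccine-A", "date": "2021-05-01"}],
}

# Hypothetical local policies: policy id -> diseases that must be covered.
POLICIES = {"venue-nl": {"COVID-19"}, "border-xx": {"COVID-19", "yellow fever"}}


def _sign(body: bytes) -> str:
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def can_access(record: dict, policy_id: str, now: float, ttl: int = 300) -> dict:
    """Issuer side: evaluate the policy and release only the decision."""
    covered = {v["disease"] for v in record["vaccines"]}
    claim = {
        "policy": policy_id,
        "allowed": POLICIES[policy_id] <= covered,
        "exp": int(now) + ttl,  # short-lived, so a copied token goes stale
    }
    body = json.dumps(claim, sort_keys=True).encode()
    return {"claim": claim, "sig": _sign(body)}


def venue_check(token: dict, policy_id: str, now: float) -> bool:
    """Verifier side: sees a policy id, a boolean and an expiry, nothing else."""
    body = json.dumps(token["claim"], sort_keys=True).encode()
    if not hmac.compare_digest(_sign(body), token["sig"]):
        return False  # altered, or not produced by the issuer
    claim = token["claim"]
    return claim["policy"] == policy_id and claim["exp"] > now and claim["allowed"] is True
```
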



> Imagine that you are only allowed to visit certain countries based on your vaccination status.

We don't need to imagine this scenario, because it has long been the case for certain countries with yellow fever checks, TB checks, etc.

The difference now is that the restrictions are perhaps much more widespread.


The difference now is that this information is being made digitally available outside of a personal health dossier.

I have an international vaccination passport, paper-based, which is only shown to a customs officer of the country I am visiting. This has been 'good enough' to enter countries with vaccination requirements up until now. It has not been copied or entered into a computer system.


I agree with you that I wish the yellow card was "good enough." It is for some countries like Germany and Iceland.


> Imagine that you are only allowed to visit certain countries based on your vaccination status.

How is this different from the uncontroversial practice of requiring yellow fever vaccinations when travelling to certain African or South American countries?


The difference now is that this information is being made digitally available outside of a personal health dossier.

When traveling to African or South American countries, you have to show proof to a public immigration agent. I have an international vaccination passport, on paper, which has been 'good enough' to provide this proof. My health dossier is not publicly accessible.

Currently, this check is

- looking at a piece of paper for the correct stamps,

- performed by a public immigration officer,

- upon entering a country.

With this QR code, I now put this check into the hands of

- any QR code 'reader' app,

- on a Google or iOS platform,

- which can be connected to the internet,

- performed by private companies (venue/event/organizer),

- upon entering a variety of locations.


Is there any indication that the WHO vaccination passport will stop being good enough?

It seems to me this is just a question of convenience.


The WHO yellow fever certificate is not digital, it is just a piece of paper. Plus, many of the countries which ostensibly require it don't check it carefully or at all (and in West Africa, it is not unusual for the soldier checking it to be illiterate and unable to actually grok the details on it). So, this old-school vaccine proof doesn't pose the risk of being used for ad targeting that worries the GP.


Yes, in rare cases that might happen but in general that sounds like a trope. In fact, I've heard stories of people being denied entry and also getting vaccinated on arrival in a back room at the airport, which is as dodgy as it sounds.

Do you speak from experience?


Yes, I speak from repeat personal experience in both Africa and South America. That checking of the certificate in South America has dwindled is well known. Sure, some people may have bad luck, but there is a reason that many holidaymakers are no longer even aware that there is a rule on the books.

The certificate is commonly checked in Africa, but as I said, often the official on the border checking it is not capable of understanding the details – they just look for the paper with the familiar color and logo. Also, it has been common for travelers unable to get the yellow fever vaccine in their home country (historically supplies in Eastern Europe have been scarce, for instance) to simply forge the certificate, which is easily done. The WHO is aware that some amount of certificates will be forgeries, but nevertheless believes that the policy of requiring vaccination will be enough to reduce the risk of outbreaks.



