Turing researchers work to ensure security and privacy of COVID-19 ‘immunity passports’

Thursday 28 May 2020

Introduction

In this blog Turing researchers David Butler, Chris Hicks, Carsten Maple and Jon Crowcroft discuss their latest work on providing secure systems that allow for antibody certificates, commonly referred to as immunity passports, for COVID-19.

Governments worldwide are currently considering, and in some cases even deploying, immunity passports that will allow citizens to demonstrate a positive indication of their immunity to the virus. In practice, the passports could be issued following a test for antibodies and may even be (mis)used to control access to transportation and other services. It is important that the academic community provide proposals for secure immunity passport systems, and the metrics for their evaluation, which are essential inputs to the development of appropriate government policy.

Turing researchers have developed a Secure AntiBody Certificate (SecureABC) system as well as provided a set of security properties with which to evaluate such systems.  SecureABC is a decentralised, privacy-preserving system that allows a healthcare provider to issue a digital (or paper) certificate confirming a positive test for antibodies to SARS-CoV-2 that can later be verified as legitimate by a third party. The decentralised design of SecureABC allows for user privacy by design, and ensures that the healthcare provider (or government) does not learn when or where a citizen uses their certificate. 

"SecureABC minimises the data that needs to be stored centrally, both preventing abuse and ensuring that the system can be readily dismantled after it is no longer required."

In more detail, SecureABC uses simple cryptographic techniques to provide each user with a QR code that contains a personalised, digitally signed certificate that cannot be forged or tampered with. Moreover, if a testing error is discovered after a certificate has been issued, or should scientific advice change, certificates can be revoked in a privacy-preserving way. SecureABC minimises the data that needs to be stored centrally, both preventing abuse and ensuring that the system can be readily dismantled after it is no longer required. 

Whilst a promising tool in the fight against COVID-19, immunity passports are also a controversial technology that has caused significant debate. Indeed, the World Health Organisation (WHO) has issued a scientific brief which discourages immunity passports citing a lack of evidence about the antibody-mediated immunity and concerns that passport-holders may be more prone to ignore public health advice. As part of their work on immunity passports, our researchers have also tackled several of these criticisms with a set of general principles which aim to mitigate some of the risks which this technology poses.

The working paper (under peer review) can be found on arXiv and an early proof of concept implementation can be found on GitHub. If you have any comments or thoughts on this work, or would like to collaborate please get in touch with the authors ([email protected]; [email protected]; [email protected]; [email protected]).