We have been warning about an electronic immunity certificate and the severe consequences such a system would have on society since May 2020. In a cloak-and-dagger operation the legal basis was created last week. Today we publish internal slides on the project, which unfortunately confirm our fears regarding its scope. Before it’s too late, we want to initiate the public debate which politics has avoided so far.

The most sensitive data protection issue of the pandemic was rushed through parliament without a review procedure

Last week, the National Council passed a legal basis for the project within two days, skipping any kind of review procedure. This legislation created the data basis and the competencies for the Minister of Health in this matter. Meanwhile, Chancellor Kurz diverted attention from the judiciary's action against the right-wing conservative party (ÖVP) in a series of scandals with an international demand for a "green vaccination certificate". Angela Merkel gave in to this demand on Thursday 25 February and on Monday 1 March Commission President Ursula von der Leyen announced EU legislation on this issue for March 17. This system is supposed to integrate both, vaccinations and test results.

The history of the legal basis in Austria began with an independent proposal submitted by representatives on February 14 2021, which originally was only supposed to correct spelling mistakes in the law. On Monday February 22 the Green Party, the right-wing conservative party (ÖVP) and the social democratic party (SPÖ) added the actual text of the law in the Health Committee, and passed it with their votes in the plenary on Wednesday.  This same amendment has also excluded 300 000 people who opted out of the electronic medical record (ELGA) from receiving free antigen-tests. Consumer protection is going to take the matter to court. 

Who benefits from an immunity certificate?

There are three clearly identifiable interests in this project. Sebastian Kurz calls the "vaccination certificate a ticket to a normal life." This is not true, as only the vaccination itself is the ticket to a normal life. Therefore, all energy and attention should be invested into the smooth and swift administration of vaccinations.

The second interest we observe is creating subjective incentives for people to be vaccinated (nudging). All parties persistently rule out obligatory vaccination. While people’s willingness to be vaccinated has increased over the last months, at 61% it is still not sufficient to reach herd immunity. If the lockdown were to be eased for those who have been vaccinated, this would certainly motivate people to be vaccinated after all. However, if the vaccine is not yet available to all, such a regulation would mean that that only a selected group could benefit from this easing.

Finally, such projects naturally involve economic interests. Presumably, restaurants and bars, cultural and sports facilities would readily incorporate such a system in their safety concepts if politics were to combine it with steps to re-open. International and national providers present their eID-products as the solution to the problem. Especially the aviation industry is well represented here. Whichever system wins the game in the end, companies hope for a widespread use as access system to restaurants, bars, cultural facilities, sports and events.  In Austria, however, the Federal Computing Centre (BRZ) appears to be developing the system on behalf of the Ministry of Health.

Centralized verification of vaccination and recovery certificates

This internal diagram from the Ministry of Health shows how it intends to enable verification of different certificates (recovery certificate and vaccination certificate) in a central system (right):

The architecture contains a central point which verifies the QR-code of every immunity certificate. As the certificate is always associated with a person and the verification procedure is initiated via the IP-address of the shop or event which a person requests access to, this system potentially generates a tremendous amount of information on people’s activities. It then only depends on a few entries in a configuration file at this central point, whether this data is stored or not. Such a mountain of data inevitably attracts greed and it would be far too simple to later activate this surveillance feature.

What alternatives are there?

Offline verification of certificates directly on the end device would be more secure than the ministry’s system. Such a system can easily be built with apps or desktop applications. This solution would technically preclude the possibility of subjecting people to surveillance from a central point. The International Civil Aviation Organization’s (ICAO) eVISA-standard is an example of how such a system can be put into practice and it is being considered for the European implementation.

We appreciate that the system does not include identity verification. To be sure whether the person standing before you is really the holder of the certificate they present, their photo ID must be checked. Otherwise one could go to the hairdresser with someone else’s vaccination certificate. Alternately, the system could have been fully integrated with an eID-system, which would have increased both risks and project duration significantly.

There’s already a globally recognized standard for vaccination certificates. The yellow vaccination certificate by the WHO is available today. It’s cheap and most importantly it works without electricity or internet everywhere in the world. The security of this system could be increased by issuing hologram stickers for the corona vaccination. An even higher level of security could be reached if the name and date of birth of the person vaccinated were engraved in the hologram sticker with a laser. The Ministry of Health could issue these hologram stickers for every vaccination which would probably still be far cheaper than any software project planned by this government (e.g. such as Kaufhaus Österreich and österreich-testet.at)

Don’t gamble with the people’s trust

For almost a year now, we have been warning politicians about how precious the people’s trust is during the current crisis. This is even more true for such a sensitive project, which concerns the important issues of trust and the voluntary nature of the vaccination. Of course, a state must also abide by the constitution and our fundamental rights in a crisis situation. This is why we sincerely hope that a data protection impact assessment which properly takes into account all risks will be completed on this sensitive health data system and be published by the Ministry of Health shortly. In this case, the data protection impact assessment is required by law and the Minister of Health should not set a bad example. If an analogue solution were to be considered, risks would certainly be easier to control.