With vaccination programs humming along, at least in the United States, and social distancing measures being relaxed, the long-awaited return of corporate travel finally appears to be on the horizon. But there won’t be a simple reversion to business as usual. Among the most significant new elements of post-pandemic travel—particularly in the first phases of the recovery, with entry controls still in place—will be the need to prove vaccinations and/or negative test results to access a particular jurisdiction or venue. To meet that need, a number of stakeholders in recent months have rolled out “digital health passports” designed to certify that a traveler meets the relevant entry criteria.
But while such passports promise to play a key role in getting corporate travel up and running, especially on the international level, many questions remain to be answered and concerns addressed. Chief among them are issues of data security, user privacy protection, interoperability and equity. The challenges on those fronts are significant, but stakeholders across the corporate travel ecosystem see the potential of digital health passports in bolstering the industry’s return and are using technology in a variety of ways to address them and support travel’s safe resumption.
Banking on Blockchain, Biometrics
The digital passports that have cropped up over the past several months share a few main similarities, such as taking a smartphone-centric approach and building out a network of participating medical providers and labs to actually administer the vaccines and tests.
But there also are a number of key differences, with the various passports employing a range of design models and technological frameworks to accomplish the same overarching goal. In some cases, that variety reflects the unique capabilities of the particular providers building and supporting those solutions.
Given the high level of compliance risk associated with storing and handling personal data—especially in the European Union, which has particularly stringent rules encoded under its General Data Protection Regulation (GDPR) regime—maintaining the security and privacy of the sensitive medical information stored in digital passports is essential. Some passport providers have worked to ensure such safeguards are in place by storing data on decentralized and anonymized blockchain-based systems.
Among the passports taking this approach are IBM’s Digital Health Pass, the Certus MyHealthPass from Swiss security provider SICPA and the AOKpass, developed by the International Chamber of Commerce and travel risk management specialist International SOS and now being piloted with several airlines, including Air France and Etihad.
“In the blockchain mechanism we’ve put in place, no data is exchanged. It doesn’t leave the [individual user’s] phone, and it’s not stored anywhere else,” said Sebastien Bedu, airport services product manager for MedAire, the ISOS aviation and maritime subsidiary working on AOKpass.
Instead, the data is maintained in a decentralized format throughout the entire process, from the medical lab to the passport holder’s smartphone, where it’s encoded into a QR code which can be scanned at airport check-in or at immigration control upon arrival to verify a vaccine or negative test. If the app is deleted from the phone, all the linked info is wiped out along with it, according to Bedu.
“Blockchain gave us the ability to operate in a space that’s highly regulated,” Bedu continued, citing the EU’s strict regulations. “We integrated, from the start, all elements of the GDPR constraints … and the blockchain was at the basis of that.”
Meanwhile, other passports are incorporating biometric identification functionality to secure access to health data, and providing additional assurances that the bearer of the digital passport is the same person to whom it was issued.
The International Air Transport Association is taking that approach with its Travel Pass app, which in mid-March began its first full-deployment trial, with Singapore Airlines. The Travel Pass largely was built upon IATA’s already in-progress One ID concept, in which passengers use biometric identifiers rather than paper documentation for travel.
“We were already working on the ability to create a biometric identity. … We basically leveraged the work we were doing with One ID and layered the Covid requirements on top of it,” said Anish Chand, assistant director for IATA’s Timatic entry requirement registry service.
Users create a digital identity within the Travel Pass app by taking a photograph of themselves, which is verified against a traditional passport using facial recognition technology. After the digital ID is created, users are directed to labs or sites where they can be immunized or tested, with records subsequently sent back to Timatic. The rules engine then compares the data with the relevant requirements at a given destination and, if all requirements are met, approves the trip within the app by displaying a green check mark. At airport check-in or border control, the user presents the app, and the agent verifies that the picture in the app matches the person presenting the passport.
But while the Travel Pass exists as a stand-alone app at the moment, the ultimate plan is to embed its capabilities into partner airlines’ own branded apps. There are multiple reasons behind that decision, according to Chand—not least of which is member airlines’ desire to own the relationship with their customers.
“Our member airlines were very clear that they wanted the experience to be within their own app,” said Chand. “And we thought it didn’t make sense to have another app the traveler would need to download.”
I do worry about the further implications of a passport … that enables those that are vaccinated to do things that others cannot.”
– Healix International’s Dr. Adrian Hyzler
Cooperation or Confusion
The question of where exactly passports “live”—as standalone apps, part of airline apps or other potential integrations, such as with online booking tools—is another key question that remains to be settled.
Adding additional complexity is the fact that some digital passports are designed not only to facilitate entry into a particular country but also to gain access to a specific event or venue, increasing the number of passports a traveler potentially would need to maintain.
One such passport is CommonPass, from Swiss nonprofit The Commons Project Foundation and the World Economic Forum. Along with being among the most widely adopted passport by airlines thus far—supported by JetBlue, Lufthansa, Swiss International Airlines, United Airlines and Virgin Atlantic—CommonPass also is aimed toward venue access, a use-case expected to become more prevalent as larger corporate events and meetings resume.
“We’re going to need to be showing some sort of test or vaccination demonstration to get into lots of places in the future, and you need to be able to do that in a way that’s trusted and private,” noted CommonPass president Simon Talling-Smith.
In early March, CommonPass significantly expanded its acceptance footprint by partnering with identity and access provider Clear, whose systems are used by nearly 50 facilities and organizations in the U.S. to verify Covid-related access protocols.
While user-facing mobile-based apps may dominate the early phase of the passport era, such behind-the-scenes integrations likely will have a greater impact in the future, predicted Talling-Smith.
“An app is only part of the story; more important is what’s hidden below that, and we expect CommonPass to be embedded in many, many third-party applications and processes,” Talling-Smith said, citing the U.S. Transportation Security Administration’s PreCheck program as an instructive model of how CommonPass eventually might operate seamlessly—and invisibly—across many locations in the future.
What About Equity?
While the promises and potential benefits of digital health passports are clear, one inherent pitfall that can’t be solved by technology alone is the risk that basing entry and access requirements on the ability to prove vaccination or negative Covid status risks creating two “classes” of travelers—those who can do so and those who can’t, some observers have warned.
“I do worry about the further implications of a passport … that enables those that are vaccinated to do things that others cannot,” said Dr. Adrian Hyzler, chief medical officer at travel risk consultancy Healix International. “This form of immune privilege will disadvantage a number of people, many of whom are already victims of inequity and discrimination, not just as a result of Covid, but dating back well before the pandemic.”
That demographic includes those without easy access to accepted testing and vaccine networks, and/or the technology to carry a digital-based passport, the doctor said.
“Let’s not forget that 3.4 billion people worldwide do not have internet access and over 1 billion people do not have a cell phone of any kind,” Hyzler noted.
Adding another layer of complexity is that several Covid vaccines have been manufactured, and some have not been authorized for entry to particular jurisdictions for various reasons—which could lead to countries turning away travelers on the grounds they received a vaccine deemed inadequate.
Given the potential for such inequalities to arise, “my thought is that vaccination status should be one of the determinants of entry quarantine requirements, in combination with natural immunity and testing,” Hyzler advised, adding that such a multi-pronged approach to prevention is not only fairer, but also more effective.
“No preventive measure is fully protective,” Hyzler said, “but each tool of prevention is layered on top of the next, and together they form a stronger barrier.”