Set up by the government in 2018, the CDEI has a unique remit: to help the UK navigate the ethical challenges presented by AI and data-driven technology. We are led by an independent board of experts from across industry, civil society, academia and government. CDEI publications do not represent government policy or advice.
In the first of our introductory blogs, we are looking at the concept of immunity certificates - what they are, whether they could work, and identifying the core aspects of the debate. This blog is not intended to be exhaustive, but rather to lay out the key questions that decision-makers will need to consider. The ethical trade-offs around the potential use of immunity certificates need to be evaluated against the backdrop of the pandemic and the extraordinary pressures it has created. Certificates should also be judged against realistic alternatives, such as prolonged and universal restrictions on people’s movement.
An immunity certificate - sometimes called an immunity passport or licence - is a document that could be granted to an individual who has tested positive for COVID-19 antibodies, and who is now considered to be at limited risk of contracting the virus again, or who has received a vaccine in the event of one being manufactured. This may allow them to safely return to work, and for the economy to re-open whilst still protecting the most vulnerable from the virus. The presence of antibodies would be confirmed by a licenced issuer, either through an antibody test that indicates the individual has previously had the virus and recovered, or through antigen tests that show the individual currently has COVID-19, with the expectation they will shortly gain immunity. While several types of certificate are currently being investigated globally, the public debate has centred on the idea of an app that would bring together biometric data (for confirmation of identity) and antibody test results (for confirmation of immunity).
Why are we talking about immunity certificates?
A number of governments have indicated plans to implement immunity certificates. Interest has been driven by a desire to further reopen parts of the economy, helping to reduce the economic strain of the virus and the social toll of unemployment, while still allowing for responsible social distancing. Certificates present an opportunity for many people to return to some form of normal day-to-day life, including to visit non-essential businesses and in-person religious services. Only the Chinese government has confirmed that they are using this approach.
That sounds familiar - why?
Immunity certificates are not a new concept. The World Health Organisation (WHO), for example, created the “Carte Jaune” as early as the 1950s. This was required by travellers to demonstrate their immunity against Yellow Fever when moving between certain countries, and still exists today for this purpose. However, Carte Jaune’s are provided on the basis that someone has had a vaccination, not that they have built natural immunity from prior infection. The digital version for COVID-19 has already been discussed globally, with Australia, Germany and the USA all considering the idea.
Where could immunity certificates have the greatest impact?
Given immunity certificates would take time to test and roll out, it is unlikely that they would be used in the near future. However, they could prove valuable in the months to come, particularly in settings where there remains a high risk of virus transmission, such as sports venues and international travel hubs. Cross-border travel and hotel booking may even become reliant on such certificates. Indeed, Swiss hotel booking start-up Sidehide are working with UK company Onfido to develop an app that demonstrates the immunity of their guests. Policymakers could encourage the development of a similar scheme across the UK, which would support international travel and the reopening of our tourism industry. Importantly, this would rely on the certificates of different countries being interoperable, meaning that governments would have to work together to agree common standards for how the technology is built and deployed.
Is this all just hype?
There are two core issues that need resolving prior to immunity certificates becoming a practical solution. First, despite significant interest in the idea of digital immunity certificates, we do not yet have clear scientific evidence that immunity to COVID-19 is possible - either through antibodies or the existence of a vaccine. Even if it does, there are still questions about whether “immune” individuals can still transmit the virus to others, and if their immunity may wane over time. Some other coronaviruses produce antibodies and immunity for only a few months. Should COVID-19 mutate, immunity certificates would only apply to the specific strain that has been encountered.
The second element required to allow for the practical application of immunity certificates, is being able to ensure fair access to a method of establishing immunity. As this would either be through testing or a vaccine, it seems likely that access to a healthcare provider or medical professional would be a requirement for doing so. Even if home-testing kits became significantly more accurate, a trusted third party (the equivalent of a medical notary) might be required to authenticate the results, preventing self-certification. However, these kinds of conditions may necessarily exclude some communities from accessing immunity certificates (see risks, below), therefore presenting ethical challenges for their deployment.
Assuming the underlying scientific assumptions are accurate, are there any major risks?
One of the risks posed by immunity certificates is that they may incentivise people to become infected, especially if they allow access to places or activities that would otherwise be prohibited. There have been suggestions that those who are particularly frustrated with social distancing restrictions - particularly younger people who feel their level of risk from COVID-19 is low - may actively seek infection, thus endangering themselves and others around them. To mitigate this, it may be that testing negatively for coronavirus also gives access to a certificate, albeit for a shorter period of time than those who test positive for antibodies - similar to the difference between holding a passport, and holding a visa.
Another risk is that immunity certificates entrench existing inequalities. It is anticipated that users will need government-issued identification in order to receive a certificate - something that marginalised communities, or those distrusting of government, may not hold. Existing socioeconomic, racial, and ethnic inequities may therefore be reflected in the certification process. The need for a smartphone to produce the certificate will additionally exclude some of the most vulnerable, thus exacerbating the harm that COVID-19 is already causing across these populations. Alternate forms of credential will be required to support those without a device, and improved access to testing or technical infrastructure may be needed in some areas to avoid compounding existing disparities.
Finally, ethical data-use in part relies on individuals providing informed consent. However, in the case of immunity certificates, individuals may feel that they will be excluded from many aspects of society - including their employment - without one. Participation could be easily construed as mandatory by employers and others, but the ultimate decision of whether to participate should remain in the hands of the user.
I’ve heard immunity certificates pose significant privacy risks - is that true?
As with most uses of personal data, there is some level of risk to privacy - from data misuse to cyberattacks - and the confidential nature of health data exacerbates this. Yet there are ways to mitigate these risks, such as storing data on individual phones rather than a central server. Immunity certification should adhere to industry best practice for data minimisation and privacy - guaranteeing that only the essential elements of a person’s identity are included in the credential - as well as ensuring that it is resistant to fraud, and supportive of selective disclosure of information. There would also need to be clear guidelines about who should have access to the data stored on the certificate, so as to prevent undesirable data sharing between organisations.
However, much of the conversation around privacy will hinge on the method of identification used, with some methods - such as biometrics - adding more complexity and opacity to the debate. As most governments and companies are still in the early stages of scoping, there are too many potential solutions to evaluate here. Nevertheless, the right design of the digital ID system could help to address many of the concerns around privacy, whilst a flawed design could compound them.
Is there anything else I should look out for?
A related dilemma to consider is what the alternatives to immunity certificates are, as it seems that at least in some contexts we will need to understand individual levels of immunity - particularly when caring for those most vulnerable to the virus. Although there are risks inherent to immunity certificates, there are few tangible alternatives, and any that do develop will likely hold similar trade-offs and concerns.
What is clear is that given the comparatively lengthy timeframe to gain the required scientific knowledge to underpin any option, there is time for a period of consultation, as well as to build strong ethical oversight from the outset. Effective assessment, accountability frameworks and oversight processes to keep the chosen method under review will be crucial prior to any conversations about deployment.
This is the first in a planned series of blogs on the technological developments we are seeing emerge in response to the COVID-19 pandemic. To keep up-to-date with these COVID-19 related use-cases for data and artificial intelligence as we surface them, our repository can be found here.