Don’t get too excited about ‘immunity passports’ just yet

As the UK government starts trials of its contact-tracing app in the Isle of Wight, attention will soon shift towards another potential app-enabled solution to help ease lockdown requirements and deal with the coronavirus crisis – so-called immunity passports, or immunity certificates.

Contact tracing is designed to accompany tests to show whether someone has the Covid-19 virus – and hence needs to self-isolate, and to inform anyone that has been in close proximity to also go into isolation. However, the concept of an immunity passport is to prove that you have previously had Covid-19, and are likely to be safe from catching or transmitting the disease.

It’s also pertinent to say that nobody involved likes the phrase “immunity passport” and it’s likely the terminology will be different, but for ease of explanation let’s stick with it here.

The topic was thrust centre stage when The Guardian led its Monday 4 May issue with the claim that “health passports” will be “possible in months”.

“Months” is a nicely vague and non-committal estimation.

The story appears to have come from a digital identity firm, Onfido, that claims to be “involved in a number of conversations” and to have “delivered detailed plans” to the government about what could be done. Notably, the story includes no significant quotes from anyone in government, the Department for Health and Social Care (DHSC), or the NHS, nor does it suggest the government has proactively asked anyone for detailed plans.

The Guardian article described a slightly absurd process where someone would “prove” their identity to their employer using facial biometrics to show they are who they say they are, and their test results, to be allowed back to work. This rather overlooked the fact that most employers already know what their employees look like and who they are – biometrics and digital identity are overkill for such a requirement.

I don’t know Onfido, and haven’t talked to them, but I have since talked to a couple of other companies, both of which have also had conversations with government about technology options that could support a programme of antibody testing to determine if people have some form of immunity.

As ever, the challenges are somewhat greater than is first apparent.

It would seem the government is open to ideas and advice on immunity apps, but without commissioning any specific initiatives at this stage – once the contact-tracing app is in the wild, that may soon change. Officials have talked to a number of tech companies, but there’s no evidence these have led anywhere yet.

The objective of such apps is to complement antibody testing, so that an individual deemed to be immune is able to return to activities that might not be suitable for someone at risk of infection or of spreading the disease – such as taking part in sport or mass activities, as well as safely returning to a workplace without following social distancing measures.

The digital identity element of the app would be used to match a test result with the individual who took the test – to prevent fraudulent use by people claiming to be immune, but who are not.

Most solutions would use biometrics – typically, facial recognition matched with biometric chip passports – although I’m told there are non-biometric alternatives that could be used. The contact-tracing app is already under scrutiny over data privacy, since the government chose to use a model that stores some data centrally, rather than the decentralised model that other countries including Germany are adopting, and which is recommended by Google and Apple.

In an immunity app, the privacy issues are even greater – as soon as biometrics become involved, public sensitivity over centrally gathering such personal data by the government could put a lot of people off using the app, not to mention animate privacy campaigners.

But the debate over an app is getting ahead of itself – which is perhaps why the government is not yet actively engaging with some of the companies offering potential solutions.

Boris Johnson, in full over-enthusiasm mode early in the pandemic, talked about antibody testing as a “game changer” and suggested that a home testing kit that was as simple to use as a pregnancy test would soon be available in the millions. Once DHSC started trialling these tests, they were found to be such poor quality that barely half of the test results were correct. The danger of a bad antibody test is that someone could be given a false reassurance of immunity, and go on to become infected – or worse, to infect many others by returning to the community.

Research is underway around the globe to develop a more foolproof antibody test, with some apparently close to a positive conclusion. Even then, some of these tests require complex laboratories to determine results – Johnson was right in one respect, in that home testing kits are the game changer, but only if they work.

Next, when you have a reliable home test, it’s not as simple as giving a yes or no answer to immunity. A test would check for two types of antibody: IgM antibodies are produced soon after infection but decline subsequently, and suggest the individual may still be infectious; IgG antibodies take several days to produce after infection, and suggest the individual may have a degree of immunity. Scientists still don’t know if full immunity is even possible, nor how long such immunity would last.

So, there are four possible outcomes of a test – no antibodies; IgM only; both IgM and IgG; and IgG only. As long as IgM is present, there is still a risk of infection. A high degree of sensitivity is required in the test, and possibly a certain degree of knowledge in the person interpreting the results at home.

It’s only at this stage that an app comes into play. People would need to record their test results in such a way that those results are definitively tied to the individual. What’s more, until scientists know whether immunity is longlasting, people would need to re-test every few months to maintain their “passport”, with any immunity privileges revoked if they do not.

That’s without discussing the further issues of the social acceptability of people who have had Covid-19 subsequently receiving privileges unavailable to people who have not had the virus.

In theory, app users would be able to present a digital proof of identity along with some form of proof of their test results, in the form of a unique identifier or a QR code, for example, that a receiving party can use to confirm their status – ideally in a way that doesn’t transmit to government what activities that individual is being allowed to conduct.

The potential minefield of privacy, privilege and fraud is obvious.

What if you don’t have a smartphone? Or a passport? There may be some circumstances where a printed certificate using a one-time code, along with a physical identity document – in a similar way to printing boarding cards for flights – will be sufficient, so why not start with a simple solution like that?

Smart people in government will be aware of the potential pitfalls. We’re bound to hear further confident claims from technology companies about what they can deliver, but there are plenty of hurdles to clear first.