The Opportunity And Security Challenge Of Using Kiosks To Read And Process Vaccine Passports
September 1, 2021 by Dave Haynes
There’s been a lot of talk about vaccine passports as the numbers of fully vaccinated people have risen in many to most first world countries, and venues from restaurants to giant sports stadiums have started talking about requiring proof of being jabbed as a requirement of admission.
But how is that done efficiently and securely? And how are fraudulent papers identified and rejected?
One of the ways to process people quickly and accurately is using readers and scanners, handheld or as self-service kiosks. The idea is that you’d have a government-issued vaccine passport that has validated vaccine records, plus some sort of image database that confirms you are who you say you are. You walk up to a scanner, it does its thing, and you’re in … or you’re rejected.
The hardware side of this, for kiosk and touchscreen manufacturers, is probably not all that complicated. But the back-end software and database side is hugely complicated.
I had a great discussion with Tony Anscombe, the Chief Security Evangelist for the tech firm ESET. We get into the opportunities and challenges facing any AV/IT company looking at these passport kiosks as an emerging business.
Tony, thank you for joining me. Can you tell me what ESET is all about and what also your role as Chief Security Evangelist means?
Tony Anscombe: So ESET is a longstanding cyber security company. We’ve been in the industry for 30+ years and we’re headquartered in Europe. Many people will know us from years ago as an antivirus company, but today we’re very much more than that.
We have anti-malware products that you and I might use on mobiles or laptops or such, but we also provide threat intelligence and endpoint detection and response systems all the way up through to big enterprises. So tens of thousands of seats, where they’re looking at anomalies in traffic patterns and such, and that intelligence is super important in today’s environment, especially when you’ve got so much ransomware attacking companies.
And as an Evangelist, you’re preaching to the choir, whether it’s people who are CIOs of companies or people who don’t know very much about network security, right?
Tony Anscombe: Yeah, a big part of staying safe online, whether you’re an enterprise, or whether you’re a consumer, is human behavior. Because we all have on occasion, a tendency to look at a link and think it’s safe and you click on that link and you’re on a phishing page or you’re downloading something that you don’t want.
And understanding what causes cybercrime and actually talking to people about how to avoid it and good behavior and the things to look out for is super important. So education is a large piece of cyber security and it’s important that people like me and most security companies have somebody like me are out there educating both enterprises and consumers.
I assume that those other C-level executives, like the CFO, may not know that much about it? It’s important to have somebody that can listen to this, not purely talking in acronyms and information that they can’t possibly understand, but get enough of it to realize, “I can sign off on this.”
Tony Anscombe: Yes. It’s important that we put it into real speaks, so when you’re talking to a CFO about what’s going to be the impact on their business if they get a cyber attack. Because that’s what they understand, you know, loss of revenue, loss of business, loss of reputation, etc. So actually bring it back to what it might cause to the business and those are important points. No company wants to be attacked and have to make some data breach notification or anything like that.
I was looking forward to chatting because recently I came across information and actually republished a post from another publication about Vaccine Passport kiosk, which is something I hadn’t really thought much about. I have not traveled yet, and I work at home so I don’t circulate a lot in buildings or anything else where this would be an issue.
But if we should shift to a world where vaccine passports are used a lot, I assume technology is going to have to be a big part of this because of the pure nature of throughput, that if you’re going to process a lot of people and verify whether what they have is real or not, you’re going to need machine help because getting humans to do that is just gonna create massive lineups and lots of mistakes.
Tony Anscombe: Yes, and there will be a place for kiosks, but they’ll also be a place for handheld scanners and it is probably best to step back one and I’ll explain because some of the people listening may not have a digital vaccine recognition.
It depends where you are, and what your government is handing out as in way of, “Yes, you’ve been vaccinated” and how that might actually be read. So in the US, I’m sure everybody has seen in some media stories, the little paper CDC card, and of course how would a kiosk actually validate that’s real. It’s just a piece of paper. Whereas some governments that have centralized health databases have gone to the other extreme of having QR codes and confirmation of the vaccination digitally, and if you haven’t got a smartphone, you can print it out and carry it with you. But I think there’s a wide range of different solutions and it’s not just the problem of you and me, Dave, going to maybe a concert or a theater or an office, where there’s huge throughput through the door. It’s also international travel and does a kiosk recognize every different variant of confirmation of vaccination?
Yeah, and because every jurisdiction seems to be doing it a little bit differently. There are no standards and there’s no harmony around what it looks like, what you presented, nothing, right?
Tony Anscombe: Correct, and I’m actually gonna use New York as an example because I think New York has gone through the pain of what I define as three solutions.
They’ve gone through having the CDC card, then they’ve created an app where you can, in effect, upload the card, and it’s not much more useful than the card other than it’s a digital copy of the card. And then they’ve recently in the last few weeks adopted the Excelsior app, which is produced by IBM and works on the blockchain. So the actual app itself provides some security about the data that it’s holding, but it creates the QR code and it tells you the date of vaccination, the person’s date of birth, and who they are. But of course, one thing that’s missing from it is actually confirming who they are.
So it’s all very well having a vaccination record, but you also need to confirm the identity of the person that’s holding the vaccination record, because if you and I were together and one of us was vaccinated on one of us was not, I could easily install my vaccination confirmation on your phone, because I know you’re going to a concert or such and if there’s no validation of identification at the point where somebody checks the vaccination, then you’d be traveling unvaccinated on my vaccination record.
So what needs to happen? What would be the baseline of what’s required to make this truly work and secure and validate it?
Tony Anscombe: So for you to be certain that the person coming in, you need to have pre-validated their identity. So either an app needs to have, for example, take your picture and you upload your driver’s license or other recognized government-issued identity document, and then it does a facial comparison between the person uploading and, the government approved identity document, and then it goes off to the vaccine database and collects the vaccine record for the person with that identity, either the same date of birth, same name and maybe you’ve had to provide an email address or a mobile number that you did when you had your vaccination so that it picks up the correct record and then it marries the two together and holds them in some way in the app.
Now the app should only hold the information it absolutely requires and that is your name, your date of birth, and that your vaccine is valid, and I say that because of course, we will come to a point where like the flu jab, you’d need to have another vaccine because vaccines don’t last forever. So at that point, it needs to know that you’re within whatever period of time it is that health organizations decide that they’re valid for, and then it will create a QR code that’s readable by a kiosk or a scanner. So that actually your data is not being shared, but somebody, as you look at a kiosk that it’s reading the QR code it knows you have a valid vaccine, and if it’s, for example, the company CLEAR that runs airport security, and they do facial recognition. So they take your picture, look at the record that they have on file and match the record to the farm.
So imagine if you’re now turning up to a concert, you go up to the kiosk, you show your QR code, it knows you’ve got a vaccine and it’s checking you are the person that was on the identity document that was uploaded at the time you registered with the kiosk manufacturer.
This sounds very complicated.
Tony Anscombe: And that is maybe an understatement actually, and from the point of explanation, it is. But now think about this from the consumer side.
I’m at home. I’ve got my vaccination records, whatever that may look like, whether it’s an email, whether it’s a piece of paper, a card, or whatever, but my government has decided that they do have a method of having digital vaccine records. So I use my mobile device and I log on to download the app. I validate that I’m the person I am, so here in California for me to get my digital vaccine, where I’m based, I tell it my phone number. I told it the email address I used at the time I had my vaccination. It downloads the QR code, puts it in the app, and then if it’s going that extra step, which it doesn’t by the way in California, which is a flaw in the entire process here. But if it went the extra step and then ask me to verify my identity, all I’d be doing is taking a picture of my driver’s license, looking into the camera on the phone, and it takes that comparison, links my identity to the vaccine record.
Now, when you go to the concert, you walk up to the kiosk. You look in the camera, you show the QR code, the kiosk gives a green light and off you go. So actually once you’ve registered, it should be a simplified process.
If all those records are in place, and they’re exportable, you could do something with them?
Tony Anscombe: Yes, and that’s a good point because now imagine, and this is where I think there needs to be a big piece of standardization. So you’ve got CLEAR in the US who do airport-style kiosks, creating a system. You’ve got Excelsior in New York, creating a system. So now all these different companies will require access to the government or state-backed databases. Now, whether that’s in Canada, whether that’s in Europe, whether that’s in the US, or wherever it is, you’re going to have the same issue.
So there needs to be some standardization on the mechanism that the terminal uses to go and gather the vaccine, but also, to a certain degree. I think I would feel more comfortable if, like in Europe, they put their stake in the ground and turn and say we’ve partnered with this kiosk manufacturer and we’re going to make sure this is ultra-secure and work with one vendor. Because that would give me a lot more of a warm feeling that when I walk up to this terminal, there are not 15 different commercial companies that all have different privacy policies, that all have different security systems, all accessing vaccination records just sound a bit of a mess.
Yeah, and what is the risk to a private citizen to all this?
Tony Anscombe: That’s a very interesting point because there’s another argument of there’s an anti-vaccine passport discussion as well. Yeah, goes along the side of every other anti there is, as there’s always a cohort, isn’t there? People in everything that decide that they’re against things.
Now, the anti-vaccine passport argument is that it’s breaching your privacy because you’re disclosing the fact you are vaccinated. Now I’m just going to throw in consideration here that to go to school in Ontario, you have to have a number of vaccines, 3-5, whatever it is, number of vaccines. So therefore if you stand on the street and watch kids that go to school, they’re already disclosing that they’ve had five vaccines or however many it is. So if that’s an infringement of somebody’s privacy, then surely these kids are having their privacy infringed by going to school. So let’s dismiss this infringement of privacy rights because I think that’s a red herring. I think that’s just somebody who doesn’t want to have a digital vaccine record. I think the privacy infringement is somewhat negated, once you look at it with schoolchildren in mind, and in fact, I’m a green card holder in the US and the same goes for green cardholders, by the way, you have to have had five vaccinations.
I was issued a green card and my arm was very sore the afternoon I had all five, the health authorities in Europe couldn’t confirm that I’d had them historically because it was pre-digitalization. It was a very sore afternoon.
But so now we’ve got that piece out of the way. Your date of birth is pretty much everywhere, it public record, and your name is a public record. So if the vaccine passport is holding the fact you’ve had a vaccine, your date of birth, and your name. It doesn’t appear to me that it’s holding too much data. However, if you then get into when the vaccination was and what type of vaccine was used and you start including other pieces of information, then that’s a good question. Now, the only reason I can understand is if you and I were going to a concert in Toronto, I understand the venue wants to know my identity and it wants to know that I’ve been vaccinated. Do they care what I was vaccinated with? No. Do they care when it was applied? No. All they want to know is that it hasn’t expired, which in theory, the vaccine passport is going to do because I’ve had to register. So therefore my QR code or barcode or whatever it decides to display Would be invalid if I’m past the expiration date.
Now that’s a minimum amount of data. So in theory, that to me is an acceptable risk because my date of birth and name are already in the public domain. And yes, there is a link to that vaccine record, as long as the kiosk render or the app provider is not monitoring my location, and it’s not holding any information on me without good reason. So I can understand you might have some phone contact tracing reasons for a period of time. As long as that data is held only for those purposes and deleted when the contact tracing period expires, Then it may collect like a hash to identify me, but it doesn’t actually have to identify me, it only has to identify my device in the same way contract tracing systems works. I actually think this could be built very securely.
I’m up in Canada. So we’ve got universal health care and everybody who lives in Canada, who’s a citizen or proven resident has a health card with a health number. So that’s how you are up here, at least where I live, you registered for your vaccination and so on, but in the US, which is, 10x the size, you’ve got 50 states and you’ve got HMO’s and everything else, and they all, I’m guessing do a little or a lot differently.
How much of a job would it be to figure out something that would work across state lines?
Tony Anscombe: Firstly, let’s congratulate Canada for having a centralized system because although people may look at it and go…
Tony Anscombe: Well, it is and it’s not. I actually believe it’s a human right to have healthcare. That’s a very non-American viewpoint. But yeah, I come from Europe where that’s pretty much normal as well, but in the US, you have one card that was issued by all states that the CDC vaccination record is the same in every state. The unfortunate part about it is it really is a piece of card. And I’m going to use myself as the example because I have no reason not to share, but when I went for my vaccination, there was a big, long line of people and the healthcare provider in the small rural town where I live, was desperately trying to vaccinate lots of agricultural workers. So it was a lot of pressure on them to get people through the door quickly.
She handed me my card. It had my vaccination on it and nothing else. She said you can fill in the rest of the details yourself, so my name and my date of birth and the other pieces of information. So already there’s flaw number one.
So there’s no traceability of the fact that you even had the vaccine, other than you’re saying I’ve got this piece of paper?
Tony Anscombe: I’d already registered to have the vaccine. They already had a driver’s license number. So there is a state record. But the card I’m holding, I could’ve put anybody’s name on it, but because it’s just a piece of paper, unfortunately, you found outside sporting events that have been held by people selling fake cards, because they’re very easy to replicate.
I actually reckon I could probably create one in five minutes with a bit of photoshopping and a bit of paper card in the printer and I’d be away while you were there. Of course, I think, people shouldn’t do this.
It might not be good for the Chief Security Evangelists to do that as a hobby.
Tony Anscombe: I’m just making that point. I wouldn’t do that, but it’s wrong for anybody else to do that because actually, you may be risking somebody else’s health in doing so. But you’ve also seen examples of some doctors selling the cards without giving the vaccine.
Whereas in Canada, you’ve got this record, and let’s call it a Canadian health number, whatever it might be called. The Canadian health number gives you that centralized database. So you’re in a much better spot for actually knowing whether somebody had a vaccine or not. Now sure, are there going to be some mistakes in systems and your media might find two or three people in the entire country whose vaccine wasn’t recorded correctly or it states they didn’t have one and they did have one, they’ve got proof they had one and, yeah, they’ll always be the odd mistake.
Recognizing that a lot of this verification process as it evolves will be on handheld readers. If it is a kiosk, which is part of my world in digital signage, is there a business opportunity? Is this a high growth potential area or is this something that’s being talked about a lot, but probably won’t happen because all we just talked about is too complicated?
Tony Anscombe: No, I think this is something that is happening. One thing that grates on me slightly is that the industry seems to be reacting, not being proactive in some of it. So the pandemic hit, and then countries realized they didn’t have centralized medical data, and then they realized they need contact tracing type technology. So I understand the pressure on the early parts of the pandemic, were to create technologies that nobody had ever considered. So that is understood.
But at the same time, I think you’re always going to need technology to come out of the other end of this pan day. Of knowing who’s vaccinated and where they were vaccinated and whether it’s valid for the country you’re in. And I say that because there are different approvals on different vaccines in different countries, and they don’t recognize some. I’m amazed that actually, we’re at the hopefully latter end of this pandemic with this wave of Delta variant, that’s going around, hopefully, this puts a stake in the ground and we’re going to come out of this particular variant in a much better shape. But you’re going to at least a year to 18 months with different variants knocking around, most of the world are still not vaccinated, and people traveling, then you’re going to need some sort of kiosk or scanner to verify people’s vaccinations in that way.
So this is an industry, why wasn’t this being built this time last year? We knew we were going to need it. So why don’t we why a company is only building it now? But that’s my gripe as a technologist.
So if I am a kiosk hardware manufacturer, will the ask be for just a QR code reader or are you going to need a camera that’s going to do facial recognition or will the QR code be enough because that was part of what got you to a QR code?
Tony Anscombe: It depends on the scenario where I think you’re scanning the person. So if you’re at a stadium, I think you’re going to need a kiosk that has the camera, because you’ve got maybe 10,000 people coming through a gate, maybe you’ve got 10 gates, a thousand people coming through each one and you want to process them quickly. So maybe 15-20 seconds, they’re going to look at the camera. They’re going to scan the QR code. It’s going to be a quick match on their identity. Yes, that’s the person who allows them in green, off they go. So in that scenario, I think you need a camera.
However, when you and I go to our favorite restaurant and the restaurant turns around and says only vaccinated people can come into this restaurant and eat, he’s probably going to have a mobile app or with the person on the door, and that mobile app is going to scan your QR code and know it’s valid. Now, for them to actually know that the QR code belongs to you, they’re also going to need to ask to see your driver’s license and look at the name and date of birth on the driver’s license and make sure it matches the QR code.
So I think there’s actually a place for different systems in different environments because of the throughput in a restaurant where you’ve maybe got a hundred people coming through a night. It’s fairly easy to do that identity check as well.
Yeah, but different for a football stadium that has 90,000 seats if they go back to full capacity.
Tony Anscombe: You mean, they’re not at full capacity in Canada?
No, not where I live at least. I don’t think so.
Tony Anscombe: So you didn’t get my British sarcasm in there ‘cause I actually think they shouldn’t be at full capacity here in the US.
I’ve been to a couple of soccer matches up here, but they were at two-thirds capacity, but I live in a part of the world where I’m blessed that we barely got Covid.
Tony Anscombe: And, I think there are two things that aren’t there. There’s one of you as the spectator needs to feel comfortable, and I think the extra piece of space makes you feel comfortable. It’s not always about the opening up fully, but yes.
So if I’m looking at doing this. A hardware manufacturer is one thing, you can build it and as long as you’ve got the ability to drop a different kind of PC on there, whatever horsepower it needs to happen, you can do this. If you’re a digital signage software company or a kiosk software company, is this something you should even look at, or is it’s just too complicated right now and there are companies much larger and broader that are already light years ahead, like a CLEAR?
Tony Anscombe: I think there are companies that are light years ahead because they already had, what I define as the security element of creating such a kiosk, because bear in mind, it is taking somebody’s picture, it is validating against the vaccination database. You need to make sure all these things are done in a very secure fashion.
If you were a kiosk manufacturer that I can’t think of, maybe you create tourist attraction kiosks that provide information on tourist attractions. If you’re in that game and you’re now looking at this, I think to do this securely would be a massive challenge and I think you’d be six to nine months behind people that already have this technology, and it will be very difficult for you to do it, or you’d end up putting something on the market that might have vulnerabilities that somebody will exploit, and believe me, they will exploit them if they’re there, and then you’ll just get a bad rap. So I actually think, unless you’re already in the identity verification space or in that medical environment, I think it will be a big challenge.
Yeah. So almost the last time I was traveling and going out of Amsterdam’s airport, they had passport verification with a camera on and the camera would slide down to be level with your face and you would scan your passport thereon, the whole nine yards. So they had a whole orchestrated high throughput kind of system together. So that’s the kind of company that would have a leg up on the others, right?
Tony Anscombe: Yeah, and when I come back into the US if I can remember what that was like. Because I haven’t traveled like you probably for 18 months, When I come back in, I use a terminal to put my US identity documents, my green card details, it scans them, it takes a picture. It compares the picture and the company that’s created those terminals for TSA, they’re in a good spot to be able to do something similar for a vaccine record.
I suppose the other worry that I would have if I was a vendor looking at this, is going to be held up in court, no matter what you develop, there’s going to be the anti-vax crowd and privacy crowds, the people who worry about things like computer vision and so on, that they’re all going to file lawsuits and drag this whole thing down into the courts for, I don’t know, months or years even.
Is that realistic or you don’t think that’ll happen?
Tony Anscombe: I think that’s more of a governmental issue, isn’t it? The anti-vax is unlikely to turn and say that governments or states shouldn’t be doing this type of activity. As a provider of the technology, you’re not the one deploying the technology, You’re only the one providing it. It’s the person who deploys it, then I think could be dragged into the court for actually requiring it.
Right, but you’re manufacturing these things somewhat on spec or at least getting ready to spin this up, and then you are sitting on inventory and they can’t do anything with it, because it’s all held up in courts?
Tony Anscombe: Yes. I agree, and how long ago will these terminals actually be required for, maybe one, two years. I’d like to think we return to full normality at some stage, and maybe that’s a long game, maybe it’s even three years, but by the time you’ve created this technology, you’ve got it to market. I think you’re going to be on the backend of that marketplace. I think, all those stadiums and things like that needed it, will already have it.
I’m sure somebody is thinking about this as well. Two years out, they can divert these things into payment terminals for concessions, and so on.
Tony Anscombe: There’s a thought, isn’t it? Yeah, I’m sure they could be reused. Maybe they could be turned into voting kiosks?
That’s an entirely different discussion, isn’t it?
Tony Anscombe: It is, and we shouldn’t get into it.
All right, Tony, I appreciate you taking the time with me, this was very interesting.
Tony Anscombe: Oh my pleasure, Dave, anytime.