“Less is more,” said Alan Butler, president of the Electronic Privacy Information Center. “These are public health related systems that should be managed by public health departments and should be limited in how they’re used to that context. We don’t want these to be broad data collection systems for all sorts of different uses that exist far beyond the public health crisis.”
The aim is to set guidelines so apps can be interoperable and open source, allowing developers to see what's happening in the underlying code and creating a more transparent and collaborative process.
“Our goal is to have any business develop something — startups can play in this space, as well as IBM,” Wanger said. “We are working on this system so there isn’t a way for one company or one group of companies to have power over health records or be overly dominant.”
In theory, she said, people will have the freedom to choose what apps they want to use. “I don’t think we’ll see a future where you can buy paper towels through a Walmart app and then also get your vaccine credentials. But we think people will be able to manage their credentials through a platform and then use that domestically or overseas.”
Jenn Markey, a marketing director at security firm Entrust, said the success of these rollouts will also depend in part on how the apps work with multiple systems. “The vision is one set of secure digital credentials where the border guard at Heathrow is able to read the same credentials as the usher at Madison Square Garden without compromising citizen privacy,” said Markey.
She added that trying to manage too many solutions could open the process up to security vulnerabilities in the handoff between one application and the next.
At the start, Wanger said the rollout will be reminiscent of the early days of email; AOL users could only email AOL members before standards were developed.
“We are seeing a wave of closed group systems like IBM that are not letting anyone else come into that system and build onto it,” she said. “What we will see with wave two is apps [that can work together]; that’s when enforcement and community alignment comes in. Anyone who wants to play has to play by the same rules when it comes to security, privacy and match standards for interoperability.”
John Verdi, vice president of policy at the Future of Privacy Forum, said it’s too soon to see what methods will prove most popular, but he expects to see a handful of approaches: “We’ve seen this dynamic with contact tracing frameworks, payment cards and other technologies.”
At the same time, people won’t likely want to manage too many digital health pass apps, and it’s possible businesses will accept only a few, much like credit cards at retail locations.
“I would be surprised if any apps that are not directly supported by the state public health departments gain any broad traction at all beyond very limited use cases,” Butler said.