Behind the Code: Making COVID-19 Digital Health Pass
It was in March 2020, at the start of the COVID-19 pandemic, when Elli Androulaki first thought about creating a digital health pass. The leader of blockchain research at the IBM Research Europe near Zurich, she knew that once the pandemic begins to ease up, returning to work, attending events, or even using public transport would require people to provide information on their health.
“I got from my manager asking to set up a brainstorming session with my team. I noticed a sense of urgency in his voice,” Androulaki recalls. Her manager, Marc Stoecklin, leads the Security Research department at IBM Research Europe.
“At the time, the company had just launched the IBM COVID-19 Technology Task Force to respond to the crisis. I was confident that on the security team we had the right mix of skills and experience to also help out,” Stoecklin says.
On a swiftly convened virtual meeting, the scientists presented a handful of ideas — and chose a blockchain-powered solution to securely verify a user’s health status while protecting their privacy.
The idea assumed people would get certifications of their health status, including PCR and antibody test results or vaccination status, from their healthcare providers. The obvious device to store and share the data would be mobile phones. But not everyone has a smartphone. To make the solution more widely accessible, they decided to also make it available in the form of a printed QR code that could be scanned.
The IBM Digital Health Pass was born.
“I knew immediately that this technology had very high potential to produce a lasting impact when dealing with the pandemic and even beyond,” Stoecklin says.
A prototype in three days
After receiving approval from the Task Force, Stoecklin and Androulaki had to get the idea to market.
On the other side of the globe, colleagues from IBM Watson Health developed a similar solution. The teams, some 20 people, got together: the Watson Health team designed the IBM Digital Health Pass user apps and services and integrated the blockchain-based, identity-powered technology provided by IBM Research.
Androulaki then asked Ilie Circiumaru, a software engineer on her team, how long it would take to build a prototype. His Slack message was short and confident: “Three days.” He did it with time to spare.
Soon, though, challenges started to pop up. Androulaki remembers having a hard time imagining all the different customer requirements the app would have to meet. “For us, it was clear that data privacy was crucial. We wanted the users — the data owners — to be the ones deciding which pieces of personal data they would share ,” she says. The data owners also had be able to delete their data at will.
Ways to address privacy concerns were built into the health pass from the get-go. But how would they implement this for different use cases? “Our initial scenario was international travel, but we wanted the app to be as customizable as possible. We think that it could someday be used beyond the pandemic to manage everything from a student’s academic records to an employee’s CV,” says Androulaki.
Figuring out client’s requirements
But even sticking to the health status verification use case, questions arose around aspects like establishing trust in the issuers of a vaccination certificate, or accommodating data analytics without compromising privacy.
To address the future costumer’s needs the best way, the global team worked together. “Watson Health engineers were great at translating client requirements into technical and security specifications that we could understand,” says Androulaki. “It was one of the best-functioning collaborations we’ve ever had.”
Exactly six months after the first brainstorm, on 25 August 2020, IBM announced the IBM Digital Health Pass. It was launched with limited availability on 15 November.
Part of the appeal of the IBM solution is the freedom it gives organizations to select the criteria to assess health status based on medical data. Whether it’s vaccination or on-site temperature scans or other data, those managing admission can always choose what they want to rely on.
But for the Research team, it’s the focus on privacy protection, accountability and transparency that makes the most difference. “Looking back, I think we made the right choice in being conservative about privacy,” Androulaki says. The team wanted the app to be used widely and that meant compliance with data protection regulations like the European GDPR. It also implied a change in mindset.
“We couldn’t just do things based on convenience and put everything on the blockchain,” says Androulaki. At the same time, she and her team had to get the job done within a few months. “It was quite a challenge, but rarely have I felt that my work has such an immediate impact on everyday life.”