EU Digital COVID Certificates: When governments move fast and break things

May 28, 2021 https://github.com/ehn-dcc-development/hcert-spec/issues/84

On 20 May 2021 the EU Commission reached a provisional agreement on the issuance of the 'EU Digital COVID Certificate'––previously referred to as a 'Digital Green Certificate'. As The Institute for Technology In The Public Interest, we are deeply concerned about the short- and long-term implications of this Regulation.

The certificate is being introduced at great speed under the auspices of public health at a moment of urgency and vulnerability on all levels, be it the level of the state, political institutions such as the EU, collectives, businesses and individuals.

Whilst we recognize the vulnerabilities produced by the COVID-19 pandemic, in this bugreport we outline some of the serious issues that the implementation of the 'EU Digital COVID Certificate' raises. We think it is necessary that the EU commission undertake an 'impact assessment', a step which was dangerously omitted in the record time that the proposed EU Digital COVID Certificate Regulation was agreed upon by the different EU institutions. Our aim in this bugreport is to make a start with defining impact areas, with the hope that other concerned groups and individuals will further extend it.

What is the EU Digital COVID Certificate?

The EU Digital COVID Certificate depends on the establishment of a digital token that links to an individual, 'a holder'. It is proof of either vaccination status, testing status or whether someone has recovered from COVID-19. Setting up a digital token requires infrastructural support, which connects digital with administrative infrastructures. Such an infrastructure is needed to digitally issue certificates and ensure authenticity of each certificate. The certificate can be carried on a mobile device or as a paper document. It makes it possible for different 'verifiers', such as public authorities, travel operators, venue owners or organizers of gatherings, to establish whether the certificate is authentic; if it belongs to the 'holder'; and if it carries the value necessary for entering a space, participating in an activity, or crossing a border. For the verification to happen in a rapid manner, the certificate uses a QR-code signed by the authorities. This means the 'verifier' needs to use a digital device, such as a smart mobile phone or QR code reader, to confirm the veracity of the certificate.

We argue that the implementation of these different steps represents a shift towards administrative-infrastructural regimes. Regimes that are made possible by digital infrastructure and their operational logics––with significant short- and long-term consequences.

Re-purposing e-health infrastructure for managing freedom of movement digitally

Many public health systems in Europe are not fully digitized. However, the introduction of the digital certificate catapults them into the realm of digital administration on a scale never implemented before. This shift to administrative-infrastructural regimes implies the reorganization of public health, as it changes the trust and power relations between relevant actors and stakeholders. The proposed system goes far beyond digitizing health records and existing workflows, because it introduces a system through which "certificates" can be used to manage everyday activities, specifically freedom of movement. Public health authorities are typically not responsible for setting policies and running digital operations which regulate people's movements. In addition, digital infrastructures can come to reconfigure or even break public institutions, as exemplified in the way journalism and publishing succumbed to the rise of social networks like Facebook. What impact does it have on the public health system, its objectives and responsibilities, to be repurposed in a digital environment for the issuance and verification of certificates? What mechanisms are in place to capture and respond to the potential risks of digital transformation of public health institutions at this scale and speed?

Growing public private interdependencies entrenched in an essential infrastructure

While any vaccine or test can be written into a certificate, not any test or vaccine will fulfill the requirements for freedom of movement. By virtue of regulating which test and which brand of vaccine can allow the holder of the certificate to enter a space, participate in an activity, or cross a border, the EU Digital COVID Certificate will act as a powerful gatekeeper between private partners, governments and the public. How is the growing interdependency between public and private agents, which is part and parcel of this essential infrastructure, being kept in check?

Policing will bleed further into daily life

Since the data in the QR code is available in the clear, this infrastructure has no built-in constraints for who can verify the certificate. Since certificate checks can be expected not only at the border but could be easily implemented for entering a workplace, a demonstration or a classroom, it introduces new forms of policing into everyday life. This setup facilitates conditions of vigilantism through the everyday management of citizen movement, optimisation, population flow and control. It also potentially demands that teachers, health-workers, shopkeepers and protest organisers act as if they were police. What mechanisms are in place to limit random checks? What legal and complaint procedures are foreseen to address grievances? How to ensure that rather than supporting freedom of movement, the digital token becomes a tool to restrict movement of people as they go about their daily life?

The expansion of borders

As argued above, the implementation of the certificate will further intensify technologies of the existing border regime into everyday life, also at places that are far from geographical borders. It extends the force of the state, which will no doubt add to histories of inevitable inequalities and asymmetries of such bordering regimes. The EU itself has a terrible track record when it comes to border regimes, human rights and global inequities. What is being done to prevent the certificate from further contributing to racist, classist systems, to a multi-tier society and increasing levels of violence at ever expanding borders? How does the regulation consider people from outside of the EU and the way their human rights might be affected by the introduction of digital certificates?

A neverending infrastructure

The recent renaming of the certificate from a generic 'Green Digital Certificate' into 'EU Digital COVID Certificate' seemingly limits its scope to the COVID pandemic. But as we know from the USA PATRIOT Act that was introduced shortly after 9/11 and never fully retracted, or anti-terrorism measures in France that were extended five times, once in place––when dependencies are created, "crisis measures" risk becoming permanent. Although the Regulation has attempted to address this concern by including a clause that deals with rollback by stating that it "should be lifted as soon as the epidemiological situation allows", this does not guarantee it is just a temporary measure. With multiple industries and countries depending on the relaxation of the lockdowns, and technology companies of all sizes entangled in this digital-administrative-infrastructure, what force will it take to remove it? Is the 12 month sunset clause still valid when the COVID-19 pandemic has not been overcome by that point? What prevents its application from being resumed in case of another pandemic due to an outbreak of SARS-CoV-2, a variant thereof, or similar infectious diseases with epidemic potential?

Shifting grounds

The fact that this certificate is in essence digital makes it possible to introduce regular updates. This will make the infrastructure responsive to changing understandings of the effectivity of vaccines, and new test methods to be integrated. The Regulation limits clearly what can be certified: vaccine, test result, and recovery, but it does not regulate what policies can be applied based on checking the information carried on the certificate. The policy determines whether a given vaccine or test is sufficient for movement, or whether there are exceptions or updates to policies that should be applied. The certificate is promising to not discriminate between recovery, vaccination or a negative test. How is the equivalence between the three, vaccination, testing and proof of recovery maintained? Who decides what prevails or what happens when scientific insight changes?

This bugreport ended up in the GitHub repository of the Digital COVID Certificate, because we have not found another platform to place it. The promise of a timely digital solution for re-establishing freedom of movement before the start of the summer holidays has erased the space for due diligence and public consultation. Given the concerns we raised above, and those raised by many other people and institutions, we are concerned that instead of a benign and 'safe' way out of a difficult situation, the EU Digital COVID Certificate will do immediate and long-lasting damage, especially since it is being rolled out as nationalism and fascism are on the rise in the EU and elsewhere.

We urge people in different communities, movements, professions, and institutions to consider extending the questions above, because, absent public consultation, and considering the potential impacts listed above, our main questions are: Can we afford this digital-administrative-infrastructure? Can we allow it? Is it really an option?

The Institute for Technology in The Public Interest,

Miriyam Aouragh
Nishat Awan
Gwendolin Barnard
Yasmine Boudiaf
Seda Gürses
Clareese Hill
Infrastructural Manoeuvres
Martha Poon
Helen Pritchard
Femke Snelting
Eric Snodgrass
Cassandra Troyan
Magdalena Tyżlik-Carver

Bugreport posted on GitHub (screenshot)