Any proposal for vaccine credentials must be primarily paper-based, decentralized, and protect privacy.

With COVID-19 vaccination rates accelerating, governments around the world have begun to consider implementing a standardized credential or “vaccine passport” that would let people prove that they’ve been vaccinated. And the idea became more real when the Washington Post reported on Sunday that the Biden administration was working with companies to develop such a structure.

Our nation’s primary push right now should be equitable vaccine distribution that gets as many people as possible vaccinated and reaching herd immunity. If we can do so, epidemiologists say, we’ll reach a point where COVID no longer has enough vulnerable hosts to circulate within our communities. This means that most people most of the time — even those who can’t get vaccinated — won’t have to worry about the disease.

When that happens and COVID comes to resemble other dangerous diseases where there are occasional flareups but little spread, such as measles, the need for a COVID passport will seem much less urgent. Nobody is demanding we provide proof of measles vaccination everywhere we go. And in the limited circumstances where such proof is required (school enrollment, some medical jobs, and some overseas travel), it’s far from clear that the existing system of paper documents is somehow deeply broken and in need of fixing. That’s especially true given that creating a passport system would be a herculean task.

As privacy advocates and civil libertarians, there are several factors to consider on vaccine passports.

There is a difference between a standardized system for presenting proof of vaccination, and a digital system for doing so. With more and more of our credentials being displayed through apps on our phones — from airline boarding passes to concert tickets to gym memberships — it strikes many people as an obvious and overdue step to create a similar digital credential for those occasions when a person has to prove that they’ve been vaccinated. But digital credentials present a number of new potential problems, and we would oppose a vaccination credential system that does not meet three crucial criteria:

1. It is not exclusively digital. A system that is exclusively digital, whether by design or as a practical matter, would be a nonstarter because it would increase inequality. Many people don’t have smartphones, including disproportionate numbers from some of our most vulnerable communities, such as people who are low-income, have disabilities, or are homeless, as well as more than 40 percent of people over age 65. As a result, any vaccine credential system would need to include a paper-based version for those who don’t have a smartphone or simply don’t want to use one. The paper option should not be a difficult or disadvantageous afterthought; a standardized credential should be primarily a paper-based system with an optional digital component, not the other way around. Our health care system is already ridden with inequities from top to bottom; we don’t want to worsen that situation by closing off even more societal benefits from those who can least afford it, or who have reason to fear such a system — including immigrant communities and communities of color who are already subject to over-policing and surveillance.

2. It is decentralized and open source. The quest for a digital identity and credentialing system has become an entire field unto itself. Numerous companies, technologists, and academics have already generated a variety of concepts, standards, and products that would let us use cryptographic files or “tokens” on our phones to prove things about ourselves across our lives. The best of these schemes — and the only ones that should be considered for any digital elements of a vaccine credential system — take a decentralized and open source approach that puts individuals in control of their credentials and identity data, which they would hold in a digital wallet. But given the difficulty of creating a digital vaccine passport, we could see a rush to impose a COVID credential system built on an architecture that is not good for transparency, privacy, or user control. That could lock us into a bad standard as other parties that need to issue credentials piggyback upon it to offer everything from age verification to health records to hunting licenses to shopping accounts, memberships, and web site logins.

3. It does not allow for tracking or the creation of new databases. Unless a vaccine credential system is completely decentralized and user-centric, it creates the potential for amassing new personal data. If some big company is getting notified any time someone reads one of your credentials, that would let them track your movements and interests — the stores, concerts, and transportation venues you visit, and much more. In the absence of airtight legal protections for privacy, any such information could then be sold for commercial purposes or shared with law enforcement. That would affect all of our freedoms, but will have a particular chilling effect on communities of color, including immigrant communities, that are already over-policed. Fear of tracking could lead people to opt out of participation, resulting in further marginalization as they are denied access to certain public spaces. Worse, without privacy protections strong enough to create public confidence, it could even deter people from getting vaccinated in the first place.

Although those are the three most significant issues we see now, the devil is often in the details, and any proposed system will have to be examined closely. Another issue is the handling of people who can’t get vaccines because, for example, they have certain medical conditions or simply don’t have access to the vaccine. Will the system distinguish between such people and those who have simply decided they won’t get vaccinated? If so, how will people obtain a certification that they are medically contraindicated? One of the reasons it’s important to reach herd immunity is precisely because there are some people who can’t get vaccines that protect them personally. Those people shouldn’t get shut out of full participation in our society.

We also worry that a vaccine passport will encourage over-use. The issues around passport design are separate from the question of where and when people can be required to furnish proof of vaccinations, but if a passport system makes it very easy to ask for and to provide proof of vaccination, it’s likely that such requests will become over-used as people get asked for credentials at every turn. While there are legitimate circumstances in which people can be asked for proof of vaccination, we don’t want to turn into a checkpoint society that outlasts the danger of COVID and that casually excludes people without credentials from facilities where vaccine mandates are not highly justified.

We were heartened to see that the Biden administration appears to be aware of many of these concerns: White House coronavirus coordinator Jeff Zients declared earlier this month that “any solutions in this area should be simple, free, open source, accessible to people both digitally and on paper, and designed from the start to protect people’s privacy.” The administration has also repeatedly stated that vaccines must be accessible to people regardless of immigration status, and therefore any unintended deterrence must also be considered. Such statements show a thoughtful awareness of the landscape here.

We don’t oppose in principle the idea of a requiring proof of vaccination in certain contexts. But given the enormous difficulty of creating a digital passport system, and the compromises and failures that are likely to happen along the way, we are wary about the side effects and long-term consequences it could have. We will be closely watching developments in this area.