Interview with Dr Sara Helen Wilford, Senior Lecturer/Senior Research Fellow in the Centre for Computing and Social Responsibility at De Montfort University, Leicester, UK. Dr Wilford’s research interests include the theory and application of computer ethics, surveillance studies and responsible research and innovation, focusing on the impact of new technologies on individuals and society.
This interview was held at the end of May 2021.
What is your overall impression of the regulatory proposal for the EU Digital COVID Certificate?
When I was reading through the first version of the legislative text at the end of May 2021, what struck me is that I couldn’t really find out who was going to create the certificates. The document says that there will be no central depository or register, but it is very hard to guarantee that those actually doing the administrative work are going to uphold this premise. The new statement from the Commission mentions SAP and T-Systems as development and operational partners. I think the concerns still stand, but now we would want to consider why these partners? Was there a call for proposals? What is the deal? What is the intellectual property situation regarding the system? What future use is being considered (if only for 12 months, what would happen to the system, the data and the infrastructure afterwards?). The statement does not give any information on how these decisions have been made or answer the above questions, so not enough to go on.
I’m a bit concerned about whether all the good intentions – privacy, equality, non-discrimination – can be upheld. I call it ‘the network of networks’: Say you get your EU Digital COVID Certificate on your phone, which is run by a technology company operating in the EU and elsewhere. The information from the certificate is stored in one database, and information from various social media platforms, financial or health-related data and your passport data is stored on another database. All of a sudden, this information is all in one place for the purposes of the certificate, and it can be manipulated by various stakeholders or even governments. This could be problematic, as the technology will not care about the stakeholder’s intentions, and the people running the technology will not care about the privacy implications if it means that they benefit commercially from it. The commercialisation of such systems and data makes companies tend to justify data analytics by citing company secrecy, but ultimately their aim is to generate profits. And there is no indication that the operator of the technical infrastructure is going to disclose what happens to the data or the source code or where the data is stored. Since the EU Digital COVID Certificate is so unique and new, the legislative act does not provide for such specific penalties.
What do you think of the technical infrastructure and data protection in the legislative act?
The legislative act talks about using public key encryption. It doesn’t mention blockchain directly, but I’m assuming it’s going to be that. Blockchain has its issues, not least the fact that you can’t make any changes – if something is wrong, you can’t correct it, which can be a problem in the case of medical records. Blockchain involves chunks of data tied to each other, so the security system is in fact part of the problem – the records can’t be changed or corrected because it is so secure, and the code will permanently store any incorrect information. You may be able to add additional information later, but as this would be stored in different places in the blockchain, it wouldn’t necessarily make the connection that it is related. So, who makes the decision about what is and what isn’t permissible, and about what is and what isn’t secure, and who has the ability to make changes? Who are the gatekeepers?
In terms of privacy, the document provides solid reassurance as the data won’t be stored in a central register, which is very important. However, how can these data protection provisions and the safe verification of certificate issuance be enforced on a local level, say, in a doctor’s surgery in a rural area? How can the replication of health data and potential connections to other personal data be prevented? The data protection provisions only go as far as the EU Digital COVID Certificate specifically, so this could create a gap between the General Data Protection Regulation and the certificate itself that is not yet catered for legally. So, there is potential for misuse and abuse of the connections by governments on the one hand and commercial actors on the other.
The language interoperability is a very good idea. It makes sense to make the EU Digital COVID Certificates available in two languages – the local language and English. The transition period for Member States to implement the certificates and the mutual recognition of certificates between Member States are also good ideas, but we will have to see how feasible they are in practice. I’m lucky to be able to work in ethics evaluation at the Commission, so I know that even though the intentions are the best, things can look very different in practice. I am just concerned that at some point, the EU may find itself being blamed or criticised for some of the less ethical behaviour of some of their more maverick Member States, who are already pulling away from democratic values. From this perspective, the EU Digital COVID Certificate could be a golden opportunity to gather more data and gain more political control. I’m not saying that this is a set direction, but at the moment, this pattern is not very encouraging.
Since the certificate will gather enormous amounts of data, it will essentially create a network of networks between all user data – and that data will need to be stored and owned by an entity. The statement from the European Commission indicating that SAP and T-Systems are the developers and operators still fails to provide sufficient detail about how permissions will be approved, and how to decide what is allowed and how to keep the system secure. Who else will have access to the back-end infrastructure (outsourcing, additional partners etc) and who will ultimately be the gatekeeper of the public key beyond the initial 12 months? These questions are essential to protecting our fundamental rights, but currently remain only partially answered. The EU institutions have good intentions, and I am sure that the partners have provided some assurances, but it is the unforeseen consequences of the further development of the network of networks that concern me. The EU institutions have good intentions, but it is the unforeseen consequences of who owns and operates the infrastructure that concern me.
Overall, the EU Digital COVID Certificate is a great idea, but we have to be careful. I’m not in any way unenthusiastic about the idea. The provisions on equality cover many concerns about technophobia, people without access to technology, underprivileged persons and people living with disabilities, so to a large extent, the EU has anticipated potential problems. However, I believe the real issues could stem from what actually happens under the hood.