Blog
Covid-19 vaccine certificates: the digitalisation of fraud
Digital solutions have been a recurring theme in the pandemic response, and are regularly proposed as a route to minimising fraud in the vaccine certification process. However, the rise in cyber-crime increases the risks of an over-reliance on these technologies, potentially allowing criminals to infiltrate the Covid vaccine certification space. While QR codes with digital signatures make it far more difficult to falsify vaccine certificates, they are not entirely foolproof.
No global standard for certification
Paper-based certificates are susceptible to alterations and falsification. Developing and deploying digital-based vaccination certificates globally could counter the limitations of the paper-based certificates, allowing countries to reopen more safely. Accordingly, the World Health Organization (WHO) assembled a working group to develop a smart vaccine certificate and build a global trust framework for cross-country validation.
However, these plans changed, and the global trust framework was dropped (at least in the short term), and replaced with ‘guidance documents’. Rather than promoting a global standard, these guidance documents leave it to bilateral and regional agreements to establish cross-border trust and ‘trust frameworks’.
Covid-19 certificates and fraud
Covid-19 certificates that allow people to travel internationally are vulnerable to fraud. The fragmented and rapid changes in policy between nations have made it difficult for border systems to verify certificates, and easy for fake certificates to proliferate.
The black market for fake Covid-19 vaccines and certificates saw the opportunity – and took it. Fraudulent negative Covid-19 test certificates have been found on travellers at international airports in the UK and Dubai. Two men were arrested in Zimbabwe for selling fake negative Covid-19 test results to travellers at border check points, and similar cases have been seen at the border between Mozambique and South Africa.
Covid-19 test forgery rings have been spotted and broken up across South and Central America, raising concerns of the involvement of organised crime in manufacturing, selling, and certifying Covid-19 related products and vaccines.
Certificates, human rights and extortion
Opponents of Covid-19 certification argue that the certificate will worsen global inequities and infringe on the rights of the most vulnerable in society.
In Russia, for example, access to healthcare services has been officially tied to vaccine certification. Organised crime has had a field day, and fraudulent certificates flooded the black market as demand sored.
In Central America, fake negative PCR tests are sold at many border crossings, exploiting the desperation of migrants fleeing abuse and oppression.
The surge in demand for vaccine certificates offers an additional path for corrupt border authorities to make a profit. For example, at the borders in Central America, the pandemic and its certificates have created an opportunity for already corrupt border officials to increase the ‘fee’ demanded from migrants. As border crossings have not been included in pandemic anti-corruption monitoring, the health of migrants and the corruption that they face has gone largely unaddressed in national pandemic responses.
A digital response to fraud – the EU Digital Covid Certificate
Digital solutions are being deployed to mitigate fraud and ensure safe travel. The EU Digital Covid Certificate sets the standard as the first transnational vaccine verification mechanism for public use. The certificate contains a QR code and digital signature to guard against falsification. These can be shown either on a mobile device or on paper. The certificate works as a digitalised proof that a person has either been vaccinated, received a negative test result, or recovered from Covid-19, facilitating safe free movement inside the EU bloc. This data is kept confidential from border personnel, as the QR code only confirms if a person has gone through one or more of the steps, without revealing the details.
The success and shortcomings of this scheme will be monitored closely, especially by low- and middle-income nations who might consider it a model for their own systems.
Fraud goes digital
Whether the European Digital Covid Certificate succeeds in reducing pandemic-related fraud is yet to be seen, but indications so far show mixed results. Fraud cases are on the rise as security concerns around the Certificate mount. The main perpetrators include organised crime networks, corrupt healthcare workers, and anti-vaxxers.
In Italy, several online fraud schemes peddling fake vaccine certificates, with fake QR codes and vaccine batch numbers, were closed down. In France, real certificates, with real QR codes were being sold, allegedly obtained from health workers with official access to the health databases. In Greece, a doctor who was himself an anti-vaxxer and ‘Covid denier’ was caught red-handed, giving fake inoculations to obtain certificates for his Covid-sceptic friends. We are seeing how security flaws in the European Certificate make it easy for those with the know-how and the right connections to forge and obtain fake certificates.
Digitalisation is only part of the answer
The digitalisation of Covid-19 certificates is therefore not a panacea for fraud and falsification. A digital version does little to mitigate fraud and abuse if the certificate does not consider its paper twin’s inherent corruption risks and the human actors who generate or have the responsibility for verification.
Take the example of the digitalisation of the ‘yellow card’ in Africa. In Nigeria, an e-yellow card was created, in the hope of preventing or mitigating fraud. However, the Lancet, and members of a delegation of young Nigerians travelling to Ghana, quickly noted that digitalisation does not necessarily mean ‘fraud-safe’, as both were able to obtain the certificate without showing proof of vaccination.
Minimising fraud in Covid-19 vaccine certification: the way forward
Blockchain technology
Blockchain technology offers safeguards against tampering and falsification. In Zimbabwe, a QR code built on blockchain technology was developed to prevent yellow card fraud. It shows promising results, and discussions on how to scale it up to include Covid-19 test certificates are ongoing.
Blockchain technology may therefore provide a more secure mechanism for Covid-19 vaccine certificates, since it is based on the principles of cryptography, decentralisation, and consensus, making it less vulnerable to fraud. However, the unequal access to digital and blockchain technology in different countries means that it will take a while for its benefits to be felt in eliminating fraud. For example, despite the blockchain initiative in Zimbabwe, news of private laboratory centres issuing fake Covid-19 certificates highlights one of many ways corrupt people can avoid digital safeguards.
E-passports: building on what already exists
The problems with digital vaccination certificates are that the technology is new, the science is uncertain, and international standards to regulate them are in their infancy.
Therefore, bilateral and regional agreements that build on existing identification mechanisms such as the e-passport could be one way to streamline the certification process and make it more secure, while avoiding the need for a whole new global digital architecture. For example, electronic features such as storing e-visa information could be expanded to hold vaccine status information, making it harder for people to create fake vaccine certificates.
E-passports have a number of advantages: they are already ‘out there’, in people’s hands and in everyday use; they are already a requirement for travel and identification; and they are continuously updated to be more secure and fraud resistant. While it is far from a perfect solution, in the short term, building on what already exists will be a more resource efficient, safe, and inclusive way for digital tools to play a role in reopening our societies.
Disclaimer
All views in this text are the author(s)’, and may differ from the U4 partner agencies’ policies.
This work is licenced under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International licence (CC BY-NC-ND 4.0)