‘Fit to Fly’ madness -or- how to hack a ‘COVID travel certificate’ in 20 minutes, persuade an airline to let you on a plane, and convince Border Force(s) to let you travel. Welcome to ‘The Identity Black Hole’

TL;DR: Random Certificates Issued by Unregulated / Unverified Bodies, Unable to be Checked for Accuracy or Authenticity by Airlines and Border Forces *who then make decisions based on these as to whether a Passenger can a) get on a plane b) enter the country*. The world is stuck in an identity black hole.

This questionable process costs us, the passengers, £100s if not £1000s (for a family of 4+). With the UK pre-ordering a vaccine, we are headed for chaos if the broken process of ‘Fit to Fly’ doesn’t get fixed. Fast.

As a CEO of a company with airline clients, prior to COVID, it was essential for me to travel abroad for work. This travel constituted a large portion of my time out of the UK — such as a six-month stint working in Dubai with Emirates. I also enjoyed a frequent European weekend away or a long trip once a year. I offer here 13 points on the mess we now find ourselves in. The views expressed in this post are my personal views, not the views of any company.

1) The end of waiting

Given we will shortly have effective and affordable vaccinations there is hope that we may, soon enough, be able to resume international travel, right? As part of my work, I began researching the entry requirements which myself and my family (of 5) would face in getting on a COVID-‘secured’ international flight and going through newly re-opened borders.

2) New borders

Both Spain and Greece seemed like straightforward short-haul targets. I initially checked the Foreign and Commonwealth Office website for the necessary entry arrangements. I was aware, as part of my work with IBMATA [1], of the wildly varying regulatory requirements on the ground. I found that the latest Spanish regulations require each passenger to present a negative COVID test result at the border [2]. This means, of course, before flying; much like any ‘right to entry’ needs to be checked by the airlines in advance of boarding (an example of this is an ESTA if you fly to the USA, or a valid visa — checked pre-departure in airports).

I was not surprised that the Spanish government has introduced health regulations. I also expected that the airlines would require us all to comply with these before they would accept us as passengers. But would these persist as a standard for other European border forces? And would different airlines impose different passenger requirements? The confusion and anxiety this adds to the (already complicated) COVID travel experience is immeasurable.

3) Testing, Testing…1, 2, 3.

Understanding the requirements, I considered the types of tests accepted. Through my work with our scientific advisors and connections at my alma mater, Oxford University, I knew that Coronavirus tests can either look for antigens or antibodies. The former looks for an active presence of the virus in the body and the latter identifies if the immune system had a response to COVID previously. Currently, there is not enough knowledge on immunity to make an antibody test acceptable [3].

There are 2 types of antigen tests: PCR (Polymerase chain reaction) and LAMP (loop-mediated isothermal amplification). The LAMP is easier to administer with a simple sip, swoosh, and spit of liquid to collect the sample (this can be conducted using a swab, but is less common), whereas the PCR requires a direct swab of the nostrils and back of the throat. The PCR is also quicker and requires less expensive equipment. In terms of ease and time, LAMP outranks the PCR. The PCR, however — although not 100% accurate in either positive or negative results — has traditionally been considered the gold standard for accuracy due to the RNA load requirement being quite small. The current border regulations seem to reflect this thinking. The PCR also seems to be the test more likely to receive approval by UKAS (the UK’s national accreditation body). Unsurprisingly, the Spanish borders also require that our passenger test is a PCR.

Having decided on a destination, researched the entry requirements and regulations for travel, and learned how to fulfil these requirements … think you’re almost ready to go? Not so fast.

4) How long + how much?

As a UK-based passenger, you now have to dig deep: free PCR tests offered by the NHS are only issued to individuals who are showing COVID symptoms [4]. Any potential passengers must be symptom-free — and in any event, the NHS makes clear that their tests are not allowed to be used for enabling (the ‘unnecessary luxury’ that has become) foreign travel.

I found a well-researched article in The Independent [3], with a comprehensive list of non-NHS, private sector providers — and their eye-watering pricing.

Fleet Street Clinic [5]

Same day COVID-19 rt PCR testing, returned in 2–6 hours: £495
Standard Covid-19 rt PCR testing, returned in 2–3 days: £295

Nomad [6]

Express PCR self-test, returned in less than 48 hours: £195
Express PCR in-clinic, returned in less than 48 hours: £195

Masta [7]

PCR test in-clinic, results in 2–3 days: £145

Doctap [8]

Randox PCR, results in 2 days: £134
Salient Bio PCR Express, same day results: £134

Some quick maths reveals that testing alone would cost our family of 5 anywhere from £650 to £2475.

It seems that in 2020, overseas travel has reverted to being an aspirational 1960s style dream, and once again become a luxury for the few, not the many. Are the days of a weekend short-haul getaway a thing of the past? If so, the travel industry is heading for disaster. But fortunately, an effective, affordable vaccine is on its way…. that will solve it right? No, we’ll get to them later.

In the meantime, it’s a price war. A single PCR test result can be returned in 65 minutes from the moment the sample enters the machine [9]. Yet, many providers do not guarantee the test results will arrive within the 72-hour window prior to travel needed for permission to travel, and when they do return the results — they are relying on self-asserted data from the person who took the test.

The question is: how do you prove to the airline or the border force that a passenger has indeed legitimately had either a test or a vaccine?

5) Whose test is it anyway?

A test result currently ‘belongs’ to whoever claims to be taking it. There appears to be no token assigned or identity checks conducted at all in the process. Most testing websites say that you need to bring your passport and ask reception for these details to be added. But only if you want to.

The results are then sent to the person paying for the test. What barriers are in place to stop an infected passenger from throwing money at the problem and paying for someone else to take the test for them? We can hardly expect staff to scrutinise passport photos at the reception of a pop-up testing facility in a car park (Gatwick’s Long Stay car park is featured below).

We also can’t expect receptionists to be adequately trained in identity-checking everyone coming into their test centres. The system appears to be set up to commercialise the test, not to identify the person taking it.

The pricing structure is clear: you aren’t just paying for a test, you are paying for its urgency, too. The risks of financial strain and identity fraud don’t stop there. This complexity adds up even before deciding whether to take the risk of purchasing tickets or accommodation in advance, all the while balancing the elusive 72-hour window for a negative PCR test… And the fact that you can not prove the accuracy of that test in any way or that the result was indeed YOURS — and no one else’s.

Travel seems to have become a maze of confusion, bad data, and questionable practices. Testing makes it an unaffordable endeavour for most, killing individual spontaneity and punishing those who may need to travel — to make it home to say goodbye to a loved one abroad, or those who must urgently travel for other reasons.

6) Trust me, I’m a doctor

There seems to be a surge in testing companies appearing to meet a consumer demand. Many are recently registered (more on that below). Will they still be here next year? Who knows. It does seem that some of these testing companies are exploiting (is that too harsh a word?) the consumer at a time of dire need. Identity questions aside, let’s consider what it is you would actually be getting for your money. And whether you — or the airline and border force — can trust the outcomes of that PCR test at all.

Many of the PCR testing providers which were highlighted in the Independent article claim to be regulated by the CQC — Care Quality Commission on their websites. The CQC is a regulating body responsible for monitoring and rating medical sites around the country [10].

Other PCR test providers claim to offer “GMC medical issued certificates” [11] (aren’t all UK medical doctors GMC certified?)

On examination, I noticed that the CQC logo was being used both by the clinics that have been inspected by the CQC, as well as those clinics that have only been registered with the CQC — but have not been inspected. Some of the ones listed in the Independent were only registered earlier this year, 2020.

One would ask whether the CQC logo or GMC might be displayed to lure consumers into a false sense of security? Once we have paid and waited for a test, there is no standardisation or regulation to ensure that these PCR tests are performed in a medically legitimate manner. Nor can we tell, in any way, that they have been accurately processed. Importantly, we also can’t check that these tests were not assigned to the wrong person — in absence of any identity verification or ID persistence. And the world’s borders are relying on this mess to make judgments on people entering their countries? But, hey — if you get one of those results — at least you can rely on them to fly. Or can you?

7) Data and decisions: Rubbish in = Rubbish out

The range of veracity and accuracy of the test outcomes seems to be entirely insecure. It turns out that, with most of the PCR test providers, the ‘result’ arrives to you in the form of a PDF: no password, no firewall, no identity verification, no two factor — nothing. It is an unsophisticated document — easily editable by anyone. It is not secured in any way.

And, most importantly, it can belong to absolutely anyone (how many John Smiths could share one certificate?). It can be easily changed with the most basic skills to fill in any passenger’s personal details. Within 5 minutes of searching, I even found blank examples, pre-signed by the doctor, available to download [12].

Is this the secure data that airlines and border agencies are basing decisions of (national) security on? In choosing who gets to access international flights or enter their borders?

I reached out to my contacts in Spain to find out more. I learned that the Spanish border authorities have yet to operationalise a secure way to verify the authenticity of test results. I understand that entry is permitted on the basis of the passenger having a PDF of a certificate on their mobile, which they simply have to show to the Border Authorities. And that the only ‘authentication’ check performed by the border agent is to ask the passenger to click on the address of the email to which the PDF certificate was sent from. This is used as a ‘check’ to see that the domain name from which the email was sent is not a Gmail / Hotmail address. And that it is (or appears to be) an ‘official source’ and corresponds to the PDF ‘Fit to Fly’ certificate.

8) The hacker’s way

Curiously, some test company websites have also (helpfully!) uploaded a sample of a COVID-19 PCR test results report — also in PDF format [12].

But what of the borders ‘email check’? I am all too aware of how easily domain names can be purchased. You can then send unlimited emails and multiple edited documents — making it appear as if a traveller fits the requirement. A quick search on GoDaddy, for example, showed that I can buy ‘randoxonline.co.uk’ for less than £10 [13] (Randox being one of the providers of the PCR test listed in the Independent article).

This means that both Airlines and Border Authorities are potentially making decisions based upon non-verified claims, non-verified sources, non-verified identity, and non-verified documents as a matter of national security in crossing international borders/airspace. Staggering.
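
An added example, not part of the original post and not a description of any vendor's product: a sketch of the check that sections 7 and 8 find missing, in which the lab signs the result together with the passport number and the verifier checks that signature against a registry of accredited issuers instead of looking at the sender's email domain. The issuer names, passport numbers, field names and the registry are constructed for illustration, and measuring the 72-hour window from sample time is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Result is what the lab signs; the field names are illustrative assumptions.
type Result struct {
	Issuer, Passport, Test, Outcome string
	SampledAt                       time.Time
}
// Issue serialises the result and signs those exact bytes with the lab's key.
func Issue(priv ed25519.PrivateKey, r Result) (payload, sig []byte) {
	payload, _ = json.Marshal(r) // cannot fail for this struct
	return payload, ed25519.Sign(priv, payload)
}

// Verify is the airline/border check; reg is a hypothetical registry of accredited issuers' keys.
func Verify(reg map[string]ed25519.PublicKey, payload, sig []byte, passport string, departure time.Time) error {
	var r Result
	err := json.Unmarshal(payload, &r)
	pub, ok := reg[r.Issuer]
	switch age := departure.Sub(r.SampledAt); {
	case err != nil:
		return fmt.Errorf("malformed payload")
	case !ok: // a look-alike sender is simply not in the registry
		return fmt.Errorf("issuer not in registry")
	case !ed25519.Verify(pub, payload, sig): // any edit to the bytes lands here
		return fmt.Errorf("signature invalid")
	case r.Passport != passport: // result is bound to the person who was sampled
		return fmt.Errorf("issued to a different passport")
	case r.Test != "PCR" || r.Outcome != "negative":
		return fmt.Errorf("not a negative PCR result")
	case age < 0 || age > 72*time.Hour:
		return fmt.Errorf("sample outside the 72-hour window")
	}
	return nil
}

// Scenarios runs constructed cases and returns the verdict for each.
func Scenarios() map[string]string {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, rogue, _ := ed25519.GenerateKey(nil) // key of an unregistered look-alike "lab"
	reg := map[string]ed25519.PublicKey{"lab.example": pub}
	fly := time.Date(2020, 12, 10, 9, 0, 0, 0, time.UTC)
	good := Result{"lab.example", "X1234567", "PCR", "negative", fly.Add(-48 * time.Hour)}
	p, s := Issue(priv, good)
	fp, fs := Issue(rogue, Result{"lab-online.example", "X1234567", "PCR", "negative", good.SampledAt})
	edited := bytes.Replace(p, []byte("X1234567"), []byte("Y7654321"), 1)
	v := func(p, s []byte, who string) string { return fmt.Sprint(Verify(reg, p, s, who, fly)) }
	return map[string]string{
		"genuine": v(p, s, "X1234567"), "borrowed": v(p, s, "Y7654321"),
		"edited": v(edited, s, "Y7654321"), "lookalike": v(fp, fs, "X1234567"),
	}
}
func main() { fmt.Println(Scenarios()) }
```

The verdict depends only on the signed bytes and the registry, so it is the same whether the result arrives as a PDF attachment, a QR code or a printout.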

9) Where there’s a will, there’s a way

The options and temptations for abuse of this ‘system’ hardly need spelling out. Bizarre practices are popping up in order to meet desperate needs. With no apparent means of anyone validating the integrity of either 1) the identity of the would-be passenger or 2) the integrity of the process they follow. It seems (almost) anything goes in order to travel and meet entry requirements.

https://www.independent.co.uk/travel/news-and-advice/covid-test-gatwick-airport-passengers-b1759006.html

A local source of mine shared that people have been organising team rides to Gatwick to get a test (entirely not in keeping with social distancing). The in-airport PCR test subsidised by Gatwick costs ½ the going price at only £60 [14], making it an attractive option. Even for those who don’t own a car in the capital. And because with four or more passengers (who do not have to be related) you can get a discount, Gatwick long stay car park is where it’s at apparently!

Putting aside dubious practices and profiteering, there is also a worry in ethics around returning a PCR test result solely as a “fit-to-fly” status. There is both an issue of duty of care in managing the result, and duty of care to the individual taking the test… provided, of course, you can identify them!

10) Whose problem is it?

So, what is the protocol for dealing with someone who does indeed test COVID-positive in their PCR? How does the testing centre ensure you are advised of having COVID? How can they assure that the test is yours in the first place? Just because someone showed them a document (which is optional anyway) doesn’t mean identity has been established. Self asserted data won’t cut it.

Organisations offering these services should have a duty of care to accurately identify the individual. Should they also go beyond alerting those who test positive? And ensuring that the proper response is taken? Will they need to notify the track and trace authorities? And acquire informed consent to do so — in a GDPR compliant way? Consent without identity, however, is another challenge — that currently isn’t solved.

11) Identity + health

In practice, there is currently a disconnect between who is taking the test, who is performing the test, and any integrity of valid data flowing through the end-to-end ecosystem to produce a (verifiable) result. That result is then trusted by airlines and Border Authorities. They must make ‘accurate’ decisions based on questionable result data. In the absence of the ability to authenticate and validate the end to end process, you have potentially dubious providers of medical data popping up, claiming all sorts of (unverifiable) results, which may be unethical and/or be connected to the wrong individual — or to someone who is entirely un-identifiable. This would-be passenger could then present themselves — and their dubious results — for international travel, posing a health risk to anyone else on the plane — and also to the country into which they are intending to enter. How is this acceptable to the traveller? And how is this a reasonable process for secure and data driven-decision making at the border?

12) Operationalising the vaccine

A vaccination will provide a cheaper, better way of securing the health of travellers and safeguarding the countries they visit. But precisely the same limitations will apply: operationalising the vaccine will require multiple silo-ed parties to evidence vaccination status, and ensure that this status can be trusted and provided in a way that is reliable, secure, and preferably — immutable. Operationally, it will also need to be deployable ahead of potential passengers arriving at the airport or border — if an individual with dubious results or no vaccine arrives on site, coughing and breathing on passers by, the system will have failed by design. Whether testing or vaccinations, we seem to be far from agreeing common standards, regulations and identity practices required for health status to be created in the first place — let alone common practices or secure standards for validating that status. The risk is we are building not just a house but a whole town on sand.

13) Why do I care?

I’ve made it my life’s work to solve trust + data security. In building Zamna’s persistent identity layer, I co-authored multiple patents on the topic. BC (Before COVID), we were validating over 100,000 passenger passports per day — for a single client. Passengers would self assert their data, and we would validate it against previously seen data from multiple (highly credible) sources — without ever touching or ingesting the data itself. All in a privacy by design, GDPR compliant way. A while back, IBM featured us in their white paper on Blockchain and GDPR. We won awards, and last month — a significant grant from Innovate UK for developing innovative technology to impact the UK economy. And yet, the powers don’t appear to care about the dangers of the current ‘anything goes’ ‘Fit to Fly’ testing system with manual processes and questionable practices across multiple parties.

Zamna currently solves exactly this problem for a range of clients beyond airlines — empowering them to connect siloed data sets in a hyper-secure way, with no rip and replace and no heart surgery. This allows good data to flow in the end-to-end systems, and good decisions to be made. Based on good data. Connected to trusted identity attributes.

Seeing the reality of ‘Fit To Fly’ and PCR testing today, I despair that even with a vaccine we evidently haven’t solved the inherent problem of proof and trust. Operationalising how an individual can self assert the validity of vaccination status, and how third parties can make decisions to trust such assertions, without highly sensitive personal data being pushed around multiple organisations in open form is a hard problem to solve…. but one which Zamna already have.

I feel a cold chill like the tower lookouts on the Titanic, ringing the panic bell too late. We are all headed for an iceberg. With millions about to restart travel and crossing borders, unless someone listens to what we have to say, we are headed for chaos.

Irra Ariella Khi is CEO at Zamna, a company pioneering identity management for the travel industry via award-winning & patented blockchain technology. She believes the industry will thrive post-pandemic if it can transform the way it interacts with people in their various guises as customers, travellers and passengers. Highly secure, easy to use identity management is critical to that effort. She’s a serial entrepreneur and has won several professional awards, including being named in Management Today’s 35 Women under 35 awards. Zamna is based in London.

Zamna is an award-winning VC-backed software company building GDPR compliant identity platforms for the aviation industry.
