Vaccination Passport example

Guide: Vaccination passports & their role in reopening live music

After a year of lockdowns, the live music business still faces as much uncertainty as it did in 2020. One of the solutions under consideration is the use of vaccination passports to make events exclusive to people who have received a vaccination. It’s a seemingly straightforward solution, but politically sensitive and technically complicated. Here’s the MUSIC x analysis, jointly written by Bas Grasmayer and Maarten Walraven.

[Disclaimer: Bas started the daily MUSIC x CORONA newsletter one year ago (now folded into MUSIC x), bringing on Maarten a little while later. Despite having studied Covid-19 and its impact on the music industry daily, we are not policy or public health experts. Furthermore, this is one of the most actively researched topics right now. New insights emerge regularly. Please consult local experts when planning & find the most up to date information.]

What are vaccination passports?

A ‘vaccination passport’ is a government-sanctioned form of evidence that the holder thereof has been vaccinated against Covid-19. The concept started appearing early in the pandemic, for example as part of an ‘immunity passport’ study by German researchers who wanted to find out how lockdown restrictions could be lifted for some people. 

Fast forward to today, plus a five hour flight away, and we find Israel as one of the first countries in the world to use a vaccination passport in order to ease restrictions. The country has already given over half of its population at least one vaccine dose. The plan, called the Green Pass, allows people to visit gyms, hotels, theatres, and concerts by showing a QR code. When scanned, it tells the business whether that person has been vaccinated recently. 

China has launched a similar scheme, which integrates with WeChat and is intended to make international travel possible. The EU will come with a similar proposal this month, dubbed a Digital Green Pass. Now, international governments are opening talks about mutual recognition of each others’ certificates in order to allow a return of unrestricted travel – or at least travel with less limitations.

Travel

This is where the topic of vaccination passports gets hairy. The World Health Organisation has cautioned against such certificates for international travel, due to the still limited global availability of vaccines. This leads to practical and ethical concerns, the latter stemming from the fact that existing inequalities get reinforced and amplified due to the unavailability of vaccines in large, mostly poorer, parts of the world.

This is not the only ethical concern.

Ethics

For a year now, we’ve all craved to ‘get back to normal’. Therefore there are justified concerns that certain vaccination passport schemes may get rushed. This would leave a number of ethical challenges unaddressed:

People who can’t or won’t get vaccinated. Leaving aside that not everyone might be able to get a jab as soon as they want it, there are people who, for health reasons like pregnancy, immunodeficiency, or allergies, can’t get vaccinated. In some places in the world, certain ethnic minorities are vaccine hesitant. That goes not just for developing countries, but even the UK. How is this dealt with? What aspects of public life are they excluded from? What accommodations are made for them? For how long? Can employers require proof of vaccination?

Privacy & security. Throughout the past year, a lot of expertise has been built up around this topic. One of our favourite examples of a privacy-friendly contact tracing app is closecontact, born out of Berlin’s club culture. Unfortunately, there are also examples of security fuck ups, like in The Netherlands where its national ‘municipal health service’ (GGD) had a data leak with millions of data points, which was then sold online (not by hackers, but by call center employees who could export everyone’s private data with a single click). In the same country, a provider of corona tests also had a data leak that exposed thousands of people. So the question is: how do these systems get designed in a way that respect privacy and don’t accidentally end up exposing sensitive information, like medical history, contacts, passport numbers, bank info or social security numbers?

Immunity

The next difficult question is how long immunity actually lasts and how different vaccination passport schemes account for that. The big question since the early days of the pandemic was: can you catch it twice? The answer to that is complicated.

While it is currently uncommon for people to catch Covid-19 twice, it is possible, as scientists in Hong Kong recently confirmed. A key word in the preceding sentence is currently, since it’s not yet known how long immunity lasts which is likely to differ from person to person. It is also unclear whether being protected by antibodies means you can’t harbour and transmit the virus to other people.

Oh, and there are open questions around the various mutations.

That’s all fine & dandy, but…

Yes. The upsides. 

We are so close to finally being able to work towards the recovery of so many sectors of our lives and societies. Patience is running thin, especially in countries where many people haven’t been able to count on any significant financial support from employers or governments.

Vaccine passports are happening. They’re already a thing in Israel and China, whereas the EU & many other countries will likely have their own schemes in place by summer. While we depend on our governments for guidance and support, it’s also up to all of us to take responsibility. Governments don’t always act in everyone’s best interest, e.g. in the case of Tanzania, where the government has been falsely claiming they’re Covid-19 free. 

So, don’t be a Villalobos and fly to Zanzibar for a plague rave. If you’re planning a tour in a country where venue wheelchair access isn’t government-mandated, do you just say “too bad” and exclude part of your fanbase? It’s a complicated topic and we don’t intend to put things in black/white terms: there is plenty of room for nuance and hard trade-offs. The point is: our responsibility doesn’t end where the law ends.

The return of live

So what’s next for live music? Are we heading into a period where live concerts and festivals start up with access restricted to those who can prove they have either been vaccinated or have a recent negative test result? It’s not a straightforward decision. In the UK, after the government announced its roadmap towards opening up society after 21 June, Reading & Leeds and Creamfields festivals sold 170k tickets in three days (whether this number includes those tickets punters kept from the previous year is not something we’ve been able to verify through their public statements). The optimism of the UK government’s roadmap isn’t shared across the European continent, let alone the rest of the world. Festivals such as Rock am Ring & Rock im Park in Germany have just been cancelled. Other organizations have moved their festivals to the fall (see: Bonnaroo, Slam Dunk, Aftershock) or are still postponed from 2020 for later this year, such as Wonderfruit. It’s all up in the air, it seems, which is one reason why organisers are keen on certainty and a Covid passport can provide it. 

Responsibility

A concert promoter, festival organiser and even artists themselves work with varying levels of insurances surrounding concerts, festivals, and tours in 2021. Whether any future cancellations are covered by insurance depends on many variables. In one landmark case in the US from last year where the venue The Raven & the Bow took their insurer to court, it seems that the parties worked out their differences outside of the courts. In other words, no precedent has been set there. In countries such as the Netherlands and Germany (but not yet the UK) governments have set up insurance schemes to secure organisations for their losses should they need to cancel because of variants or other unexpected pandemic-related changes. 

Similar to these insurance schemes, putting in place a Covid passport is something that governments will have to take the lead on. Søren Eskilde, of Danish festival Smukfest – due to take place early August – puts it as follows:

“The government has to provide a phased plan with certain criteria that must be met for us to hold a festival. For example, a dialogue about the possibilities of the quick test and what the corona pass will be able to do to get as safe and sound on its feet as possible.”

Similarly, Eric van Eerdenburg, director of Dutch festival Lowlands – scheduled for late August – firmly told NME [ed. note: emphasis ours]: 

“As long as there are restrictions then there will be a need for testing and maybe vaccination passports. It’s not something we’ll push upon the people, but if the government says we have to then we will. We won’t make it up ourselves because it’s a hell of a lot of work. It’s a government that should impose that upon the people.” 

Concert and festival organisers alike have made their day-job out of problem-solving, but they need clear guidance from their governments. If that guidance includes a vaccination passport, organisers will move forward and implement that solution to bring big crowds together. In other words, this means that responsibility for whether big and small music events can go ahead lies squarely with those same governments. Give a mouse a cookie… and they’ll put 50,000 people together in a field. 

Effectiveness, or what’s possible

Will a vaccination passport even be effective when it comes to visiting a concert or festival? Can you completely exclude Covid-19 from your event this summer with rapid testing and vaccination passports? Two questions that probably get two very different answers from the promoters of concerts and organisers of festivals versus the epidemiologists and public health experts. The reason for that lies with the risk involved. Is, to put it bluntly, a little bit of Covid at your event manageable, or a risk that should be completely avoided? There are festivals that aim to go ahead with rapid testing, like Albanian festival Unum which has its government’s blessing, even though there’s the issue of false negatives. Furthermore, talk of variants gets everyone’s hair to stand up on the back of their necks. Especially when it comes to the question of a vaccine’s effectiveness against them. It’s in the nature of a virus to mutate so it makes sense that vaccines will need upgrades in the future in the form of booster shots. But as Dr. Michael Head, Senior Research Fellow in Global Health at the University of Southampton, told NME: “we’d rather that didn’t happen this year and that we could have a bit of time to prepare for that kind of thing.” The message there is clear, do not rush anything this summer, or even this year. There are so many unknowns and to invite those to play havoc would be a bad idea. 

Where to draw the line then? It makes sense to think about a couple of things when it comes to events this summer and fall. 

  • Think local, both in terms of line-ups and in terms of visitors. The risks around international travel are greater than those on the national, or even better, regional levels. This also includes the rules around quarantines for artists travelling around, or sudden lockdowns and travel restrictions. 
  • Focus on scientifically backed trials that help set boundaries on how to operate a large event within a pandemic. Remember that trial in Germany and their advice:
    • No full capacity concerts
    • Only seated concerts
    • Increased number of entry points
    • Mask-wearing mandatory
    • Consume food and drinks while seated
    • Adequate ventilation systems (for indoor events)
    • Hygiene stewards to enforce rules
  • In light of the previous point, focus on a steady return to full capacity shows. It’s great to finally be able to put concerts and festivals back on, but they don’t necessarily need to be at full capacity immediately. Let’s wait until, for example, we move from a pandemic to an endemic situation. 
  • Think about hybrid events. Livestreaming is here to stay and offers both a different dynamic and a way to engage a broader geographical audience. One example is Montreux Jazz Festival who are still hoping for a live and in-person festival in July, but have also prepared for the music to stream live and reach people regardless. 

Considering the above three points, a vaccination passport would not make too much of a difference. Of course, if you take a strict policy that only vaccinated people can attend your event, that will exclude a bunch of non-vaccinated people (whether by choice or circumstance). It could be an option this summer, whether it’s one to take is another question. And as shown in the above quotes by festival organisers, the tendency in the industry will be to jump headfirst into problem-solving mode and to get your festival, or concert, up and running with as many visitors as possible. There is a responsibility at the government level to set expectations that are realistic and, preferably, will take into account various scenarios. 

Will an event’s target audience actually be vaccinated by the time planned events occur? Most vaccination schemes are prioritized by age group, so might classical music, the audience of which tends to skew older, be one of the first genres to return to normal? To what degree will we be able to count on international and especially intercontinental travel?

Even with vaccination passports, 2021 is shaping up to be a year with much uncertainty and pioneering.

Photo by Lukas on Unsplash.

Is killing privacy the best we can do against secondary ticketing?

In its push to become a data-driven business, event organisers smell opportunity by connecting ticketing to real identities.

It’s estimated that the market for secondary ticketing is worth $1bn in the UK alone. It’s a problem for fans and artists, since tickets are often bought in bulk by resellers and sold at a much higher rate to fans. None of that added margin goes to the artists (although there are some allegations…).

Recently, Iron Maiden opted to go ‘paperless’ for their UK arena tour in order to curb ticket touting. With success:

“In 2010, 6,294 tickets appeared overnight on three of the major resale platforms — Viagogo, Seatwave and Get Me In! — on the day of sale. In 2016 this had dropped to 207, all on Viagogo, as Live Nation/Ticketmaster had agreed delist the tour at Iron Maiden’s request.”

The tour didn’t go fully paperless, and paper tickets were available, but came with strict requirements towards the fans:

  1. Tickets must carry the name of the purchaser;
  2. Ticketholder must present ID and credit card at the door.

While effective, this is worrying and certainly not a “victory for concertgoers” as Iron Maiden manager Rob Smallwood called it.

It’s not just ticketing: privacy is under attack from all fronts. Many events have decided to go ‘cashless’, requiring people to top up chips in special event wristbands. This way, you know exactly who is ordering what, where, how much, and at what time of the night. If you’re a large organisation like Live Nation, you can build up an extensive profile of users over time.

Valuable data, which may help secure sponsors for alcoholic beverages and helps you to target fans with specific offers, but that data comes with a great responsibility.

Privacy in the age of artificial intelligence

The first multi-day conference and festival I attended that was nearly completely cashless was Eurosonic Noorderslag, earlier this year. It’s a music business conference and showcase event, and has lots of bands playing every night in nearly every bar and club in its host city, Groningen, in The Netherlands. It presented cashless payments as a convenience (ie. to reduce queues at bars).

I immediately researched ways to opt-out and found no good way. It was possible to ‘anonimize’ your chip, but you still have to charge it with your bank card, which ties your identity to it through the transaction records. I had good reason to opt-out and so do you.

On its own, “Bas entered venue X at 21:03 and drank a beer at bar Y at 21:24” seems like useless information. And it probably is. I’m not from a country or culture that frowns upon alcohol, so I’m unlikely to be blackmailed with such a bit of information. However, it is possible for someone to claim they met me there and try to pull some sort of scam. Or worse, for someone to claim they are me by using anecdotal evidence based on these random bits of data, and then scamming someone else.

Criminals are moving from the higher risk ‘traditional crime’ into ‘cybercrime’ which is perceived as lower risk.

More than how someone might use a specific data point, what we should really be worried about is larger data leaks. There are parties that try to collect all information from big leaks. Some use it for good, like Have I Been Pwned, where you can search your email address to see if your login info of any site has leaked. But some people store it for more malicious purposes.

Over time, patterns can emerge in these data sets. These become easier to identify through machine learning algorithms, which can go through large datasets faster than a person could, and can get better over time at making sense of data. Many great ones are open source, like Google’s TensorFlow.

Now, your attendance of live events and what exactly you do there can be tied to your hacked LinkedIn or Dropbox account. Whoever holds that data has power over you.

Artificial intelligence could be trained to send hypertargeted scam emails, which use all the data available about you to trick you. This could result in ransomware being installed on your computer, which often means your hard drive is encrypted and locked and the key to decrypt your data is only turned over after paying a certain fee (usually done through Bitcoin, which makes it harder to track the perpetrators).

This could happen to your phone, but also to your car, or any other devices which are likely to be connected to the internet in a few years from now.

The important take-away is that the more data someone has about you, the wider their ‘attack vector’ becomes. This means they have more paths to target you. Any data point on its own usually doesn’t have much value, but it’s when large amounts of data get combined that value emerges. Facebook, a data company, has a market cap of nearly $400bn.

Privacy is security

Privacy in music should not be an afterthought

We have learned a lot from events. We’ve learned not to use biker gangs for security. We’ve learned to have first aid staff at festivals that are trained to dealing with the effects of alcohol poisoning and mishaps with drugs. We have come a long way to providing experiences that are exciting and safe at the same time.

Now it’s time to worry about our guests’ safety before they arrive, and after they leave our events. Let me be clear:

  • If you request your guests to sacrifice their privacy for ‘convenience’, and you get hacked, leading to people getting blackmailed or scammed, it is YOUR responsibility;
  • If you request this data from guests, make it clear and easy for them to find out how you’re storing the data, what you’re using it for, and when it will be deleted. Don’t just refer to some boilerplate privacy policy full of legalese;
  • When things go wrong, be honest about it and communicate it immediately, so people can take security measures;
  • Never store data about people for longer than you need it. Not storing data is the best way to prevent it from being leaked.

(small sidenote: if anyone ever sent you a picture or scan of their passport, go delete that file and email now)

What can you do as a fan?

Do whatever best protects your privacy. If it feels like you’re being a pain in the ass by requesting an anonimized wristband, great. You should be a pain in the ass. Pain is a great motivator for change. So by all means, request information about how your data is stored and protected, how long it’s stored, for what purpose, etc.

Perhaps the hardest part is willing to skip concerts that don’t have privacy-friendly options. As a consumer we should understand that solving ticket touting by sacrificing guests’ privacy is not a solution. It just shifts the issue and places an additional cost on the consumer on top of the ticket price.

Event organisers need to find a way to mitigate or at the very least minimize that additional cost. This means ticketing organisations have to take measures to invest in technology which helps protect and secure guests’ privacy. But they need to feel pressure, or pain, in order to that.

Data, for ticketing companies, is the same as it is for malicious hackers: the more data you can get on a person, the more valuable it becomes.

5 Big Ideas for the UK Association of Independent Music

The Association of Independent Music (AIM) recently put out a call for ‘big ideas’ to be discussed at their Annual General Meeting.

“The goal is to produce and publish by the end of this year a manifesto which sets out 10 big ideas to help the indie sector to thrive in the coming years.”

I’m not a member, but not shy to give a bit of unsolicited advice.

Here are my 5 big ideas:

Streaming exclusives

The indie sector needs to widely speak out against streaming exclusives. After years of hard work, we’re now sending music fans back to pirate services. Let’s keep working on sustainability, instead of sacrificing it for short-term gains.

  • Streaming exclusives may be making the music piracy problem even worse >>>
  • Why streaming exclusives are bad for the music business >>>
  • Spotify: Streaming exclusives are bad for artists and fans >>>
  • Why exclusives are terrible for fans, artists, and the streaming music business >>>

Startup license

Establish a framework which allows startups to quickly and flexibly license music from indie labels for a set duration. The prospect of spending years in licensing negotiations stops entrepreneurs and investors from supporting innovation the independent music sector desperately needs. Let’s remove the necessity to negotiate for the most common use cases.

  • The case for a startup license: why startup founders choose to ignore music copyright law >>>

Focus on dance

The Netherlands is stealing the UK’s spotlight as the centre of global dance music with events like Amsterdam Dance Event, major DJs, and a huge global dance event business. The UK has a rich history of dance music and is home to some of the best artist, clubs, and labels in the world. It needs an action plan to assert itself. With Sadiq Khan as London’s Mayor, there has never been a better time.

  • London Mayor Sadiq Khan is looking for the UK’s first night czar >>>

Refugees

Develop an initiative to help artists and aspiring musicians among the refugees arriving to the UK. They bring a unique cultural and musical perspective, which could blend into the UK’s rich multi-cultural musical tradition. They need material assistance in the form of access to equipment and instruments, as well as contacts in local radio stations, venues, etc. Besides the musical benefit, there is also the advantage of contributing to better assimilation of new arrivals.

New anti-piracy research

A research initiative looking into the return on investment of money spent on countering digital piracy. With countless anti-piracy companies popping up, it should help indie artists and labels determine whether their money’s best spent growing their fanbase and making more music. It’s important to know what anti-piracy methods pay off, and what’s just a way to use the threat of piracy to get musicians to pay up.

Foster my ideas

Since I’m not a member of AIM, I cannot officially submit these ideas. If you’re an AIM member and interested in fostering the streaming exclusives, dance music, or refugees idea, get in touch: bas@musicxtechxfuture.com