A few states are going it alone with proof-of-vaccine systems.
As States Roll Out Digital Vaccine ‘Passports,’ Privacy Concerns Persist
As some states introduce digital “passports” to allow restaurants and other businesses to vet patrons based on their COVID-19 vaccination status, concerns have mounted over whether the personal data stored by the apps is secure.
New York this month became the first major U.S. city to mandate proof of COVID-19 vaccination for indoor dining, gyms and theaters. The announcement came shortly after a federal judge in Florida blocked a law banning cruise ships from requiring proof of vaccination, after cruise liners argued their business was not viable without it.
California on Wednesday became the first state to require proof of vaccination, or a negative COVID test, for any indoor event with more than 1,000 people.
While the rollout of digital vaccine records — whether by state governments or private companies — the measures are raising major concerns about privacy protections.
“Given the difficulty of creating a digital vaccine passport, we could see a rush to impose a COVID credential system built on an architecture that is not good for transparency, privacy, or user control,” Jay Stanley, a senior policy analyst for the American Civil Liberties Union, wrote in an article titled “There’s a Lot That Can Go Wrong With ‘Vaccine Passports.”
“That could lock us into a bad standard as other parties that need to issue credentials piggyback upon it to offer everything from age verification to health records to hunting licenses to shopping accounts, memberships, and website logins.”
New York, California, Oregon and Hawaii, so far, are the only states that have rolled out some form of digital vaccine passport app. All have Democratic governors. Twenty other states, all with Republican governors, have moved to ban proof-of-vaccination records.
Some analysts told Zenger it is possible to create digital vaccine records — if implemented correctly — that protect user data and make available only encrypted information about whether the person has been vaccinated.
“To be effective, digital vaccine passports must provide privacy for users, and data security,” Stephen Davidson, senior manager of governance, risk and compliance at DigiCert, a digital security company, told Zenger. “The best-designed vaccine passports contain only minimum personal information to identify the holder, and only communicate to validate the PKI-based signature rather than transmit the details of the passport.”
Davidson said PKI (Public Key Infrastructure) technology creates an encrypted digital certificate for a user that communicates only whether a person is vaccinated, and from which health authority.
“[It] makes the contents tamperproof,” Davidson said.
California rolled out the model for its digital vaccine record system in June. The system, which is not mandated by the state, creates a QR code that functions as a digital copy of the official vaccination cards issued by the Centers for Disease Control and Prevention.
“This particular digital vaccine record is really for the purpose of empowering individuals to access the official copy of their own immunization records,” Amy Tong, director of the California Department of Technology, said at a June press conference unveiling the system.
The digital certificate is verified against the state’s Immunization Registry, known as CAIR. It stores residents’ entire vaccine history. The QR-code verification is “specifically based on the CAIR system,” Tong said, adding that the system already allows individuals to request copies of their COVID-19 or general vaccine records.
California created the system in partnership with the Vaccination Credential Initiative, a coalition of public and private groups working on a volunteer basis to create vaccine verification systems, and uses their Smart Health Card Framework.
The framework promises that only an individual user is able to share his or her data.
“Any reader that complies with the Smart Health Card Framework is allowed to see the information on the card but is prevented from storing that information,” Rick Klau, chief technology innovation officer at the California Department of Technology, said in June.
California’s system is not compulsory, and has so far escaped the same scrutiny as New York’s, which has been mandated. The “Key to NYC” system requires paper or digital vaccination records for all indoor dining, theaters and gyms.
Unlike California’s system, New York City’s self-developed NYC COVID Safe app relies on users uploading a photo of their vaccine record and does not verify the information against a registry. Some users have noted the app can be fooled with images of restaurant menus in place of vaccine records.
A New York State app, the Excelsior Pass, does verify vaccine status against the state registry. It creates a QR code that confirms only vaccination status. It stores or displays information about the vaccine, such as the manufacturer or dose dates. It is only available for people vaccinated in-state.
There are other issues in play besides user privacy, however.
“Any of these systems will say the same thing: that their system is unhackable,” said Chris Wong, CEO of LifeSite Wellness, a company that helps labs securely share COVID-19 test results. “But you can’t confirm that the data going in is correct.”
While it may be impossible to fully eradicate the risk of personal information leaking, Wong said his business customers are more concerned about whether the records themselves are trustworthy. He said many of his clients have found it safer and easier to create their own digital “passports” for returning workers by using human resource files.
“Vaccination requirements are currently being issued at the state level, but an official government credentialing program does not exist,” Wong said. “The burden falls to businesses and municipalities to determine how to handle validation and verification.”
Wong says the system is imperfect. He favors a nationwide framework.
“The government, for political reasons, can’t create a central system, but if it could, it would work — that’s a driver’s license,” Wong said.
Edited by Alex Willemyns and Judith Isacoff