IE 11 is not supported. For an optimal experience visit our site on another browser.

Privacy and efficacy concerns remain for New York's vaccine passport apps

“People are going with something that is completely unproven and potentially harmful,” said one privacy expert.
The new \"Excelsior Pass\" app, a digital pass that people can download to show proof of vaccination or a negative Covid-19 test.
The new "Excelsior Pass" app, a digital pass that people can download to show proof of vaccination or a negative Covid-19 test.NY Governor's Press Office

As New York becomes the first major U.S. city to mandate proof of vaccination against Covid-19 for indoor activities, like going to restaurants and theaters, technology experts are raising concerns that the apps have accuracy and privacy problems, to the point that they are advising New Yorkers to revert to using their original paper vaccine cards.

Some New York legislators have even gone so far as to propose a bill that would mandate that such “immunity passports … only collect the minimal amount of information required to verify an individual’s vaccine or test status” and that “they delete this information within 24 hours.” It would codify into state law that paper cards would be accepted.

“People are going with something that is completely unproven and potentially harmful,” said Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project, a nonprofit privacy advocacy organization, who relies on his paper card.

Cahn demonstrated this week that the city’s smartphone app, known as NYC Covid Safe, will accept literally any picture as proof of having had a vaccine shot by showing that it accepted a photograph of Mickey Mouse as a vaccination card. (NBC News replicated the test, uploading a menu of a San Francisco barbecue restaurant, which was accepted as proof of a vaccination.)

“The city built their own new app. But instead of doing anything to verify [a vaccination] and store it in the app, basically they reinvented the camera app,” he said.

Laura Feyer, a spokesperson for New York Mayor Bill de Blasio, said the city’s new app is not meant to verify status but rather is simply a place to save a digital image of one’s vaccination record.

“The vaccine is the Key to NYC,” she said by email, using the official name for the city’s vaccination mandate. “The NYC COVID Safe App was designed with privacy at the top of mind, and allows someone to digitally store their CDC card and identification. Someone checking vaccination cards at the door to a restaurant or venue would see that those examples are not proper vaccine cards and act accordingly.”

National problem

The challenges New Yorkers face with their apps are starting to play out in other cities, as well. New York state’s app, known as Excelsior Pass, states that it will provide “secure, digital proof of COVID-19 vaccination or negative test results.” The app, which interfaces with state records, generates a digital QR code that demonstrates vaccination status. The San Francisco Chronicle reported Tuesday that San Francisco is “exploring” a similar measure to show proof of vaccination. The next day, Nury Martinez, a Los Angeles City Council member, introduced a motion that would follow suit.

In June, California rolled out a similar online system in which Californians can access the state’s vaccination records, which will generate a QR code. But like New York’s app, the California version is state-specific, meaning it is available only to people vaccinated in state and accepted only by in-state venues. The paper card from the Centers for Disease Control and Prevention, meanwhile, is accepted universally. Other commercially made vaccination apps exist, including V-Health Passport and CLEAR’s Health Pass.

“This whole ecosystem is a house of cards, built ultimately on top of the CDC paper card, which we know is difficult to verify and easily forged,” Ashkan Soltani, an independent privacy researcher based in Oakland, California, who formerly was chief technologist at the Federal Trade Commission, said by email.

“The reliability of these systems hinge on the accuracy of the underlying data — and given the speed, distributed nature, and politicization of how COVID vaccinations have been deployed — that underlying data is often unreliable or incomplete.”

Broader concerns

One of the major problems with the two New York apps is access. About 16 percent of U.S. households do not have smartphones, a lack of connectivity that Cahn said “disproportionately affects low income and BIPOC communities.”

Privacy advocates also fear that with time, law enforcement agencies could use the apps to track people. Allie Bohm, a privacy lawyer with the New York Civil Liberties Union, raised concerns that a vaccination app could be expanded to include other personal information over time, somewhat similar to how driver’s licenses have become the de facto identification document nationwide.

“We set up these systems in response to one emergency, and if we’re not deliberate, they become facts of life,” Bohm said.

The New York State Office of Information Technology Services declined to respond to specific questions about the Excelsior Pass. Scott Reif, a spokesperson, wrote: “Excelsior Pass provides a free, fast and secure way to present digital proof of an individual’s COVID-19 vaccination or negative test result – allowing us to safely reopen and get back to normal as quickly as possible.”

New York state has spent $2.5 million of federal funds on the app, which is a rebranded version of IBM’s Digital Health Pass, a commercial product for vaccination records.

IBM forwarded requests for comment to the office of New York Gov. Andrew Cuomo.“Excelsior Pass is currently available in more than 10 languages,” Jason Gough, the governor’s spokesperson for economic development, said by email. “In short, it’s easier and more secure to use and you don’t have to worry about losing it as you could a paper card.”

Eric Piscini, the vice president of emerging business networks at IBM, told The New York Times in June that the company was discussing how to possibly expand the product’s use to people from out of state.

An announcer says in a promotional video on IBM’s website, “Because the solution is built on IBM blockchain technology, COVID 19 health data is not aggregated by IBM, nor stored in a central database.” However, the company has yet to explain in detail how any blockchain, the digital ledger at the core of Bitcoin and other digital cryptocurrencies, among other applications, is involved.

The Excelsior Pass also could have problems with fraud. Cahn showed two months ago how easy it was to fraudulently gain access to another person’s vaccination records with that person’s name and a few Google searches, conceivably enabling him to get into a vaccination-only venue under false pretenses.

“If I could forge the city pass in 10 seconds and I could forge the state one in 11 minutes, just how much protection are we getting?” he said.

Privacy tradeoffs

In the end, other privacy experts say, most people will gladly trade some amount of privacy for the chance to dine out, work out at gyms or attend sporting events.

“People are going to do whatever is the most convenient and has the least friction,” said Lorrie Cranor, a professor of security and privacy technology and the director of Carnegie Mellon CyLab Security and Privacy Institute. She also previously was the chief technologist at the FTC. Cranor keeps a digital picture of her paper card on her phone, but she has rarely been asked to show anyone other than her university that she has been vaccinated.

“If everybody is fine with just the picture of our paper card, then why would we do anything else?” she said.

Jill Bronfman, privacy counsel at Common Sense, an advocacy group in San Francisco, said some form of nationwide digital vaccination standard — in addition to the paper CDC card — is likely to take shape. But privacy concerns are unlikely to outweigh what may soon become a necessity to engage in modern urban life.

“Yes, I’m worried” about potential privacy abuses, she said. “But if it’s balanced against a life-or-death situation, I think we don’t count privacy as strongly in this situation. If we can save some lives by encouraging people to be vaccinated before they go into a theater or work or whatever, I think we may be sacrificing a little bit of privacy for this. I think that’s just what’s going to happen.”