The return of pre-pandemic concerts, sporting events and travel appears to be nearing, but we may need a new accessory to participate.
So-called vaccine passports, or digital passes that prove the owner has been fully vaccinated from COVID-19, are gaining momentum as a safe way to stop the spread of the virus as state-wide stay-at-home measures begin to loosen.
The effort is still in its infancy, and is largely being driven by the private sector: The Biden administration will provide guidance and recommendations, but won’t institute a federal mandate, White House Press Secretary Jen Psaki said in a press briefing Monday. Meanwhile, private companies and nonprofits are quickly making progress: there are at least 17 initiatives already underway, including a Vaccination Credential Initiative (VCI) led by companies like Microsoft and Salesforce, and another helmed by the World Health Organization, according to a document from federal officials obtained by the Washington Post.
In the interim, there are lots of details that still need to be hammered out. Research is still emerging around vaccines, so scientists can only make educated guesses about how long they’ll protect against the virus and its emerging variants. Plus, health officials say, underserved populations have been receiving vaccines at a slower rate than affluent communities; requiring digital vaccination passports for entry to public and private spaces will only exacerbate these inequities.
One of the biggest issues being discussed is the potential threat these passports could pose on a user’s privacy. From privacy scandals at social media outlets like Facebook to data breaches at companies like Equifax and Yahoo, we’ve been inundated with headlines about the risk we take by handing over our personal information to companies. Should we be worried about vaccine passports, too?
What is a vaccine passport?
If you’ve ever scanned your phone to get the menu at a restaurant or into a concert venue, you’re probably familiar with those square, black and white QR codes that pop up. The companies creating health passes are using the same idea: a scanned code would pull up verification that you’ve been vaccinated. People without smartphones would be able to print out the QR code, just like a boarding pass or event ticket.
Right now, New York City is testing out a vaccine pass system at two popular arenas: The Barclays Center and Madison Square Garden. The city is using a system called Excelsior Pass, which can show if a guest has received a negative COVID-19 test or vaccine before entering a basketball game.
Some vaccine providers are also working to make those records available digitally — Walmart, for example, plans to use the standard developed under the VCI coalition for people vaccinated at Walmart and Sam’s Club locations.
A properly designed health pass with a QR code could prevent people from having to actually share any health records from their paper vaccination cards or via a digital copy of the card, says J.P. Pollak, a co-founder of The Commons Project, which is part of VCI. So while today, you can walk into a Krispy Kreme and get a free donut by showing a vaccination card, a pass on an app could just show that yes, you’ve been vaccinated or no, you haven’t.
“Do I really want Krispy Kreme to have my raw health information?” Pollak says. Probably not.
What are the privacy concerns?
The fact that the apps created to “hold” these digital passports will have access to information from vaccine providers or health agencies concerns security experts.
“Once private companies, instead of just the government, have a hold of your data, you don’t have a whole lot of management or restriction on how a company can use that data,” says Jeff Gary, policy director of Georgetown Law’s Institute for Technology Law & Policy.
Giving these companies direct access to medical records also raises questions about whether a third-party company will keep the data, says Gavin Reid, chief security officer at cybersecurity firm Recorded Future. Depending on that data that is captured, it could be a huge target for hackers.
The White House seems to be taking these concerns into consideration. At a press briefing in March, Jeff Zients, the head of Biden’s COVID-19 taskforce, said the administration’s main role in the development of these solutions is to ensure they protect people’s privacy, and are free and accessible.
The pass being used in New York, for one, has “robust privacy protections,” with user data kept confidential via encryption, according to a press release from the governor’s office.
Will people actually use these passports?
Many Americans don’t trust the government with their data, as evidenced by the abysmal adoption of contact tracing apps in some parts of the country. (And probably for good reason: It was just last year that the New York Times reported that the government buys location data from our smartphone apps.)
One way to ease concerns is to make apps open-source, Reid says. This would make all the code behind these passports readable, allowing coders and security experts to comb through the code and verify what the app does. (In the March press briefing, Zients said the White House will make sure the passes are indeed open-source.)
Still, Reid says the government should go a step further, and provide transparency around specific exact data is being collected, how it’s being used and who has access to it.
As of now, this isn’t a standard procedure in the app development world.
“Often in creating apps, application designers just give the apps full access to everything that’s on your phone because it’s easier than [designing] really compartmentalized access,” Reid says. “The devil’s in the details.”
Overall, experts say these passes could help safely re-open the country. But their success hangs on transparency, and whether people see the passports as just another app on their phone or a government tool designed to infiltrate their personal data.
So should I get a vaccine passport or not?
In all likelihood, vaccine passports will be a crucial step in the slow trudge towards normalcy.
When it comes to disease-mitigating behaviors, it’s always best to follow the latest advice from public health organizations like the Center for Disease Control (CDC), which has yet to issue guidance on these specific measures.
For now, it’s worth keeping some tried and true safety tips in mind.
Always be smart about the info you agree to share with new apps. Ask yourself if the information it coaxes out of you is truly necessary, or if the app will function just fine without it. (Does it really need to access your location, or banking info, in order to do its job?) In general, people should be wary of linking disparate data sources, Gary says. You don’t want your financial data linked with your travel information, for example, because if one is compromised so is the other.
It’s also important to keep your phone’s operating system up to date, as well as each individual app that’s on it. Manufacturers like Apple and Android will fix security-related bugs, but if your phone isn’t updating, it may not get those fixes. (You can enable automatic updates for both.)
Finally, don’t download a ton of apps willy nilly from all over the internet. Even better: learn how to spot fake ones by checking the name of the developer, reviews, description and the number of downloads it has.
“Limiting what you install in the phone in the first place is probably the best advice I could give you,” Reid says.