A new report is warning that apps to track the coronavirus vaccination status of Americans are ineffective, amplify existing inequalities and pose thorny privacy issues.
“As the [Centers for Disease Control and Prevention (CDC)] guidance evolves and we start to see increasingly different recommendations for those of us who are and aren’t vaccinated it puts greater pressure on the public, businesses and governments to figure out who has got a shot,” said Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project (STOP), which released the report. “It’s kind of alarming that so much faith is being put in such an unproven technology.”
With vaccination rates steadily climbing and businesses reopening their doors, some governments and companies have proposed digital credentials to make sure only inoculated Americans can enter. While documentation for international travel — like the World Health Organization’s “Yellow Card” — is commonplace, some of the methods in development domestically have alarmed the public and experts alike.
The watchdog’s report released Wednesday focuses on New York state’s Excelsior pass, the country’s first government issued vaccine passport. The tool, which can be downloaded on either phones or computers, generates a QR code that businesses and venues can scan to verify proof of vaccination or a negative test.
The Excelsior Pass, developed by IBM and Salesforce, has been downloaded over a million times since the voluntary program was launched in March.
The nonprofit’s report cautions that the passes can easily be forged, greatly diminishing their effectiveness. Cahn said he downloaded another New Yorker’s pass using only information available on social media in just 11 minutes.
Projects like the Vaccine Credential Initiative spearheaded by Microsoft and the Mayo Clinic and Walmart’s vaccine app developed in collaboration with Clear will likely have similar vulnerabilities, Cahn predicts.
“This is something that we’ve seen time and again in American online credentials — it’s very difficult to have a system that is accessible to everyone and is still robust against fraud,” he told The Hill.
A spokesperson for New York Gov. Andrew Cuomo’s (D) office stressed that the state’s Excelsior program is voluntary and that businesses and venues must also accept printed proof of vaccinations.
“The entire system was created with privacy and security in mind, however, those who post personal information online such as their CDC card, risk having someone use their information to create a false record, which is why every Excelsior Pass has to be cross-referenced with photo ID when you enter a venue,” they added in a statement.
A spokesperson for Walmart told The Hill that the company’s “goal is simply to give people digital access to their health record, so they are empowered to use it how and when they want.”
The Vaccine Credential Initiative did not immediately respond to a request for comment on the report’s findings.
Digital vaccine credentials also risk exacerbating existing inequalities, the STOP report argues.
Vaccination rates for Black and Hispanic people across the country continue to lag behind national averages. And working-class Americans more broadly face a litany of challenges — transportation, child care requirements, inability to take time off — to getting the shot.
“If vaccine passport requirements are implemented, individuals who struggle to get the vaccine may lose their job or find themselves barred from stores, transit, and public life,” the report reads.
The roughly 15 percent of Americans who don’t have a smartphone may be unable to use the apps even if they are vaccinated.
Domestic vaccine passports could also infringe on Americans’ privacy. Developers have publicly claimed to limit location data collection and retention, but independent researchers have struggled to verify those commitments.
If Americans are required to provide vaccine certificates to be scanned at entrances to stores, schools or transportation, that could create movement logs that could be misused by law enforcement or immigration authorities.
“Currently, there is no legal protection against police subpoenaing or requesting voluntary production of vaccine app data, a tactic used with many other smartphone apps,” the report argues. “The difference is that users are not required to install other apps as a condition of accessing public life.”
STOP’s report is careful not to condemn all efforts to track vaccination status and does not criticize the use of paper records and school registries, both of which have come under fire from conservative lawmakers.
Republican governors Greg Abbott (Texas), Ron DeSantis (Fla.), Brian Kemp (Ga.) and Kay Ivey (Ala.) have all issued executive orders barring public institutions from requiring proof of vaccination.
States will likely continue to lead in this space as the White House earlier this year ruled out the Biden administration playing a role in a vaccine passport system.
–Updated at 12:25 p.m.