Vaccine Passports Are Destined to Fail

PCMag · Published in PC Magazine · 6 min read · Apr 6, 2021
Photo via Gov. Andrew Cuomo/New York State

Contact tracing apps didn’t protect us from COVID-19, and vaccine passports don’t look much more promising.

By Max Eddy

About a week ago, after sitting on the floor of a Walgreens for three hours, I was finally injected with a tiny amount of Pfizer’s COVID-19 vaccine. It was a triumph for me to have remained healthy to this point, and a much larger triumph of medical science to have created, tested, and distributed vaccines for a completely new disease in such a short time. This is in stark contrast to the tech sector, which failed the world once with contact tracing apps and seems poised to fail us once again with vaccine passports.

An App to Keep Us Safe?

You could be forgiven for having forgotten about contact tracing apps. The idea was that our phones would silently keep tabs on every other person (with a phone) who came close enough to spread COVID-19. If one of those people tested positive for the virus, they could tell the app, which would alert all the potentially exposed people. Apple and Google famously joined forces to create a framework that, using clever encryption and Bluetooth sorcery, managed to deliver the experience while apparently protecting individuals’ privacy.

It looked good on paper, but there were oodles of problems. Beyond a general lack of national leadership support, the whole scheme hinged on people having access to expensive smartphones and using them correctly. But there was also the issue of privacy: Is it safe to use an application (ostensibly connected to state governments) that constantly tries to communicate with nearby devices?

Bewilderment and skepticism reigned. There wasn’t a consensus on whether the apps were safe, probably because there was no single solution to analyze and because the efforts to deploy the apps were half-hearted at best. There was also the concern that police or immigration agencies could somehow use the tracking data. These issues hung over every discussion, especially as the summer of 2020 birthed the largest protest movement in recent American history.

In fairness, Apple and Google’s solution appeared to put privacy first and did a good job of insulating individuals from any sort of data collection by the contact-tracing apps. That said, the nagging thought that someone else could monitor these apps communicating with each other never sat well with me. Still, it would have been an easy call to endorse apps that, even if imperfect, would have prevented more people from dying. But even the efficacy of this patchwork effort was in question. The upshot was that these apps failed to catch on.

While we still haven’t solved contact tracing, we have a new problem: how to quickly and easily confirm that someone has tested negative for COVID-19 or has received a full vaccination. One could argue that such a system is necessary only when opening an economy too early and too fast to prevent yet another surge in preventable deaths, but I digress. The solution being pushed to the forefront is vaccine passports.

Like a Boarding Pass, but for Staying Alive

You may not be familiar with the idea of a vaccine passport, but you likely will be soon. Bloomberg reports that many travel companies are investing in technology that will verify if you are low-risk enough to enter certain spaces or, say, board an airplane. The US and the EU are also pushing for similar technology. Last week, New York State unveiled the Excelsior Pass, the first vaccine passport in the nation, which it developed with IBM.

In everything you read, vaccine passports are compared with digital airline-boarding passes. You sign up online and a central, state-run authority will generate a pass that says you’ve been vaccinated or were recently issued a negative COVID test. This lives on your phone (like digital boarding passes) inside of a custom app.

In the case of New York State, you can receive a pass 14 days after your final COVID-19 vaccination, if you passed a COVID test in the last three days, or if you’ve received a negative antigen test in the last six hours. None of those apply to me (yet), so I wasn’t able to try it out. From the photos I’ve seen, the pass contains a scannable QR code, the name of the passholder, and their date of birth. Businesses and venues can use a separate app to scan the QR code to verify it and could potentially request to see ID to verify that you are authorized to carry the pass.

That sounds simple enough, and perhaps—dare I say it—sensible. Excelsior even supports a low-tech printable pass, which solves the problem of requiring a smartphone. But the privacy concerns that dogged contact tracing apps have not been resolved here. The privacy policy of the Excelsior app is sketchy and ominously notes that it is under no obligation to be HIPAA-compliant. Even worse, the press release announcing the effort says the Excelsior Pass will be built on (shudder) “blockchain technology.” Why? I have no idea. Something to do with NFTs? Who knows?

A printed pass and a digital pass (Photo via Gov. Andrew Cuomo/New York State)

Privacy watchdogs have been critical of New York and IBM’s efforts. Albert Fox Cahn of the Surveillance Technology Oversight Project told Gothamist, “it’s really just high-tech hydroxychloroquine,” a reference to a dubious-at-best debunked treatment for COVID-19. The Intercept separately quoted cryptologists Matthew Green and Bruce Schneier questioning the utility of blockchain in this context. In my experience, blockchain has become the poster child for overpromising and underdelivering.

Privacy Builds Trust

It doesn’t have to be this way, again. There’s plenty of time for the federal government to step in and require a single system that can be vetted by experts and usefully critiqued by everyone else. The companies that help develop these apps and create the platforms on which they run can push for the best privacy protections. It doesn’t even need to be perfect, but it can be clear about how it works and what risks it presents, and it can be the same for everyone. And it really doesn’t need blockchain.

If we’re really going to use vaccine passports, these apps and services must protect an individual’s privacy so people can use them without a second thought. People are rightly skeptical about law enforcement and government intrusions into privacy, and increasingly, they have the same skepticism about big tech.

Even if these apps aren’t legally required to be HIPAA-compliant, they should offer privacy assurances that go beyond that baseline standard, because their adoption hinges on people being able to trust them. The privacy policies that support them should be clear and understandable (Excelsior’s is not) and focus on protecting individuals rather than complying with the letter of the law or covering the asses of contractors and the state. Law enforcement, ICE, and US intelligence agencies should also explicitly and publicly exempt data from these services from investigation and interception. It should be sacrosanct, like US census data, because it is for a higher purpose.

Contact-tracing apps failed for many reasons, but the inability to point to them and say they were safe to use was one. Smartphones couldn’t protect us from the coronavirus, and perhaps that was too much to ask of Big Tech, but vaccine passports don’t need to share that fate. They might not be our ticket out of this misery, but they should, at the very least, aim to do no harm.

Originally published at https://www.pcmag.com.
