We’re not getting a national vaccine passport. Here’s why it never stood a chance
Political arguments about vaccine passports have been raging for months: whether we need them, if they could be built equitably, and if they are ultimately an infringement on Americans’ rights to keep their health information private. But while other countries experiment with rolling out digital vaccination credentials, the U.S. national effort was doomed before it ever began.
Security experts had hoped that the government would develop a national system for credentialing vaccine recipients. A national vaccine passport would create a single standard that could be used everywhere and would be potentially difficult to fake. But on Tuesday, the White House announced the federal government would not be “supporting” a vaccine credential system. Part of what that means is that there will be no centralized database where all vaccination records live—a crucial feature of vaccine verification systems in other countries like Israel and Estonia.
“Unless there was a major change in how health data is viewed from a public and government perspective, it wouldn’t even be possible to create the database,” says JP Pollak, cofounder and chief architect of the Commons Project, which has developed a globally available mobile app for storing COVID-19 testing results. “States have the mandate for maintaining vaccination registries and states are required to report things like how many people have been vaccinated for COVID-19, but they actually are not permitted to transmit the personal information of people back to the CDC [Centers for Disease Control and Prevention].”
.@PressSec Jen Psaki on possibility of the federal government supporting vaccine passports: “The government is not now, nor will we be supporting a system that requires Americans to carry a credential.”
Full video here: https://t.co/TLFF718hVo pic.twitter.com/jJP0Ph95jH
— CSPAN (@cspan) April 6, 2021
Since states are charged with maintaining vaccine registries, some, like New York, are creating their own credentialing systems. The state, in collaboration with IBM, has developed an app called Excelsior that gives residents their vaccination credentials with a QR code. Ideally, users would be able to swipe this quick response code at venues to prove they’ve been vaccinated. How useful this application will be depends on how it’s accepted outside of New York.
But there are a host of problems with vaccination credentials. Because U.S. states have focused on getting shots in arms as a way to beat back COVID-19 and its impacts on the economy and our mental health, the process of documenting those shots has not been standardized or designed with security in mind. That has opened up a huge opportunity for people to fake their own credentials.
While pharmacies and health systems may do a good job of properly identifying and vetting who they are vaccinating, largely so they can get insurance reimbursements, massive state vaccination sites may not. In Texas, residents and out-of-towners alike can drive up to mass vaccination sites, receive a shot, and walk away with a white piece of paper confirming their new protected status. Texas officials admit there aren’t major requirements for proving identity or even residency. “We’re not asking for a lot of documentation,” Katherine Wells, city of Lubbock public health administrator, said explicitly.
Such protocols are not unique to Texas. Other mass vaccination sites around the country are similarly focused on distributing vaccines over developing a verifiable list of who has been vaccinated. For most people in the U.S., that little white paper, which is easily forgeable, will become the default proof of vaccination.
There are problems with digital proofs too. As Washington Post writer Geoffrey Fowler notes in his review of New York’s Excelsior vaccine passport, it is easy to steal someone else’s credential simply using publicly available information, including tweets. “It’s definitely one of the open concerns about the whole system,” the Commons Project’s Pollak says. “With those kinds of limitations there’s only so much that we’re going to be able to do. . . . For those and other reasons, the use of these kinds of credentials or this information to get you into venues and on flights really needs to be viewed as a public health effort rather than a complete safety effort.”
We will still have passports
If vaccine passports are not required nationally and can so easily be faked, why have them at all?
Several states—Idaho, Florida, Texas, Nebraska, Georgia, Missouri, and Tennessee—have already taken steps to ban vaccine passports over concerns about individual privacy. “I have serious concerns that implementing COVID-19 vaccine passports will violate Idahoans’ medical privacy rights, prejudice those unable to receive the vaccine, slow our economic recovery, cause division among our populace, and, ultimately, be counterproductive to the widespread administration of the COVID-19 vaccines among Idahoans,” Idaho Governor Brad Little said Wednesday.
For different reasons, the World Health Organization has also pushed back against vaccination passports over fears of inequity, especially for regions of the world that have not been able to access the new vaccine. There is a separate concern that digital vaccine passports leave out those who don’t have a smartphone. Therefore, it is likely that the best proof of vaccination that most people will have is their shot card.
Even though the U.S. hasn’t managed to create a government-led, centralized system of vaccination proof, there is still a tsunami of vaccine passport apps coming, and those apps may be important to the future of our health information.
The vaccine credential initiative (VCI), which the Commons Project is participating in, aims to at least create a common, hard-to-fake digital standard for apps to use, removing some of the security concerns. Its digital vaccination credential should debut in May. A group of technology companies, healthcare providers, and electronic health record companies, including Epic, Cerner, Salesforce, Microsoft, and Walmart have agreed to use VCI’s common framework.
With such big players adopting the VCI, there is some pressure for digital passports to use the standard. The more buy-in there is across apps, the less opportunity there is for fraud. And while some people may be resistant to getting a vaccine credential, certain new realities may coax them into signing up for one of the many apps. Travelers going to other states or foreign countries may want to have proof they were vaccinated and tested for COVID-19 to avoid quarantining requirements. While vaccine passports may not prove beyond a shadow of a doubt that any one person has actually been vaccinated, they will still put a lot of people at ease about reemerging into the world.
“Personally, I’ve had one shot and I am eager to show anyone, tell anyone, that I’ve had this one shot to show that not only am I safe, but that you are safe in my company,” says Laura Hoffner, chief of staff at Concentric Advisors, a security consultancy firm. “I think on a broader scale companies, restaurants, airlines [are] all going to want a similar sentiment.”
For now, in the U.S. vaccine passports may provide more peace of mind than actually proving that someone has been vaccinated. But the real power of these passports may be yet to come. Apps are striving to become private repositories for validated health data—whether that’s tests, COVID-19 vaccines, or other important information about your health. The ultimate goal of many passport makers is to put health data in the hands of patients so that it’s easily accessible.
“There is a future where everybody has a fully verified digital ID that lives with them on their phone, and when you go and sign up for your vaccine appointment, you use that digital ID. And when you go show up and you get vaccinated you do a little [token-based] transfer like you’re paying at Whole Foods. . . . Then it’s completely bound to you,” Pollak says. “That is a future we will get to but we’re nowhere near that reality today.”
(33)