Vaccine mandates are becoming increasingly urgent from public health officials and various governments. As they roll out, we must protect users of vaccine passports and those who do not want to use—or cannot use—a digitally scannable means to prove vaccination. We cannot let the tools used to fight for public health be subverted into systems to perpetuate inequity or as cover for unrelated, unnecessary data collection. 

Over the past year, EFF has been tracking vaccine passport proposals and how they have been implemented. We have objections—especially when rolled out by opportunistic tech companies that are already creating digital inequity and mismanaging user data. We hope we can stop them from transforming into another layer of user tracking.

Paper proof of vaccination raises fewer concerns, as does a digital photo of a paper card displayed on a phone screen. Of much greater concern are scannable vaccination credentials, which might be used to track people’s physical movements through doors and across time. Thus, we oppose any use of scannable vaccination credentials. At a minimum, such systems must have a paper alternative, open source code, and design and policy safeguards to minimize the risk of tracking.

Last year “immunity passports” were proposed and sometimes implemented before the science was even well-developed on COVID-19 immunity and vaccination. Many governments and private companies apparently were driven less by informed public health and science, as by the need to promote economic movement. Some organizations and governments even took the opportunity to create a new, digital verification system for the vaccinated. The needed transparency and protection has been lacking, and so have clear boundaries to keep them from escalating into an unnecessary surveillance system. Even though we recognize that many vaccine credentialing systems have been implemented in good faith, there are several examples below of dangerous missteps that we hope will not be repeated.

New York State’s Excelsior Pass

Launched in April, this optional mobile application has had gradual adoption. Three key issues appeared with this deployment. 

First, IBM was not transparent on how this application was built. Instead, the company used vague buzzwords like “blockchain technology” that don’t paint a detailed picture on how they are keeping user data secure.

Second, the Surveillance Technology Oversight Project (S.T.O.P.), a member of the Electronic Frontier Alliance, uncovered a contract that New York State had with IBM, outlining a “phase 2” of the passport. It would have not only a significantly higher price tag ($2.5 million to $27 million), but an expansion on what Excelsior can hold, such as driver’s licenses and other health records.

Third, a bill was introduced to protect Covid data a month after the Excelsior Pass was launched. It passed the NY State Assembly, but was never taken up by the NY State Senate. The protections should have passed through before the state rolled out the Excelsior Pass.

A “Clear” Path to Centralizing Vaccination Credentials with Other Personal Data

CLEAR displays a company slogan at San Francisco’s airport.

CLEAR already holds a place in major airports across the United States as the only private company in TSA’s Registered Traveler program. So this company was primed for launching their Health Pass, which is intended to facilitate Covid screening by linking health data to biometric-based digital identification. CLEAR’s original business model was born out of a previous rush to security, in a post-9/11 world. Now they are there for the next rushed security task: vaccination verification for travel. In the words of CLEAR’s Head of Public Affairs, Maria Comella, to Axios:

“CLEAR’s trusted biometric identity platform was born out of 9/11 to help millions of travelers feel safe when flying. Now, CLEAR’s touchless technology is able to connect identity to health insights to help people feel confident walking back into the office.”

A restaurant reservation app, OpenTable, just announced plans to integrate CLEAR’s vaccination credentials into its own system. There is no logical limit to how centralized digital identifications like those created by CLEAR might spread into our lives by facilitating proof of vaccination, and with it new vectors for tracking our movements and activities.

Of course CLEAR is not the only company openly luring large government clients to merge scannable proof-of-vaccination systems into larger digital identification and data storage systems. For example, the National Healthcare System in the U.K. contracted with Entrust, another company that openly contemplated turning vaccination credentials into national identification systems (which EFF opposes). With no federal laws adequately protecting the privacy of our data, we are being asked to trust the word of profit-driven companies that continue to grow through harvesting and monetizing our data in all forms. 

Likewise, U.S. airlines are using vaccine passports, subject to policies that reserve the corporate prerogative to sell data about customers to third parties. So any scan of passengers’ health information can be added to profiles of the thousands that travel each year.

Illinois’ Approach

In Illinois earlier this month, the state’s “Vax Verify” system launched to offer digital credentials to vaccinated citizens. A glaring flaw is the use of Experian, the controversial data broker, to verify the identity of those accessing the portal. The portal even asks for Social Security numbers (optional) to streamline the process with Experian.

Many Americans have been targets of Covid-based scams, so one of the main pieces of advice is to freeze your credit during this turbulent time. This advice is offered on Experian’s own website, for example. However, to access Illinois’ Vax Verify, users must unfreeze their credit with Experian to complete registration. This prioritizes a digital vaccine credential over the user’s own credit protection. 

The system also defaults to sharing immunization status with third parties. The FAQ page explains that users may retroactively revoke so-called “consent” to this sharing.

A New Inequity

We have had concerns about "vaccine passports" and "immunity passports" being used to place company profit over true community health solutions and amplify inequity. 

Sadly, we have seen many take the wrong path. And it could get worse. With more than one hundred COVID-19 vaccine candidates undergoing clinical trials across the world, makers of these new digital systems are advocating for a “chain of trust” that marks only certain labs and health institutions as valid. This new marker will deliberately leave behind many people across the world whose systems may not be able to adhere to the requirements these new digital vaccine proof systems create. For example, many of these new systems entail elements of public key infrastructure governance for public key cryptography, which creates a list of "trusted" public keys associated with "trusted" health labs. But the definition of technical “trustworthiness” has not been agreed upon or enforced pre-Covid, raising concerns that imposing such systems on the world will lock out hundreds of millions of people from being able to obtain visas or even travel—all because their country's labs may not clear these unnecessary technical hurdles. An example would be the EU’s Digital COVID Certificate system. That requires a significant list of technical requirements to achieve interoperability that include data availability, data storage formats, and specific communication and data serialization protocols.

Overview of EU’s Digital COVID Certification System that lays out backend and gateway communications for verifying a vaccine

Overview of EU’s Digital COVID Certification System. Source: https://ec.europa.eu/health/sites/default/files/ehealth/docs/digital-green-certificates_v5_en.pdf

This primary reliance on digital passports effectively pushes out presenting paper options for international travel, and potentially domestic travel as well. They devalue paper as a proper check of vaccination proof because the verifier can’t scan a public key. The only viable paper option is printing out the QR Code of the digitally verified credential, which still locks people into these new systems of verification. 

These new trust-based systems, if implemented in a way that automatically disqualifies people who received genuine vaccinations, will cause dire effects for years to come. It sets up a world where certain people can move about easily, and those who have already had a hard time with visas will experience another wall to climb. Vaccines should be a tool to reopen doors. Digital vaccine passports, as we've seen them deployed so far, are far more likely to slam them shut.

This post was updated on 9/2/21 to reflect the more recent discovery of the potential cost for the NY Excelsior Pass. Source: https://www.nytimes.com/2021/08/19/nyregion/new-york-excelsior-pass-cost.html