The Privacy Impact of Electronic Vaccine Passports

COVID19 sure is adding a ton of complexity to our lives. It’s no wonder we are having a mental health crisis. Too much, too fast.

Back last summer, I was on a radio show talking about covid tracking apps and whether or not to trust them with your data. Now, we are talking about electronic vaccine passports. Being a self proclaimed privacy and cybersecurity expert, I decided to go sleuthing again. This article explains my research and, as usual, I give you my opinion.

First, I want to start with the absolutely, colossal failure of vaccine appointment sites in the United States, and, specifically, in New York, where I live. In order to book a vaccine appointment, every person was directed to the NY “Am I Eligible” website. From there, you had to answer a bunch of questions about whether you were eligible under the current guidelines. If yes, then you were permitted to see which vaccination sites had openings.

Except you weren’t.

Because the site never actually listed all the NY vaccination sites. I know this because my county published a weekly report of where all the vaccines they received were distributed. Each week, a nearby hospital received about a thousand doses, but that hospital was never on the NY Eligible list. Ever. And I checked about 100 times.

You might argue that they weren’t on the list because they were always fully booked. But that was not how the listing worked. It showed you a list of sites and once you clicked on the site, it would then tell you if that site had any available appointments or not.

As NY opened up vaccine eligibility, the tech got even worse. Once anyone over the age of 16 was eligible, almost every vaccination listed site would force you to go through a captcha before showing you whether they had available appointments. I had to go through hundreds of captchas over several days before I found an appointment. It was so annoying. Clearly, no one was thinking about the user experience.

I suspect the websites were developed very quickly and with minimal staffing. It makes sense because they will be taken down once the pandemic is declared over or the vaccines start to circulate like normal vaccines do, at pharmacies and your doctor’s office.

But here is my point, if the websites for booking vaccine appointments are this bad, then how can I trust the electronic vaccine passport?

The short answer is, I don’t and I won’t.

According to my research, the electronic vaccine passport works something like this: You visit the website which will verify your identity and your current vaccine status (or Covid19 health status) by asking you a series of questions (I am thinking this is similar to the “Am I Eligible” site). Once you have verified, it sends you an electronic pass. You can store the pass in an app that you download through the app store on your phone (or you can take a picture of it and store the picture on your phone or you can print it). When you visit a business, they have a scanner that scans the pass (now in a QR code format) which will tell them your name and date of birth that they will verify with your I.D. and whether you “pass” or not. To display a “pass,” the app reaches out to the NY state database to look at your health records. One benefit that they advertise is privacy, that your medical records are kept private since it doesn’t show your test results or vaccine info, just a pass or fail.

Frankly, I am not really sure what is sensitive data on a vaccine record. All it confirms is the date, the location and which vaccine was received.

I also don’t see why I can’t just take a picture of my vaccination card and show it to whatever business I am visiting. In short, I don’t get the value proposition of the electronic vaccine passport.

Getting back to my privacy sleuthing of the apps, another thing they claim is that they aren’t collecting location data, but what about other data that is being created by this process?

For example, the double verification means that both the passport app and the scanner app know what business I am visiting. On the individual level, the business would like to know that I visited so they can send me emails and other personalized advertising or marketing. Imagine how useful it is that they got my name, address, time of visit, date of visit and my vaccine status (so they know I can shop)? On the aggregate level, it can show how well a business is doing relative to its competitors or nearby stores i.e. the traffic it is getting. The app could also track how many stores I visited on that date and in what time frame. All very useful data! And data that can be quite intrusive.

From my work in privacy, many government agencies publicly publish their privacy impact assessments, but no luck here, so I cannot see if they developed with privacy in mind. Although, they did publish FAQs.

Knowing a little about development and being extremely suspicious, I think it is just another database of information. I have very little trust in the security based on that whole captcha debacle getting vaccine appointments. Add to it that the apps will likely be decommissioned after many months and my trust in the security goes down even further. I also have very little trust in the user experience.

So, sorry NY, I won’t be using the vaccine passport app if I don’t have to. Years ago, we all carried little yellow vaccination cards around when we traveled. I have no problem doing that again. Besides, I can have a backup picture locally stored on my iPhone which puts me in complete control to restrict other data collection or analytics.

Yes, I am a paranoid person and, in this case, where privacy alternatives exist, I choose not to be an adopter. How about you? Are you going to give your trust to electronic vaccine passports?

I am a lawyer, which makes me an advocate. Now, I am an advocate for individual privacy rights. In today’s business culture, the burden of any data breach is borne by the individual, even though the fault is not theirs to bear. I aim to change that by improving the system from within.

ClearOPS is my company. ClearOPS is a privacy tech company. Want to hear a recent podcast where we talk about privacy tech? Listen here.

You’re the best, Caroline

P.S. If you read the FAQs, you will note, as I did, that the antigen test will only give you a “pass” for 3 hours. What is the point of that?

None of this constitutes legal advice. None of my opinions reflect the opinions of my employer. All disclosures apply. All disclosures are my own. Don’t sue me. I am just trying to be helpful. Small print is done on purpose.