While the Biden administration is reportedly coordinating with corporations to develop a so-called “vaccine passport” for Americans to prove they have received the COVID-19 vaccine, there are clear privacy risks external to the dubious constitutionality of such a project.
Republican Florida Gov. Ron DeSantis addressed the idea of vaccine passports in a Monday press conference, noting that the plan would have “huge privacy implications.” DeSantis also said he would take executive action through emergency function, in addition to urging the GOP Florida Legislature to propose a bill banning vaccine passports.
Albert Fox Cahn, an attorney and founder of the Urban Justice Center’s Surveillance Technology Oversight Project, wrote in Wired in early March that government-funded vaccine passports “could turn into a dystopian nightmare for millions.”
“A very appealing vision for some could turn into a dystopian nightmare for millions,” said Cahn. “For vaccine passports, this all means reason for caution. Yes, maybe it is time to update those yellow pieces of cardboard with something more secure, but that is a far cry from creating another permanent layer of surveillance infrastructure.”
The report from the Washington Post that the White House is developing a vaccine passport with the help of corporations comes after the state of New York said it plans to roll out an “excelsior pass” on April 2 that forces residents in New York City to provide proof of a negative COVID-19 test or vaccination documentation to gain access to entertainment and arts venues.
According to the International Air Transport Association, 17 airlines have registered to participate in a COVID-19 test or vaccination proof program for people flying. The “Travel Pass” is being sponsored by governments worldwide, as well as corporations. IBM likewise introduced a “Digital Health Pass” that is blockchain-reliant, and Microsoft, Mayo Clinic, and more than 225 companies have pledged to use an app being produced by the Vaccination Credential Initiative.
Data Breach Potential
“Of course, to demonstrate that you’re tested, vaccinated, or otherwise immune, these various passes need access to relevant health data. All of the systems promise tight security for users, but they still need potentially sensitive information,” writes editor J.D. Tuccille in Reason Magazine.
While the International Air Transport Association has claimed its planned Travel Pass will not store data in a central location, Member of British Parliament David Davis harped on the supplementary issue due to the fact that additional health records could be stored in the same place as the vaccine passport.
“If you have your health records attached to something you have to carry that has to be verified, you have created an opening into the most private data you have,” Davis told British lawmakers last week. “It is straight away a problem and it will grow because, inevitably, once we have the mechanism, it is common sense that people will try to use it for other uses and it will grow and grow.”
The British Computer Society’s Chartered Institute for IT says vaccine passports come with clear data privacy concerns, specifically the potential grouping of data and using of unrelated data by corporations to make decisions about people’s futures.
“[Y]ou can easily imagine how this data might be joined with other information, such as address, or key worker status. All with sensible intentions, but care needs to be taken that this data is not misused. One example of inappropriate use could be calculation of a risk score, and denial of rights or services to someone because of an algorithmic decision,” said Adam Leon Smith, chair of the British Computer Society’s Software Testing Group.
There is also the issue of timeframe. While governments might attempt to frame vaccine passports as moral based on accessibility, it is unclear how long those in power — in addition to private corporations that already store copious data through social media — will be able to access such health records. Coupled with the potential for unrelated data to be grouped in with vaccination data, we are looking at a situation where a centralized authority can willfully reference confidential health records wherever and whenever.
“Meanwhile once these passports have been created for one purpose — like travel — it would be all too easy for their use to be extended and abused. This would result in a two-tier system in which some people can access freedoms and support while others are shut out — with the most marginalised among us hardest hit,” the largest civil liberties organization in the United Kingdom, Liberty, said in a statement.
The Blockchain Question
The excelsior pass plan, instituted by Cuomo and built by IBM, has resulted in questions flooding into the governor’s office on how exactly the blockchain-based application operates. Blockchain is a decentralized technology, like Bitcoin, but few details have been provided by New York on the specifics so residents can comprehensively understand where their data is and how it is being used.
In the press release put out by Cuomo’s office, the administration claimed that “robust privacy protections are woven throughout the digital health pass solution,” but did not say what precise protections are being instituted to protect confidential information.
“Gov. Cuomo gave us screenshots of the user interface, but he never even published a privacy policy,” said Cahn, whose company is based in New York. “We have no idea how this data can be tracked and if it’s accessible to police.”
Matthew Green, an associate professor of cryptography at Johns Hopkins University and the founder of a privacy software called Zerocash, told The Intercept last week that blockchain technology should not be used for supposed vaccine passports. He argued blockchain is complicated and not the proper software to make people feel comfortable about their data. Further, Green says blockchain technology aims to solve a problem of trust, whereas there is an expectation with vaccine passports that the information is fundamentally accurate.
“Blockchain solves a very specific problem around not trusting people, and the problem with this vaccine stuff is you do trust people; you have to trust the data being entered into the blockchain is an actual trusted reflection of who’s vaccinated or not,” Green said. A COVID-19 app requires “a lot of policy thinking, it requires a lot of hard software and user experience work, and all of those problems have nothing to do with blockchain.”
Sharing Unauthorized Information
Ann Cavoukian, who is the former privacy and information commissioner in Ontario, Canada, told iPolitics that “nobody” except the individual whose data it is should have the ability to access health records.
“You should be the one to control who you choose to reveal that to: so if you’re at the airport, you’re going to have to reveal it to the attendant, but that should be the extent of it digitally,” Cavoukian said.
“We’ve seen in other jurisdictions that are advocating for [vaccine] passports, where ministers are saying, ‘this is about life and death, forget about privacy,’ but it’s not just about privacy,” Karen Eltis, a law professor at the University of Ottawa who specialized in privacy law, said.“The information that we give — the data that we’ve gave — we didn’t think, for instance, would be shared as it is now and we’re turning to this situation where information is being repurposed in an era where we don’t have proper legal frameworks for information.”
The COVID-19 vaccine passport debate is occurring on an international level, as governments and corporations collude to consider rolling out databases to track citizen records after months of mandates and restrictions. The Washington Post’s report on developments in the Biden administration on vaccine passport rollout comes after the president signed an executive order in January urging government agencies “to assess the feasibility” of forcing Americans to provide proof of COVID-19 vaccination documents.