Digital “vaccine passports” are now the subject of large-scale discussions and debates. New York has recently released its own app, and governors in Florida, Texas, and Montana have given orders prohibiting the use of vaccination passes.
You can take your CDC vaccination card or new test results with you everywhere you go, but this isn’t always practical or secure. If you want to remain analog or go digital in light of the new situation, these applications will be available soon, and their user bases will likely expand rapidly.
Digital “vaccine passport” applications raise a slew of privacy and security concerns. If you’re anything like us, you just trust one or two apps in the entire world. But you’re worried about some random app getting your medical information so you can go to a music festival? You’re not alone. That’s possibly why New York’s Excelsior Pass, which runs on IBM’s Digital Health Pass network, received negative press coverage when it first launched due to unresolved privacy and security concerns.
New York is the first state to issue a digital vaccine “passport” used at various locations. It’s a kind of virtual boarding pass for vaccinated citizens who want to go to concerts, baseball games, and other activities without having to provide evidence of vaccination or “all clear” test results.
The Excelsior Pass boasts about its privacy and security features but glosses over essential information with buzzwords like “blockchain.” One reviewer expressed concern that the app is “complicated to use and easy to fake.” Since these applications will soon be used in the United States and worldwide, IBM’s Health Pass needs to be scrutinized before we put our faith in it.
The Excelsior Pass in New York is operated by IBM’s platform.
Only basic information is shared via the app.
When evaluating the privacy and security of most applications, the first thing to remember is to ask these two questions:
– How is my data protected when it is “at rest”? To put it another way, where is it kept? How does the app get the information, and where does it go?
– How is my information protected as it is being transferred between these three locations?
You’ll probably want to know who is in charge of securing these data-security issues.
For example, you are partially responsible for the protection of your app. It will always be essential to use a good password and be careful about your security habits (not sharing passwords, etc.).
The rest is up to the software developers and data storage providers. Some are bad at protecting your security and privacy, as we’ve learned the hard way over the last few years, and will go to great lengths to escape blame for their mistakes.
The devil is in the information (of security)
With all due regard for the Excelsior’s well-intentioned privacy and security issues and critiques, it appears that there are some technological misunderstandings regarding how this device operates. Popular Science spoke with Eric Piscini, IBM Watson Health’s VP of Emerging Business Networks, who took us through the security procedures used by the Digital Health Pass and New York’s Excelsior Hotel.
IBM’s Digital Health Pass is a platform for creating apps that clients can personalize. The client in the case of Excelsior Pass is the state of New York. The user must first go to the Excelsior Pass website in New York State, click “get started,” then read and accept the terms. These are relevant because they remind us that “you are not offering covered health information for health care services, reimbursement, or operations (as specified by HIPAA).”
After that, users must verify their identity by entering their name, date of birth, and zip code.
The individual’s information, such as vaccination records and/or test results, is then collected from state health databases and converted into a QR code. Name, date of birth, and expiration dates (on, say, a test result) and the date this result was generated are the only pieces of information that can be viewed.
Before developing a QR code, all data is encrypted on the state’s side rather than on the user’s phone, and it is not saved. It is impermanent. It is unnecessary to build an account, and if you lose this QR code (or it expires), you will have to repeat the procedure.
The user may then import the code into their phone through the official app or their iPhone’s Keychain or print a paper copy of the QR code. What’s cool about this movie is that your data is already encrypted until it travels from the website to your phone (or printer), so simple data can’t be “seen” in transit due to insecure wi-fi (or other attack methods).
You show the doorperson the QR code when you arrive at your much-anticipated baseball game, air guitar exhibition, or cosplay convention. They have the app as well, and they use it to search your results, which display your name, birthdate, and either a green checkmark or a red “X” on their screen. The screen also instructs the bouncer to double-check your identification.
Go for the color green.
What’s this about it being protected by “the blockchain,” if we’re talking about chains? What’s going on with “the blockchain” and IBM’s Health Move, it turns out, isn’t connected to bitcoin, distributed ledger technology, or blockchain protection jargon. Mr. Piscini told Popular Science that Health Pass only uses a small portion of the blockchain network to record the event of a data import and to generate a specific cryptographic “hash” for possible authentication verification.
So, what could possibly go wrong? Someone might see your unredacted selfie with your CDC vaccination card and create a pass using that information. So, unless you know how to safely conceal your birth date or even other data on the card, don’t post those selfies. (To be secure, cover sensitive information with your thumb before taking the photo.) Even then, the identity thief will have to hope that the ticket taker doesn’t ask for identification or is having a lazy day.
It continues to be seen how well the security chain’s human “scan ID” section would hold up. After all, people are people.
As with seat reservation apps at airports, some people will be comfortable using a digital covid “passport,” while others will not. Just make sure that whichever digital vaccine pass creator your state or country chooses isn’t powered by a shady covid developer that wants to monitor or sell your info or a creepy company that requires you to log in via Facebook.
It’s certainly preferable to keeping your CDC vaccine passport, which would be highly inconvenient to lose at this stage in the pandemic.