The U.S. has its first official vaccine passport.
New York’s Excelsior Pass, developed by IBM, is essentially a simple digital wallet that can be accessed on mobile devices, which holds a handful of items: your name, your birth date, a QR code, a green check mark and the time when the passport expires.
The idea is that people can use the app to prove to somebody — say, a ticket-taker at the door of a sports stadium, an airline or the staff at a large event — that they’ve received a vaccine against COVID-19. In actuality, the app can also prove that somebody’s received a negative test for the disease.
“It’s all about trust, right?” said Tim Paydos, global general manager of government for IBM. “If people are right now reluctant to go watch a Rangers game in New York City, maybe it’ll make them feel safer to know that, OK, not only are they practicing social distancing and all that within the stadium, they’re also checking to make sure that someone’s been tested or vaccinated.”
So far, Paydos said, the app has been downloaded hundreds of thousands of times.
Criticism of Vaccine Passports
There’s no mandate that anybody use the app. Rather, the state has released it as a way to reduce risk in social gatherings. The same thing could be accomplished with the paper cards people receive when they get a vaccine, though the FBI recently warned that the market for fake vaccination cards has already materialized.Still, the idea of vaccine passports has prompted backlash from many. Republicans, who have said in public opinion surveys that they’re less likely to get the vaccine than the rest of the country, have largely rejected the idea. Civil rights advocates such as the Electronic Frontier Foundation (EFF) have also spoken out against vaccine passports, pointing that inequities in vaccine distribution have meant that racial minorities are less likely to have received their first dose than white Americans.
Alexis Hancock and Hayley Tsukayama with EFF also pointed out that the involvement of blockchain in vaccine passports — a feature of Excelsior Pass — will necessarily create a system where data that’s useful for proving vaccination in the current day will be preserved indefinitely. Creating widespread vaccine passports could, they argue, be a step toward a future where the government maintains digital IDs for everyone and uses them to collect and store personal information.
While Excelsior Pass, and likely other vaccine passports, don’t come with a government mandate, they will enable organizers and proprietors to set mandates for their own particular establishments.
“Resources, especially tax dollars, should be focused on giving people more information about and access to vaccinations, rather than creating a digital fence against those who haven’t been vaccinated yet — and subjecting people who have been vaccinated to new privacy risks,” they wrote in a blog post.
Paydos said it’s not IBM’s place to address those concerns.
“I’ll leave the policies around the use of this to the policymakers,” he said. “IBM is a technology company, and we’re committed to serving the citizens and society in the safest, most secure way that we know how.”
How Excelsior Pass Works
From the standpoint of a person using Excelsior Pass, the process is relatively simple: Put in your information, answer some basic questions to verify your identity and you’ll have your pass. To prove you’ve been vaccinated, either show somebody the app or let them scan the QR code.Behind the scenes, what the app is doing is connecting with some kind of credentialed health authority — a state agency, a hospital, another health provider — who can verify that you’ve been vaccinated. The first time you use the app, it will send the information (your name, birth date, QR code, pass expiration date and a green check mark) to your mobile device, where it will be available regardless of whether you have service. Once a month, it will ping the health authority again to re-verify. For tests, the information times out after 72 hours.
Should a person scan the QR code, the app will ping the health authority to verify the authenticity of the information.
IBM purposefully didn’t build a centralized database for Excelsior Pass in order to avoid creating a giant target for hackers.
“All of the data stays distributed,” Paydos said. “We’re not creating a big intergalactic database in the sky. We wouldn’t want to do that, nor given the time urgency could we do that.”
The app was built using open source standards, which IBM hopes will mean it’s interoperable across states, apps, health providers and even countries. So a person who lives in Connecticut who drives to New York City to go to a Rangers game would be able to use New York’s Excelsior Pass to show that they’ve been vaccinated.
The app was actually based on work IBM did with Maersk on shipping containers moving across the world, and Paydos said it should work for travelers moving between nations as well.
“Having this open, available, secure and safe platform will enable countries in Europe and the EU to communicate with each other,” he said. “They want interoperability so people can travel around Europe, but then when folks want to come over to the United States or go to Australia, as long as everyone’s on the same standard and we have interoperability, we’ll be able to do this validation process across the globe.”
Editor's note: This story has been updated with new information from IBM to show that in addition to a person's name, a green check mark and a QR code, Excelsior Pass also displays the user's birth date and the time the pass expires.