Here’s how New York’s ‘vaccine passport’ app works.

New York is the first state to issue a "vaccine passport" app. How does it work and how secure is it?
A hand caryrying a phone with the Empire Pass vaccine app on it
An app is a lot easier than carrying around your card. IBM

Large scale conversations and debates about digital “vaccine passports are already well underway.” New York state recently launched its own app, while governors in Florida, Texas, and Montana have issued orders against the use of vax passes.

You can carry your CDC vaccination card or new test results with you everywhere you go — though that won’t be practical or safe for everyone. Whether you decide to stay analog or go digital with this new state of affairs, these apps will be rolling out everywhere pretty soon and their user bases will likely grow quickly. 

Digital “vaccine passport” apps bring up some pretty thorny privacy and security issues. If you’re like us, there might be one or two apps in the whole world you actually trust. So the idea of some random app having your medical info so you can go to a concert sets off the alarms, you’re not alone. That’s probably why New York’s Excelsior Passrunning on IBM’s Digital Health Pass platform — got negative press attention about its unanswered privacy and security questions at launch.

New York is the first state to launch a digital vaccine “passport” for use at venues. It’s an app similar to virtual boarding passes, but for vaccinated people who want to smoothly attend concerts, baseball games, and other events that require proof of vaccination or “all clear” test results before entering.

The Excelsior Pass touts its privacy and security features — yet glosses over important details with buzzwords like “blockchain”. Worryingly, one reviewer said the app is “complicated to use and easy to fake.” Since these apps will soon be in use domestically and globally, IBM’s Health Pass deserves scrutiny before it earns our trust.

How IBM’s platform runs New York’s Excelsior Pass

A person scanning an Empire Pass vaccine app
The app only shares specific information. IBM

The first things to know when you’re assessing the privacy and security of most apps is to ask these two questions:

– How is my data secured “at rest?” That is to say, where is it stored? Where does the app pull your data from and where is it sent?

– How is my data secured while in transit between these three locations?

You’ll also want to know who is responsible for secure these data-protection pain points.

For instance, security on your app is partially on you. Choosing a strong password and being vigilant about your security practices (not sharing your passwords, etc.) will always be crucial

The rest of the  responsibility falls on the  app makers and data storers. As we’ve been learning the hard way over the past several years, most are terrible at protecting your security and privacy, and will go to great lengths to avoid responsibility for their negligence.

The devil is in the (security) details

With all due respect for the well-intentioned privacy and security concerns and criticisms about the Excelsior, it seems like there are some technical misconceptions around exactly how this system works. Popular Science spoke with Eric Piscini, VP, Emerging Business Networks, IBM Watson Health, who walked us through the security processes at work with the Digital Health Pass and New York’s Excelsior.

IBM’s Digital Health Pass is an app framework that its clients customize. In the case of Excelsior Pass, the client is the state of New York. The first thing a user does is visit New York state’s Excelsior Pass website, click “get started,” then read and agree to the Terms. These are important because they remind us that “you are not providing protected health information for health care treatment, payment, or operations (as defined under Health Insurance Portability and Accountability Act (HIPAA).”

Then users enter their name, date of birth, and zip code before verifying their identity.

From there, the individual’s data — vaccination records and/or test results — is retrieved from state health sources and turned into a QR code. The only viewable information is name, date of birth, any expiration dates (on, say, a test result), and when this result was generated.

All data encryption prior to QR code creation is done on the state’s side, not on the user’s phone and — perhaps most importantly — it is not saved. It is ephemeral. There is no account creation, and if you lose this QR code (or it expires), you’ll have to go through the code creation process again.

Next, the user can import the code onto their phone via the official app or onto their iPhone’s Keychain, or print the QR code to show a paper copy. What’s neat about this step is that your data is already encrypted before its trip from the website to your phone (or to the printer), so plain-text data can’t be “seen” in transit via weak wi-fi security (or other attack methods).

Upon arrival to your eagerly-awaited baseball game, air guitar competition, or cosplay convention of your choosing, you show the doorperson the QR code. They also have the app, and use it to scan your result; the results on their device show your name, date of birth, and either a green checkmark or a red “X.” The screen also prompts that bouncer to cross-check with your ID.

Green means go

Speaking of chains, what’s all this about it being secured by “the blockchain”? As it turns out, what’s at work with “the blockchain” and IBM’s Health Pass isn’t related to cryptocurrency, distributed ledgers, or blockchain security buzzword chicanery. As Mr. Piscini explained to Popular Science, Health Pass uses a very small portion of the blockchain platform to register the event of a data import, and to create a unique cryptographic “hash” to verify authentication in the future.

So, what’s the worst that can happen? Well, someone could see your unredacted selfie with your CDC vaccination card, and use that data to generate a pass. So please don’t post those selfies unless you know how to securely hide your date of birth or other data on the card. (Your safest bet is to cover sensitive info with your thumb before taking the pic.) Even still, the identity thief will have to hope the ticket-taker they encounter doesn’t ask for ID or is having a lazy day.

It remains to be seen how well the human “check ID” portion of the security chain will hold up. People are people, after all.

Ultimately, some people will be fine with using a digital covid “passport” and some won’t, same as with boarding pass apps at airports. Just be sure that whichever digital vaccine pass generator your state our country decides to use is one that isn’t run on some shady covid startup app that wants to track or sell your data, or a creepy company that wants everyone to log-in via Facebook.

It’s definitely better than carrying around your CDC vaccine card, which at this point in the pandemic would be an unbelievable pain to lose.