NEW YORK — When New York City announced Tuesday that it would soon require people to show proof of at least one coronavirus vaccine shot to enter businesses, Mayor Bill de Blasio said the system was “simple — just show it, and you’re in.”
Less simple was the privacy debate that the city reignited.
Vaccine passports, which show proof of vaccination, often in electronic form such as an app, are the bedrock of de Blasio’s plan. For months, these records — also known as health passes or digital health certificates — have been under discussion around the world as a tool to allow vaccinated people, who are less at risk from the virus, to gather safely. New York will be the first U.S. city to include these passes in a vaccine mandate, potentially setting off similar actions elsewhere.
But the mainstreaming of these credentials could also usher in an era of increased digital surveillance, privacy researchers said. That’s because vaccine passes may enable location tracking, even as there are few rules about how people’s digital vaccine data should be stored and how it can be shared. While existing privacy laws limit the sharing of information among medical providers, there is no such rule for when people upload their own data onto an app.
The moment is reminiscent of the months after the Sept. 11, 2001, attacks, privacy advocates said. That was when changes made in the name of national security led to lasting effects, including taking off shoes in airports and data collection enabled by the Patriot Act.
Without safeguards now, presenting a digital vaccination passport every time people enter a public place could lead to a “global map of where people are going,” said Allie Bohm, a policy counsel at the New York Civil Liberties Union. The information could be used by third parties for profit or be handed over to law enforcement or immigration authorities, she said.
“How do we make sure that in 20 years we’re not saying, ‘Well, there was COVID, so now I’ve got this passport on my phone that is also my driver’s license and also has every health record I’ve ever had, and every time I go into a store I have to swipe it?’” Bohm said.
She added that the passes could particularly disadvantage groups that are more concerned about privacy, including those who are living in the U.S. illegally. The New York Civil Liberties Union and other advocacy groups have supported legislation to prevent vaccination data from being shared with law enforcement officials and to ensure that the passes do not become permanent health trackers.
Vaccine passports have largely been rolled out without a national framework in the United States. President Joe Biden has ruled out a national vaccine pass, leaving states, cities and private companies to determine whether and how to have their own electronic systems to keep track of vaccinated people.
Some companies that have developed digital vaccine passes have tried to preempt privacy concerns. Over 200 private and public organizations recently joined the Vaccination Credential Initiative, a coalition that aims to standardize how vaccine data is recorded and protected.
Many developers said they had taken pains to make sure the passports do not cross privacy boundaries. Clear Secure, a security company that has created a health pass used by over 60 organizations, many of them sports venues, said health data about its users was “handled with the utmost care” and protected by a variety of tools. Employers or venues can see only a red or green signal showing whether a user has been inoculated, it said.
The Commons Project, a nonprofit that has developed a vaccine pass called the CommonPass, stores vaccination and testing data on users’ phones and uploads the information only temporarily to a server to check that a traveler has met requirements, it said. Airlines that have adopted CommonPass, including JetBlue and Lufthansa, can see only whether a passenger has been cleared for travel, it said.
JP Pollak, a co-founder of the Commons Project, said the group’s vaccine pass was “trustworthy” because users’ data was not stored on the cloud and because the pass limits the information businesses can see.
But while vaccine passports remain nascent, COVID-19 contact-tracing apps that were introduced earlier in the pandemic have already been used by more authoritarian countries in ways that raise privacy questions. That gives researchers little confidence about how these vaccine passes might be used later.
In China, for example, a program called “reportInfoAndLocationToPolice” within the Alipay Health Code, used by the Chinese government to assess people’s health status, sends a person’s location, city name and an identifying code number to a server as soon as the user grants the software access to personal data.
In Singapore, officials said in January that data from the country’s coronavirus contact-tracing system had been used in a criminal investigation, even though leaders had initially said it would be used only for contact tracing. In February, Singapore passed a law limiting such use only to “serious” criminal investigations.
“One of the things that we don’t want is that we normalize surveillance in an emergency and we can’t get rid of it,” said Jon Callas, director of technology projects at the Electronic Frontier Foundation, a digital rights group.
While such incidents are not occurring in the United States, researchers said, they already see potential for overreach. Several pointed to New York City, where proof of vaccination requirements will start on Aug. 16 and be enforced starting on Sept. 13.
For proof, people can use their paper vaccination cards, the NYC COVID Safe app or another app, the Excelsior Pass. The Excelsior Pass was developed by IBM under an estimated $17 million contract with New York state.
To obtain the pass, people upload their personal information. Under the standard version of the pass, businesses and third parties see only whether the pass is valid, along with the person’s name and date of birth.
On Wednesday, the state announced the “Excelsior Pass Plus,” which displays not only whether an individual is vaccinated, but includes more information about when and where they got their shot. Businesses scanning the Pass Plus “may be able to save or store the information contained,” according to New York state.
The Excelsior Pass also has a “Phase 2,” which could involve expanding the app’s use and adding more information like personal details and other health records that could be checked by businesses upon entry.
IBM has said that it uses blockchain technology and encryption to protect user data, but did not say how. The company and New York state did not respond to requests for comment.
De Blasio told WNYC in April that he understands the privacy concerns around the Excelsior Pass, but thinks it will still “play an important role.”
For now, some states and cities are proceeding cautiously. More than a dozen states, including Arizona, Florida and Texas, have in recent months announced some type of ban on vaccine passports. The mayors of San Francisco, Los Angeles and Seattle have also said they were holding off on passport programs.
Some business groups and companies that have adopted vaccine passes said the privacy concerns were valid but addressable.
Airlines for America, an industry trade group, said it supported vaccine passes and was pushing the federal government to establish privacy standards. The San Francisco Chamber of Commerce, which is helping its members work with Clear Secure, said using the tools to ensure only vaccinated people entered stores was preferable to having businesses shut down again as virus cases climb.
“People’s privacy is valuable,” said Rodney Fong, the chamber’s president, but “when we’re talking about saving lives, the privacy piece becomes a little less important.”