New York's 'Excelsior Pass' – a vaccine passport – has been downloaded by 1.1 million people in The Empire State, state authorities recently revealed.
The mass uptake mirrors that of various other vaccine passport schemes around the world, which have been marred with privacy concerns from the word "Go".
The Excelsior Pass
The Excelsior Pass is a simple QR code that indicates the pass holder's vaccine status and can be downloaded onto either a smartphone or a computer.
Around 9 million New Yorkers (or around 57% of the state's adult population) have been fully vaccinated against Covid-19 to date. Excelsior Pass uptake for the vaccinated currently sits at around 12.3%, however.
The passport itself was developed by multinational technology company IBM, and has been available to New York residents since March of this year. It has been credited with helping certain pubs and bars open up, many of which now take the Excelsior Pass as a condition of entry.
Blockchain: A pointless usage?
The Excelsior Pass utilizes blockchain technology to house its data. IBM defines a blockchain as "a shared, immutable ledger that facilitates the process of recording transactions and tracking assets in a business network. An asset can be tangible (a house, car, cash, land) or intangible (intellectual property, patents, copyrights, branding). Virtually anything of value can be tracked and traded on a blockchain network, reducing risk and cutting costs for all involved".
Usually, blockchains are public. But for the Excelsior pass, the blockchain will be private and only certain entities will have access to it. But vaccine data isn't an asset in the same way that the examples listed by IBM are, so why are they using blockchain technology in the first place? The answer is unclear.
The minute you add blockchain to it, you've left the zone of 'We are thinking seriously about the hard problems' and gone into 'We have a solution to sell someone'.
Open questions on privacy, security, and fairness
Right out of the blocks, the Excelsior App's privacy notice is cause for concern. According to Max Eddy in PC Mag, who describes the privacy policy as 'sketchy', it states that there is no obligation for the Excelsior pass to be HIPPA (Health Insurance Portability and Accountability Act of 1996)-Compliant.
The problem is – and the reason there are significant privacy concerns – is that this is essentially the only information we have regarding the security of this data. A press release about the passport published back in March reads: "Using blockchain technology, individuals will be able to voluntarily share their health status through an encrypted digital wallet on their smartphone without the need to share underlying medical and personal information".
This is devoid of technical information and says little about the actual security of the system. IBM's Digital Health Pass page isn't much better and does little to further elucidate exactly how vaccine information would be securely held.
There's yet to be a vaccine passport success story
Vaccine passports around the world have been marred by privacy problems, most notably Israel's, which used outdated encryption protocols and was easily forged. In fact, Israel's 'Green Pass' has several design and function aspects that could be described as questionable or even disastrous, including contact forms containing health information being sent to a Health Ministry official's private Gmail account.
Other countries that are yet to roll out vaccine passport schemes have suffered other privacy-related setbacks in the fight to administer vaccines, including the United Kingdom. Just last month, anyone could determine the vaccine status of pretty much any other individual via the NHS website using just a few bits of basic information on that individual. The idea of using vaccine passports as a legal requirement for entry to mass gatherings, originally billed as a way to get the nation back to normal, has now been 'killed off'.