Vaccine passport apps are about to be everywhere. It could get complicated
As the vaccine rollout continues to accelerate and the broader US economy prepares to reopen, talk of vaccine verification apps has heated up.
Tech companies, health care providers and even retail stores are working on digital health pass apps that will allow users to show proof of vaccination before entering events and businesses. The state of New York is already scanning IBM’s Excelsior app at the door of venues such as Madison Square Garden ahead of sporting events; if you’ve tested negative for COVID-19 or received a vaccine, you can watch a Rangers hockey game in person.
Vaccine verification apps could play a key role in lifting restrictions, but privacy and security experts say the upcoming rollout will present a handful of challenges over standards, interoperability, personal data and adoption — from both users and businesses. This will be compounded by a deluge of apps potentially coming our way, with the federal government largely saying it will stay out of it.
“Less is more,” said Alan Butler, president of the Electronic Privacy Information Center. “These are public health related systems that should be managed by public health departments and should be limited in how they’re used to that context. We don’t want these to be broad data collection systems for all sorts of different uses that exist far beyond the public health crisis.”
White House press secretary Jen Psaki recently said there will be “no centralized universal federal vaccinations database, and no federal mandate requiring everyone to obtain a single vaccination credential. … We want to encourage an open marketplace with a variety of private sector companies and nonprofit coalitions developing solutions.”
But leaving the process up to the private sector and local governments could present unforeseen consequences. For example, Florida Governor Ron DeSantis already banned the requirement of vaccination proof documents in the state — a move that has the cruise line industry worried about reopening plans.
Jenny Wanger, the director of programs for Linux Foundation Public Health, said “hundreds” of companies are actively involved in making vaccine credential solutions. Her organization is behind The COVID-19 Credentials Initiative, a global community made up of more than 450 technologists, academics and healthcare professionals from more than 100 organizations, that is among the groups establishing standards for vaccine health pass apps.
The aim is to set guidelines so apps can be interoperable and open sourced, allowing developers to see what’s happening behind the coding to create a more transparent and collaborative process.
“Our goal is to have any business develop something — startups can play in this space, as well as IBM,” Wanger said. “We are working on this system so there isn’t a way for one company or one group of companies to have power over health records or be overly dominant.”
In theory, she said, people will have the freedom to choose what apps they want to use. “I don’t think we’ll see a future where you can buy paper towels through a Walmart app and then also get your vaccine credentials. But we think people will be able to manage their credentials through a platform and then use that domestically or overseas.”
Similarly, the Vaccination Credential Initiative — which includes IBM, Microsoft, Salesforce, Oracle, Mayo Clinic and the Commons Project, a nonprofit with a vaccine passport app currently working with some airlines — is also playing a key role in developing US standards for digital health passes, including its approach to data privacy. Members of the not-for-profit will be required to not collect or store user data. In March, Walmart announced it will use the standard being developed under VCI to anyone vaccinated at its stores and Sam’s Club locations.
Jenn Markey, a marketing director at security firm Entrust, said the success of these rollouts will also depend in part on how the apps work with multiple systems. “The vision is one set of secure digital credentials where the border guard at Heathrow is able to read the same credentials as the usher at Madison Square Garden without compromising citizen privacy,” said Markey.
She added that trying to manage too many solutions could open the process up to security vulnerabilities in the handoff between one application and the next.
At the start, Wanger said the rollout will be reminiscent of the early days of email; AOL users could only email AOL members before standards were developed.
“We are seeing a wave of closed group systems like IBM that are not letting anyone else come into that system and build onto it,” she said. “What we will see with wave two is apps [that can work together]; that’s when enforcement and community alignment comes in. Anyone who wants to play has to play by the same rules when it comes to security, privacy and match standards for interoperability.”
John Verdi, vice president of policy at the Future of Privacy Forum, said it’s too soon to see what methods will prove most popular but he expects to see a handful of approaches: “We’ve seen this dynamic with contact tracing frameworks, payment cards and other technologies.”
At the same time, people won’t likely want to manage too many digital health pass apps, and it’s possible businesses will accept only a few, much like credit cards at retail locations.
“I would be surprised if any apps that are not directly supported by the state public health departments gain any broad traction at all beyond very limited use cases,” Butler said.
Another issue is adoption, not only among users who have to trust the technology but with the businesses themselves, from grocery and retail stores to movie theaters and workplaces. “It seems as if it will come down to whether individual businesses want to use a vaccine passport,” said Erica DeWald, director of strategic communications at Vaccine Your Family, a nonprofit vaccine advocacy organization. “At this point, I don’t think that many will without the federal government taking a stance on them.”