Some Confusion in New York's Vaccine Passport Rollout
Posted by ekr on 03 Jun 2021
It took Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, a nonprofit watchdog group, just 11 minutes to download someone else’s Excelsior Pass using information they had posted on social media and Google searches, he said. Many people have posted pictures of their vaccination cards, which include a person’s name, birthday, date of vaccination and type of shot.
Cahn writes, in an article called "I Forged New York’s Digital Vaccine Passport in 11 Minutes Flat":
But beyond the civil liberties and equity concerns, there’s a much more fundamental critique: The technology doesn’t work. The entire justification for an electronic vaccine tracker is that it’s supposedly “secure.” But while the CDC’s flimsy “white cards” provide few protections against forgery, are the high-tech apps much better? That’s what I set out to find on Easter Sunday. I set aside the entire day for the experiment, but I was done before breakfast. After getting consent from an Excelsior Pass user, I tried to download their pass, logging into their account using nothing more than public information from social media. Eleven minutes after he gave me the greenlight, I had a copy of his blue Excelsior Pass in hand, valid for use until September.
Now, this is not an ideal set of properties, but for privacy, not security reasons. As I described previously, a vaccine credential system like this isn't a bearer token: it's a signed assertion binding the user's identity to a given vaccine status. That's why the user also has to present some sort of biometric identification like a driver's license to show that they're the person described in the credential. This means that you having a copy of my vaccine passport doesn't let you pretend to be vaccinated unless you're also able to get some biometric ID for yourself with my name on it (or, I suppose, if we have the same name). This is pretty much the way things have to work because you'll be showing your credential to people all the time in order to demonstrate that you're vaccinated; if they could just make a copy and use that, the whole system would fall apart the minute someone who wanted to cheat got a copy of any valid credential, as they could distribute it all over the Internet. So, it doesn't really make sense to say that this is "forging" the credential.
As a comparison point, consider a "vaccine passport" system in which we just had a giant online database of who was vaccinated and who wasn't (effectively, the purpose of the signature on the credential is to passivate database entries so they can be verified offline.) When someone wants to know if you're vaccinated, you give them your name and they just look it up and check against your ID. We wouldn't say that someone had "forged" your vaccine passport in that case if they were able to retrieve your record, it's just the system working as designed.
What we would say, however, is that this system has a privacy problem: I can also use that information to determine whether anyone -- not just the person in front of me -- was vaccinated or not, and, depending on exactly what's in the credential, when and with what vaccine. However, if you can retrieve people's credentials with public information, then even an offline credentials system has the same problem, which seems to be the situation here. What you want is that only the vaccinated person can get their own credential, though this may not be as easy to implement as it sounds. If you issue credentials at vaccination time, it's pretty straightforward, but if you want to issue them to people who have already been vaccinated, it's harder. Here's what the article says is required:
I.B.M. recently added a phone number check to the identification field of the app to make it easier to find someone’s vaccination. Only four of the five fields — including first and last name, date of birth and ZIP code — need to match for someone to get a pass.
Unfortunately, nearly all of this information is semi-public. There are plenty of people for whom I know their full name, zip code, and phone number; if that's all that's required, the privacy situation is not good. Probably the best approach is to send patients a copy of the credential -- or a code to retrieve it -- to the phone or email address they used to register for their appointment (or even physically mail them a piece of paper with the QR code on it.) I don't really have a good solution for people for whom you don't have good contact information though.
The article goes on to say that people are treating the QR code itself as if it were proof of vaccination:
And each pass can be uploaded to a limitless number of devices, or printed out and copied. The Excelsior Pass, which cost the state $2.5 million to develop, contains no biometric data for privacy reasons, so it needs to be compared against an ID, an extra step that, in practice, sometimes isn’t taken.
At the City Winery on Wednesday, outdoor hosts sometimes asked for ID when people flashed their Excelsior Pass or paper vaccination cards to gain entry, but sometimes they didn’t. At the Armory, Covid compliance officers in face shields carefully checked IDs, but they just eyeballed the pass’s QR code, instead of scanning it to double-check its veracity.
To the extent to which this practice is common, it's actually a fairly serious problem. Just checking to see if people have a QR code of some kind on their phone doesn't do anything: one QR code looks much like another and without scanning it, you can't tell if it even has the right name on it, let alone if it actually describes someone's vaccination status, has a digital signature from someone you trust, etc. If verifiers just glance at the code without scanning it, it doesn't matter whether the system is properly designed, cryptographically secure, etc., because anyone who wants to pretend to be vaccinated can just download a random QR code of the right size off the Internet and pretend it's their vaccine credential.
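To make the "signed assertion, not a bearer token" point concrete (and what a verifier who actually scans the code has to check), here is an added example in Go; it is not code from the post or from the Excelsior Pass, and the credential layout, the Ed25519 key and the names are all constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is the signed assertion the post describes: an identity bound to a vaccine
// status. The field layout is a constructed example, not the real Excelsior Pass format.
type Credential struct {
	Name    string `json:"name"`
	DOB     string `json:"dob"`
	Status  string `json:"status"`
	Expires string `json:"expires"` // YYYY-MM-DD
}
// SignedCredential is what the QR code would carry: the signed bytes plus the signature.
type SignedCredential struct {
	Payload, Signature []byte
}
// NewIssuerKey creates the issuer's Ed25519 key pair (standing in for the state's key).
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	return pub, priv
}

// Issue signs a credential. Anyone can copy the result; the signature proves only that
// the issuer made the assertion, not that whoever holds the QR code is its subject.
func Issue(priv ed25519.PrivateKey, c Credential) SignedCredential {
	payload, _ := json.Marshal(c) // marshalling a plain struct cannot fail
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify is what scanning the code must actually do: check the signature against the
// trusted issuer key, check expiry and status, then match the name against the photo ID.
func Verify(issuer ed25519.PublicKey, sc SignedCredential, idName string, now time.Time) error {
	if !ed25519.Verify(issuer, sc.Payload, sc.Signature) {
		return fmt.Errorf("signature is not from the trusted issuer")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return fmt.Errorf("malformed payload: %w", err)
	}
	if exp, err := time.Parse("2006-01-02", c.Expires); err != nil || !now.Before(exp) {
		return fmt.Errorf("credential expired or has an invalid expiry")
	}
	if c.Status != "vaccinated" || c.Name != idName { // not a bearer token: it must match the ID
		return fmt.Errorf("no vaccination credential for %q (this one is for %q)", idName, c.Name)
	}
	return nil
}
```

A copied pass fails only at the last check, which is exactly the step the post says verifiers sometimes skip; a random QR payload or one signed by some other key fails at the first.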
This isn't to say that there's no value in a system like this. First, many verifiers will actually check the QR codes. Second, just as with the paper cards, it's some effort to forge even a bogus QR code and a lot of people just won't be comfortable with effectively lying about their vaccine status. But to the extent to which that's true, you don't need any fancy crypto, just have people show a photo of their vaccine card. In any case, it seems clear that if we are going to have this kind of system more education is needed in order to prevent misunderstandings like these.
While we're on the topic, California only seems to want to give you a new driver's license if yours is lost or stolen, but why can't I just get two copies of the same license so that I can have one in my wallet and one in my car? It's got my picture on it, so it's not usable by someone else.