Regardless of where you live, vaccine passports on the horizon promise to fast-track our safe return to public spaces. But only if people are able to access and trust them. And that’s a big if.
With the help of New Yorkers across a range of ages, I’ve been testing Excelsior Pass to see whether digital vaccine passports create more problems than they solve. Using Excelsior Pass is entirely voluntary, but it requires learning about the state’s system and mastering a few different websites and apps. It took me 20 minutes over Zoom to help an octogenarian set up his pass, though it was certainly simpler than mastering vaccine-appointment websites. Even when we thought we understood the system, Excelsior Pass didn’t always work: My tech-reporter colleague tried to use it to enter Yankee Stadium, but the system didn’t update with his clearance until after the game was over.
The good news: For the digitally savvy people who figure it out, using Excelsior Pass doesn’t appear to pose major privacy risks. The system, designed for the state by IBM, cannot be easily used by the state to track you. And it’s more discreet than the alternative of showing your medical records to a bouncer.
But I question how effective Excelsior Pass will be at keeping everyone safe. For one, it’s pretty easy to set up a fake pass. (Yikes, you might want to take down any vaccine selfies you posted to social media.) To stop potential fraud, you always have to show your ID along with Excelsior Pass — which is another kind of barrier that could make some people not want to use it.
As other states and even private companies work on their own vaccine passports, some of New York’s other choices also deserve scrutiny. The state hasn’t been very clear about where, and for how long, we might be required to show a vaccine passport — digital or physical. We all expect to need a passport at a border crossing, but will we eventually need a vaccine passport at Starbucks? The grocery store? Work? I found you could technically already use Excelsior Pass to scan your own dinner party guests … if they’d still call you a friend after.
At Madison Square Garden, which used Excelsior Pass for three games last week, most people still aren’t using the app — but it’s doing the job of being quick. “While the numbers are still small, they’ve nearly doubled at every game, which we expect will continue as more people become familiar with the app,” spokeswoman Kim Kearns says. “From a technology standpoint, everything has been straightforward, and worked well.”
As goes New York, so goes the nation? Here’s what we can all learn from the early days of Excelsior Pass.
How it works
Just the idea of vaccine passports is controversial — Florida’s governor issued an executive order banning them — so it’s important to be clear about how New York is and isn’t using Excelsior Pass. The state’s guidelines require theaters, major stadiums and arenas, wedding receptions and catered events to screen customers for the coronavirus. Businesses can do that by confirming either your vaccination status or that you’ve had a coronavirus test in the past 72 hours.
When you show up at one of these businesses, you can bring your physical vaccination card from the Centers for Disease Control and Prevention or a copy of a recent test result — or flash the Excelsior Pass that replaces both of those. The high-tech approach is voluntary, but providing proof of your coronavirus status to these kinds of businesses is not.
Setting up an Excelsior Pass requires a few steps. You start at the state’s website and enter your name, date of birth and Zip code. It follows up with a few questions about when, where and how you got the vaccine or a test. Then it pops up a QR code — a special kind of bar code — that contains your name, date of birth and whether you’re cleared for either reason.
You could print out your Excelsior Pass from the website, save a picture to your camera roll or add it to an app on your phone. To do the latter, you download the NYS Wallet app for Android or iPhone. The app will ask you to scan the QR code you generated on the Excelsior Pass website, and it pops up instantly.
Once you get your code, you should be set. But we experienced glitches getting to that point. My colleague Gerrit De Vynck wasn’t able to use Excelsior Pass with his rapid test results before Monday’s Yankees game. Turns out, the private test provider he chose was slow to upload results to the state database. He was still able to get into the game by showing a printout of his results.
New York says people looking for a quick turnaround should get a test from a list of providers that have committed to rapid reporting — but I’m not sure how we were supposed to know that.
For a lot of people, using Excelsior Pass is going to require trusting how it handles our privacy. It’s complicated, but New York put in some smart protections: No health information gets stored on your phone — just that QR code with your clearance status, your name and birth date. The state and IBM both say they aren’t getting any new data about you when you use Excelsior Pass. (New York already has an exhaustive database of everyone who’s gotten the vaccine or a test.)
The app does ask for access to your camera roll, to read a QR code you might have stored there when you first registered. But it doesn’t appear to collect location or other identifying information that could be used to track you.
The same applies to the separate app that businesses use to read your Excelsior Pass, called NYS Scanner. The app deletes your personal information after each scan. That means, in theory, using Excelsior Pass doesn’t leave an extra trail of personal data that could be tracked by police, immigration authorities or businesses.
The best arguments for using Excelsior Pass are that you’re less likely to accidentally misplace an important record on a little piece of paper — and you’re more likely to move quickly through line.
A balancing act
Testing Excelsior Pass, what surprised me most was how easy it is to fake.
When you first sign up for your QR code on the state website, it asks a handful of questions based on your vaccination and testing records. But after that, you’re on the honor system — you can add the QR code to any phone without any more challenge questions.
That’s far less secure than the smartphone tech millions of Americans now use to securely pay for things using Apple Pay and Google Pay. Those credit card systems require you to unlock with your face, fingerprint or passcode right before you make a payment. Why didn’t New York use Apple’s iPhone Health app, which includes more robust security protections?
Albert Fox Cahn, executive director of the nonprofit Surveillance Technology Oversight Project, told me he was able to load up a volunteer’s Excelsior Pass in about 11 minutes, using nothing more than that person’s Twitter posts and information from publicly available websites. Posting a photo of your CDC vaccination card puts it all out there.
Vaccine passports could leave us exposed to the “worst of both worlds,” says Cahn — a complicated digital system that puts up new barriers to access businesses, while not actually stopping fraudsters. “Despite its invasiveness, Excelsior Pass won’t advance the underlying public health goals it claims to support,” he says.
It isn’t clear how wide a problem vaccine passport fraud could become, or how dangerous it would be. Passports could persuade people to let down their guard about masks and other protections. Madison Square Garden, for one, says it wasn’t aware of any cases of people trying to enter the venue with an Excelsior Pass that wasn’t their own.
“To be clear, Excelsior Pass is a voluntary system that creates a digital copy of a preexisting paper record — it is not a standalone identification document,” said Kristin Devoe, a spokeswoman for Empire State Development, the umbrella organization that created Excelsior Pass. To fight fraud, New York says venues accepting Excelsior Pass are supposed to check people’s photo IDs.
But instituting new ID checks at businesses that didn’t used to require them creates new social barriers. One of my senior citizen testers told me he was too old to have a driver’s license.
New York says it tried to make Excelsior Pass more accessible by including an option to just print it out from the website — no smartphone required. But that assumes people have a printer, too.
“You need to have a translator before you can really understand the nuances of this technology,” says Noel Hidalgo, executive director of BetaNYC, a civic tech nonprofit organization. “To get the vaccine, you had to have high-speed Internet access and have time and literacy. In many ways, the Excelsior Pass is an extension of that.”
I fear vaccine passports could become something akin to the TSA PreCheck security lines at airports: A system that works to speed up life for the savvy or wealthy, yet literally leaves everyone else in the slow lane.
Cyd Harrell, a design consultant and author of “A Civic Technologist’s Practice Guide,” says more important than making a vaccine passport 100 percent fraud-proof is understanding when using it actually makes us safer, and where we already have sufficient public health protections in place. That way we can make the right choices about balancing security with access.
“How much of life is it going to exclude you from if you can’t provide the smartphone-enabled proof?” says Harrell. “And how long is this going to be in place?”
We need answers to those questions before we start bringing vaccine passports beyond stadiums to more critical parts of American life.
Read more tech reviews and advice from Geoffrey A. Fowler: