Skip Navigation

Evaluating the Privacy and Equity Concerns Posed by Digital Vaccine Credentials

There’s still much to be done to ensure privacy in vaccine verification systems.

November 18, 2021

As vaccination rates increase and vaccine mandates are implemented to reduce the spread of Covid-19 and save lives, digital vaccine credentials are the latest public health tech innovation to emerge from the pandemic. These credentials make it easier to provide proof of Covid-19 vaccination status, compared to carrying around paper cards from the Centers for Disease Control and Prevention, and may play an important role in supporting efforts to return to normalcy.

But we must ensure that privacy and equity concerns are addressed in order to maximize the adoption of digital credentials. States that choose to release digital vaccine credentials should proactively address these concerns rather than scrambling to fix them on the back end — an approach that contributed to the failure of exposure notification apps in the United States.

By way of background, digital vaccine credentials are generally app- or web-based certifications of Covid-19 vaccination status. They may also include information documenting whether someone has tested negative or recovered from Covid-19. Several digital credentials, including the Docket app used by New Jersey, Utah, and Minnesota, are designed to verify a user’s identity and health records against a government database. Some, like New York State’s Excelsior Pass and the Virginia system, also generate a scannable QR code. Others, such as NYC Covid Safe, are simply places where users can store photos of their paper CDC vaccine cards. Because the term “vaccine passport” has become somewhat contentious, some states are describing their systems as digital vaccine records instead.

So far, paper CDC cards are the only standardized, national vaccine credential. However, they can be easily damaged, lost, or forged. Digital credentials are a convenient, less destructible alternative for those with a smartphone, although they will not necessarily prevent fraud. The NYC Covid Safe app made headlines when an advocate successfully uploaded a picture of Mickey Mouse instead of his CDC card as proof of his vaccine status. Reports of false verifications being stored in New York State’s Excelsior Pass (a vulnerability that has since been patched) and security bugs allowing users to access other people’s QR codes in the Docket app (also fixed) suggest that issues related to forgery remain a problem. Thus, the question for the public and state governments to resolve is whether the convenience of supplementing the paper CDC system with digital credentials outweighs the costs, particularly when it comes to privacy.  

User privacy has emerged as a touchstone issue in the debate about digital vaccine verification, cutting across political affiliation. Citing concerns about privacy, the Biden administration chose not to develop a national vaccine passport, instead delegating the issue to individual states and localities. At least 20 states with Republican governors have chosen to limit or ban vaccine passports through executive order or legislation. While partisan politics and messaging around individual freedom appear to be the primary reason for these restrictions, privacy concerns are often cited, suggesting that elected leaders recognize that privacy is a significant concern for many users. A number of states remain undecided. Only 10 states and cities — including New York, New Jersey, Utah, CaliforniaHawaiiColorado, and Louisiana — have released digital vaccine credentials.

All vaccine credentials contain sensitive health information that must be protected against data breaches or misuse. However, the design of some digital passports raises additional privacy vulnerabilities.

For example, Illinois’s Covid-19 immunization portal asks users to provide their social security number to facilitate identity verification through Experian, which has had several high-profile data breaches. Users were sometimes asked to unfreeze their credit for 24 hours to complete the registration process (although the Illinois Department of Health says that this is no longer necessary). Requiring users to jump through hurdles like unfreezing their credit — a labor-intensive process — and asking them to provide more data than is on their paper CDC cards creates barriers to utilization. It also creates inequities for those who wish to use the app but do not have a social security number or access to credit or are worried about protecting their credit.    

In addition, in the absence of adequate safeguards, digital passports that generate scannable QR codes create opportunities for prolonged surveillance of people’s movements. For instance, New York’s Excelsior Pass does not track location, but experts have pointed out that a user’s movements could potentially be traced by the separate verification apps that businesses use to scan the pass. Monitoring every time someone’s QR code is scanned at a movie theater, sports stadium, bar, museum, gym, or restaurant (all places where proof of vaccination is now required in New York City) implicates civil liberties like freedom of association. The risk that this data might be retained and then sold to a third party or provided to law enforcement compounds these concerns. For example, digital passports or verification apps that track a user’s granular location data might become a source of marketing data for commercial advertisers or a tool to track individuals for immigration or policing purposes.

The surveillance consequences of vaccine passport tracking could disproportionately affect certain communities. Undocumented individuals, many of whom have already struggled to obtain access to the vaccine, may either avoid using the digital passports or restrict their own movements out of fear of immigration penalties.

The privacy and equity issues posed by digital vaccine credentials are likely to persist. Those states that have released digital vaccine passports currently allow for analog proof as well. It is critical that this remain the case for those that do not have a smartphone or choose not to use the digital options. A system of digital-only vaccine passports would exclude those without smartphones from economic and social opportunities. Low-income people and older individuals are less likely to have a smartphone capable of generating a QR code or supporting passport apps.

In addition, policymakers should agree upon uniform privacy standards that transcend state lines. While the General Data Protection Regulation (GDPR) sets baseline standards for protection of personal data in the EU (and efforts have been made to ensure that the EU’s Digital Green Certificate complies with these standards), the absence of a federal data privacy law in the US means that privacy protections vary by state. Moreover, because there is no national vaccine registry in the United States, unlike in other countries such as the United Kingdom, there are many different parties collecting and disseminating immunization records. The lack of standardization undermines the interoperability of those digital passports that verify signatures from health authorities. While centralization of data creates privacy vulnerabilities, particularly with respect to hackers and data breaches, decentralization does as well because diverse parties have access to sensitive health information.

In this environment, implementation of federal legal protections for vaccine passport data will foster public trust by establishing baseline privacy and security standards. There should be clear limits on data collection, retention, and sharing not only for passport developers, but also for verification apps and those businesses that scan QR codes or otherwise use the apps. The Biden administration said last spring that it would work with companies to develop national standards, but has provided little information on such efforts since.

Finally, publication of independent privacy and security assessments would go a long way in reassuring a skeptical public. At a minimum, these assessments should evaluate what data is collected by digital vaccine credentials, how it is stored, and if it is shared with any third parties. This information should be presented in a user-friendly format and reflect whether the passports comply with minimum standards. The CDC recommended similar assessments be conducted for exposure notification apps, but states generally either did not perform them or kept the results private.

Whether in digital or paper form, vaccine credentials will undoubtedly have a role to play in verifying compliance with vaccine mandates and will factor into reopening plans for states and cities. For the digital version to be successful, it is imperative that safeguards are put in place to protect user data. And for equity reasons, analog options should also always be accepted.