Evaluating the Privacy and Equity Concerns Posed by Digital Vaccine Credentials

There’s still much to be done to ensure privacy in vaccine verification systems.

November 18, 2021

As vaccination rates increase and vaccine mandates are implemented to reduce the spread of Covid-19 and save lives, digital vaccine credentials are the latest public health tech innovation to emerge from the pandemic. These credentials make it easier to provide proof of Covid-19 vaccination status, compared to carrying around paper cards from the Centers for Disease Control and Prevention, and may play an important role in supporting efforts to return to normalcy.

But we must ensure that privacy and equity concerns are addressed in order to maximize the adoption of digital credentials. States that choose to release digital vaccine credentials should proactively address these concerns rather than scrambling to fix them on the back end — an approach that contributed to the failure of exposure notification apps in the United States.

By way of background, digital vaccine credentials are generally app- or web-based certifications of Covid-19 vaccination status. They may also include information documenting whether someone has tested negative or recovered from Covid-19. Several digital credentials, including the Docket app used by New Jersey, Utah, and Minnesota, are designed to verify a user’s identity and health records against a government database. Some, like New York State’s Excelsior Pass and the Virginia system, also generate a scannable QR code. Others, such as NYC Covid Safe, are simply places where users can store photos of their paper CDC vaccine cards. Because the term “vaccine passport” has become somewhat contentious, some states are describing their systems as digital vaccine records instead.

So far, paper CDC cards are the only standardized, national vaccine credential. However, they can be easily damaged, lost, or forged. Digital credentials are a convenient, less destructible alternative for those with a smartphone, although they will not necessarily prevent fraud. The NYC Covid Safe app made headlines when an advocate successfully uploaded a picture of Mickey Mouse instead of his CDC card as proof of his vaccine status. Reports of false verifications being stored in New York State’s Excelsior Pass (a vulnerability that has since been patched) and security bugs allowing users to access other people’s QR codes in the Docket app (also fixed) suggest that issues related to forgery remain a problem. Thus, the question for the public and state governments to resolve is whether the convenience of supplementing the paper CDC system with digital credentials outweighs the costs, particularly when it comes to privacy.

User privacy has emerged as a touchstone issue in the debate about digital vaccine verification, cutting across political affiliation. Citing concerns about privacy, the Biden administration chose not to develop a national vaccine passport, instead delegating the issue to individual states and localities. At least 20 states with Republican governors have chosen to limit or ban vaccine passports through executive order or legislation. While partisan politics and messaging around individual freedom appear to be the primary reason for these restrictions, privacy concerns are often cited, suggesting that elected leaders recognize that privacy is a significant concern for many users. A number of states remain undecided. Only 10 states and cities — including New York, New Jersey, Utah, California, Hawaii, Colorado, and Louisiana — have released digital vaccine credentials.

All vaccine credentials contain sensitive health information that must be protected against data breaches or misuse. However, the design of some digital passports raises additional privacy vulnerabilities.

For example, Illinois’s Covid-19 immunization portal asks users to provide their social security number to facilitate identity verification through Experian, which has had several high-profile data breaches. Users were sometimes asked to unfreeze their credit for 24 hours to complete the registration process (although the Illinois Department of Health says that this is no longer necessary). Requiring users to jump through hurdles like unfreezing their credit — a labor-intensive process — and asking them to provide more data than is on their paper CDC cards creates barriers to utilization. It also creates inequities for those who wish to use the app but do not have a social security number or access to credit or are worried about protecting their credit.

In addition, in the absence of adequate safeguards, digital passports that generate scannable QR codes create opportunities for prolonged surveillance of people’s movements. For instance, New York’s Excelsior Pass does not track location, but experts have pointed out that a user’s movements could potentially be traced by the separate verification apps that businesses use to scan the pass. Monitoring every time someone’s QR code is scanned at a movie theater, sports stadium, bar, museum, gym, or restaurant (all places where proof of vaccination is now required in New York City) implicates civil liberties like freedom of association. The risk that this data might be retained and then sold to a third party or provided to law enforcement compounds these concerns. For example, digital passports or verification apps that track a user’s granular location data might become a source of marketing data for commercial advertisers or a tool to track individuals for immigration or policing purposes.

The surveillance consequences of vaccine passport tracking could disproportionately affect certain communities. Undocumented individuals, many of whom have already struggled to obtain access to the vaccine, may either avoid using the digital passports or restrict their own movements out of fear of immigration penalties.

The privacy and equity issues posed by digital vaccine credentials are likely to persist. Those states that have released digital vaccine passports currently allow for analog proof as well. It is critical that this remain the case for those that do not have a smartphone or choose not to use the digital options. A system of digital-only vaccine passports would exclude those without smartphones from economic and social opportunities. Low-income people and older individuals are less likely to have a smartphone capable of generating a QR code or supporting passport apps.

In addition, policymakers should agree upon uniform privacy standards that transcend state lines. While the General Data Protection Regulation (GDPR) sets baseline standards for protection of personal data in the EU (and efforts have been made to ensure that the EU’s Digital Green Certificate complies with these standards), the absence of a federal data privacy law in the US means that privacy protections vary by state. Moreover, because there is no national vaccine registry in the United States, unlike in other countries such as the United Kingdom, there are many different parties collecting and disseminating immunization records. The lack of standardization undermines the interoperability of those digital passports that verify signatures from health authorities. While centralization of data creates privacy vulnerabilities, particularly with respect to hackers and data breaches, decentralization does as well because diverse parties have access to sensitive health information.

In this environment, implementation of federal legal protections for vaccine passport data will foster public trust by establishing baseline privacy and security standards. There should be clear limits on data collection, retention, and sharing not only for passport developers, but also for verification apps and those businesses that scan QR codes or otherwise use the apps. The Biden administration said last spring that it would work with companies to develop national standards, but has provided little information on such efforts since.

Finally, publication of independent privacy and security assessments would go a long way in reassuring a skeptical public. At a minimum, these assessments should evaluate what data is collected by digital vaccine credentials, how it is stored, and if it is shared with any third parties. This information should be presented in a user-friendly format and reflect whether the passports comply with minimum standards. The CDC recommended similar assessments be conducted for exposure notification apps, but states generally either did not perform them or kept the results private.

Whether in digital or paper form, vaccine credentials will undoubtedly have a role to play in verifying compliance with vaccine mandates and will factor into reopening plans for states and cities. For the digital version to be successful, it is imperative that safeguards are put in place to protect user data. And for equity reasons, analog options should also always be accepted.