WaPo: We talked to a tech expert who faked New York's new vaccine passport in 11 minutes


In fairness, the claim in the headline comes with two big caveats. Faking the passport and gaining admission with it somewhere in New York isn’t as easy as it sounds.

But still. “Passport faked in 11 minutes” isn’t the headline restrictionists want as the country debates whether to lock unvaccinated people out of mass gatherings, right?

New York just rolled out its “Excelsior Pass” for major venues like Madison Square Garden and Yankee Stadium. How things go there will help determine how widely smaller businesses adopt the passport system for their own premises. WaPo’s tech columnist tried it out along with some friends and found that, in certain ways, the privacy protections were better than he expected. The app doesn’t store any health information on your phone and your check-in at a location is deleted afterwards (supposedly) so that authorities can’t track you based on where your passport’s been used.

Security is poor, though — at least if you’re one of those people who were foolish enough to photograph their vaccine card after getting a dose and post it on social media. Armed only with the info on the card and basic data available on public websites, an expert with whom WaPo consulted was able to virtually steal someone’s passport in the time it would take for a bathroom break at work.

> When you first sign up for your QR code on the state website, it asks a handful of questions based on your vaccination and testing records. But after that, you’re on the honor system — you can add the QR code to any phone without any more challenge questions…
>
> Albert Fox Cahn, executive director of the nonprofit Surveillance Technology Oversight Project, told me he was able to load up a volunteer’s Excelsior Pass in about 11 minutes, using nothing more than that person’s Twitter posts and information from publicly available websites. Posting a photo of your CDC vaccination card puts it all out there.
>
> Vaccine passports could leave us exposed to the “worst of both worlds,” says Cahn — a complicated digital system that puts up new barriers to access businesses, while not actually stopping fraudsters. “Despite its invasiveness, Excelsior Pass won’t advance the underlying public health goals it claims to support,” he says.

So that’s one caveat, that a passport is easy to commandeer *if* the actual owner was dumb enough to photograph identifying information and post it on the ‘Net. The other caveat is that businesses are supposed to also ask for photo ID when scanning your passport to make sure that you really are the person listed on the vaccination card. But whether businesses will do that or not is another matter. And some people, like senior citizens, may not have driver’s licenses. Ultimately that was WaPo’s big criticism of the smartphone-based passport — too many barriers to entry. Unless you’re tech-savvy enough to download the app, enter the information, and possibly even print a QR code, you might find yourself fully vaccinated yet still struggling to gain entry to somewhere you want to go.

New York has thought of that and allows alternate means of proving negative COVID status, namely, a recent negative test or just presenting the CDC vaccination card you received when you got your shots. But tests can be inaccurate. And the CDC cards can be, and are being, faked.

It’s easier to imagine New York giving up on the passports because people dislike them and they’re too much of a hassle than to imagine them catching on nationally. In fact, a Democratic governor from one of America’s reliably blue states announced this afternoon that he doesn’t want something like the Excelsior Pass in his backyard. “Our vaccine passport is getting the shot,” said Tim Walz of Minnesota when asked about the idea. Charlie Baker of Massachusetts, a liberal Republican, also sounded lukewarm about vaccine passports, dodging questions by saying it was too soon to consider such a thing. They’ll probably end up sitting back and watching how things play out in New York. If the locals there take to it, other states will phase it in. If they rebel or if it’s glitchy, no thanks.

The privacy and equity issues presented by passports have been well ventilated already but don’t overlook the economic problem they present. They’re designed to help businesses get back to normal but in practice they may backfire:

> It sounds like a way of easing coercive lockdown restrictions, but it’s the opposite. To see why, consider dining. Restaurants in most parts of the U.S. have already reopened, at limited capacity in some places. A vaccine passport would prohibit entry by potential customers who haven’t received their shots. It would restrict the freedom even of those who have: If you’re vaccinated but your spouse isn’t, forget about dining out as a couple.
>
> Planes and trains, which have continued to operate throughout the pandemic, would suddenly be off-limits to the unvaccinated. The only places where restrictions would be relatively eased would be those still fully locked down, such as many live-event venues and schools. Yet even there, the passport idea depends on keeping the underlying restrictions in place—giving officials an incentive to do so for much longer as leverage to overcome vaccine resistance.

Even blue states like New York and Michigan where cases have been rising have moved in recent weeks towards easing restrictions on businesses, knowing full well that some unvaccinated infectious people will end up visiting them. Once a passport regime is in place, those restrictions will tighten again for the unimmunized — even though most of the people around them in those businesses will be protected by virtue of their own shots. The risk of being infected by an unvaccinated person has never been lower than it is right now and it’ll keep shrinking for weeks and months to come, and yet paradoxically vaccine passports would raise rather than lower barriers to interaction during that period. Most states won’t bother with them, I think. Even Cuomo will back down if New Yorkers complain, knowing that his career’s hanging by a thread already.