SAN FRANCISCO — Coming soon to your smartphone: Digital codes that afford you access to airplanes, concert venues and even restaurants.
Vaccine passports are new apps that will carry pieces of your health information — most critically your coronavirus vaccination status. They may soon be required to travel internationally or even to enter some buildings.
But a growing list of tech companies, governments and open-source software groups are all attempting to tackle the problem, prompting some concerns about a lack of a standard approach that would make it possible to carry around just one pass. Plus, apps would need to pull and verify your vaccination records in an easy, safe and controlled format. And wide adoption would require the majority of countries, airlines and businesses to agree on one (or two or three) accepted standards.
It’s a technical headache that is becoming only more urgent as more people get vaccinated and businesses and borders begin to reopen.
Several different organizations developing apps and tapping into government databases acknowledge how critical a common standard is. Still, many different groups are all racing to create that standard, with some overlap.
“When you think about standards, we should have one, but we have at least five organizations coming up with standards,” said Eric Piscini, the team lead for IBM’s digital health pass. “We are working with all five and will be compatible with all five.”
The Biden administration is working with companies to develop a standard way of handling the passports — or certificates, credentials or health passes, as the industry would prefer they be called — The Washington Post reported this week.
How do vaccine passport apps actually work?
The idea is that you will be able to carry a QR code on your phone, likely within a digital wallet app, that can be scanned by airlines or venues and give you the green light to enter. The code should contain only relevant information — in most cases, just a confirmation that you have been vaccinated with an approved vaccine within a valid time frame. It is scanned, and voilà, you are in.
State public health agencies have this information. So does the pharmacy or health system where you receive a vaccine. In order for you to get a vaccine passport on your phone, you have to first access that information, verify your identity and download it in some way. Then, the apps need to create a code that can tell others that you are vaccinated.
IBM, which debuted the Excelsior app with New York state this month, created a portal within an app that directs people to sign into a New York database. There, you enter your name, date of birth and vaccination date and receive a QR code to download. That stays in an app in your phone.
To verify the code, another app has to scan it upon entry.
The CommonPass app, a digital wallet created by the Commons Project, partnered with airport security clearance company CLEAR to speed up vaccination verification at airports.
“What the health pass apps do, including CommonPass app, is evaluate your underlying health information against some set of rules,” said JP Pollak, co-founder of the Commons Project.
For example, instead of exchanging actual data, the app would look for whether the record your app holds meets the standards of the specific entry requirements on the verifier’s side. Some will require more information — the Excelsior app displays your name, date of birth and the verification, so businesses will likely need to check it against an ID.
“The idea is that verifiers will have a relationship with the Commons Project and will trust that the Commons Project is sort of interpreting information against guidelines and being correct,” Pollak added.
How is my data secured?
This is a huge concern for developers and users of the app — after all, we are dealing with personal health information here, data that people rightfully want protected. And tech companies have not always been the most responsible with people’s information, so developers also have to overcome a trust void.
Perhaps because of this, many developers of the apps and wallets are trying to make your information accessible to as few people as possible.
IBM’s app with New York allows people to connect directly to a public health database and save their information onto their phones. IBM can’t see that information, Piscini said.
“Most of the time, when we work with these employers, they do not want to see the information,” Piscini said of verifiers. “What they do is check against blockchain, and say ‘green, you can go,’ and that’s all they want to do.”
IBM is using a blockchain, or a digital ledger that stores information at many different points rather than one central spot. The app creates a hash — or a copy represented only by a unique set of numbers and letters — to store on the blockchain. Verifiers then connect to the blockchain to be able to confirm QR codes.
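The hash-on-a-ledger check described above, as an added illustration (not IBM's code or format; the JSON payload layout, the per-pass random salt and the in-memory set standing in for the blockchain are all assumptions). It shows that an altered pass fails verification while an exact copy still passes, which is why the holder's ID still has to be checked.

```python
import hashlib
import json
import secrets


def canonical(payload: dict) -> bytes:
    # Stable byte encoding so issuer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue(record: dict, ledger: set) -> str:
    """Issuer side: the QR text carries record + salt; the ledger gets only the digest."""
    # Assumed random salt: name/date-of-birth values are guessable, so an
    # unsalted digest on a public ledger could be matched by brute force.
    payload = {"record": record, "salt": secrets.token_hex(16)}
    ledger.add(hashlib.sha256(canonical(payload)).hexdigest())
    return json.dumps(payload)


def verify(qr_text: str, ledger: set) -> bool:
    """Verifier side: recompute the digest from the scanned text and look it up."""
    try:
        payload = json.loads(qr_text)
    except ValueError:
        return False
    if not isinstance(payload, dict) or payload.keys() != {"record", "salt"}:
        return False
    return hashlib.sha256(canonical(payload)).hexdigest() in ledger


def demo() -> dict:
    ledger = set()  # stand-in for the shared ledger; holds digests only
    # Constructed sample record, not real data.
    record = {"name": "Alex Example", "dob": "1980-01-01", "vaccinated": "2021-03-15"}
    qr = issue(record, ledger)
    tampered = qr.replace("Alex Example", "Sam Example")
    return {
        "genuine": verify(qr, ledger),
        "tampered": verify(tampered, ledger),   # edited name -> digest mismatch
        "copied": verify(str(qr), ledger),      # exact copy is indistinguishable
        "malformed": verify("not json", ledger),
        "ledger_leaks_name": any("Alex" in d for d in ledger),
    }


if __name__ == "__main__":
    print(demo())
```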
CommonPass also says it does not store your personal health information but instead creates a verification pass that can be shared for entry. It briefly sends your information to a server, where the health credential is created, but never stores the information, Pollak said.
“The model that we arrived at is essentially that data only ever lives at the original source,” he said. “So at the place you were vaccinated and then on your device.”
Will I need to have different passes to get into different places?
At the beginning, probably. This is one of the most significant challenges developers are facing — there are dozens of public health vaccination databases in the United States, not to mention hundreds of health systems, pharmacies and more. The most efficient way to create a broad vaccine passport would be to pull from data sources in a uniform way, and put them into a similar format on everyone’s phones.
But to do this, there needs to be a standard protocol. One organization working on this, the Vaccine Credential Initiative (VCI), includes more than 300 organizations including Microsoft, the Mayo Clinic, Cerner, Epic, the Commons Project and more. The organization is trying to get health organizations, including major electronic medical records companies, to adopt a standard known as smart health cards.
It’s a signed version of your health records, Pollak said, that could be downloaded and then shared with a health app or wallet of your choice. VCI said this week that its implementation guides for vaccine credentials will be widely available in May.
Another consortium, the Good Health Pass Collaborative, hopes to release specifications in June, said Brian Behlendorf, general manager of blockchain, health care and identity at the Linux Foundation, a large consortium of technology companies. The foundation’s public health arm is working with Good Health Pass to create the specifications.
Health credentials should belong to individuals, not companies, Behlendorf said.
“It should work like email, where you have control,” he said. “If you switch providers you should be able to take it. It’s still yours, it’s your sense of ownership of it.”
With no common standard, the U.S. could end up with a patchwork of apps that require you to log in and recreate vaccine verification codes at different businesses and entry points.
What if I don’t want to use an app?
For people who don’t have a smartphone, don’t easily have access to the Internet or prefer not to use an app, passes will still be available in paper form. Several organizations working on creating digital passes are also making sure the QR codes can be printed out or obtained in person.
Paper vaccination cards have been issued by health organizations for travel and other uses for decades. Why do we need digital versions now?
Developers point to the increased digitization of everything in society — many people prefer using their phones over paper documents. But developers also say that digital passports will make verifying vaccination records faster and more secure. A digital record is harder to lose, and it may be harder to create a fake copy of one.
Gartner analyst Donna Medeiros pointed to the need for long lines of people, perhaps at airports, to carry similar passes so they can all be scanned using the same machine.
“It’s going to speed up our process to have health passports overall,” she said.
Jenny Wanger, director of programs at the Linux Foundation Public Health, compared the issue to showing a bouncer at a bar a driver’s license. All the bouncer needs to see is that you are over 21 years old, and your picture matches. But they also get to see your address, weight and other identifying information.
With a digital option, Wanger said, the idea is that people will get to pick and choose what they show each entity, depending on the entrance requirements.
But digital records can also be faked. Israel’s Green Pass, one of the world’s first digital coronavirus vaccination passes to launch, faced hurdles in February when cybersecurity experts pointed out the passes could be copied and a market for counterfeit passes popped up online, according to the Times of Israel. The government said it would secure the passes and issue updated versions.
Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, says that while the application can “absolutely be made in a secure way” there will always be one weak point the hacker could exploit: the user. Without a central way to verify the phone user’s identity in real time, there’s always a chance that someone could have fraudulently obtained a vaccine pass through identity theft or other means.
He added that passes would be secure once they are in a digital wallet.
“If you’re looking to do sort of the bare minimum, which might be required for legal and liability purposes to get people into a sporting event, this is probably enough,” he said. “But is it going to be a foolproof system or a hacker-proof system or a system that is impossible to penetrate with forgeries? Absolutely not.”
How widespread will these be?
It’s unclear how prevalent it will be to require a vaccine passport for entry, or how long-lasting the trend will become. But the initial interest from governments, airlines and even some private venues shows no sign of abating.
Travelers to some countries are already using vaccine passports, and Madison Square Garden said it will try out New York’s app.
Still, there was a lot of initial interest for tech to get involved in contact tracing at the beginning of the pandemic. Apple and Google created protocols for the practice, but it was only used in a patchwork manner in a few states.
“We had a big thing around contact tracing and I really like the system we built — but no one used it,” said Matt Green, a cryptography and security expert who is an associate professor at the Johns Hopkins Information Security Institute. “I’m a little skeptical.”
That’s part of the reason many industry groups hope the federal government gets involved and issues guidelines for vaccine passports. They are also trying to tiptoe around the increasing politicization of vaccine passports.
“This technology is coming down the line no matter what, and there is a right way and a wrong way to do it and we want to make sure it’s done the right way,” Wanger said.
The Washington Post’s Tonya Riley and Geoffrey A. Fowler contributed to this report.