Review | We tested the first state vaccine passport at Yankee Stadium. Its not quite a home run.

Regardless of where you live, vaccine passports on the horizon promise to fast-track our safe return to public spaces. But only if people are able to access and trust them. And thats a big if.

With the help of New Yorkers across a range of ages, Ive been testing Excelsior Pass to see whether digital vaccine passports create more problems than they solve. Using Excelsior Pass is entirely voluntary, but it requires learning about the states system and mastering a few different websites and apps. It took me 20 minutes over Zoom to help an octogenarian set up his pass, though it was certainly simpler than mastering vaccine-appointment websites. And even when we thought we understood the system, Excelsior Pass didnt always work: My tech-reporter colleague tried to use it to enter Yankee Stadium, but the system didnt update with his clearance until after the game was over.

The good news: For the digitally savvy people who figure it out, using Excelsior Pass doesnt appear to pose major privacy risks. The system, designed for the state by IBM, cannot be easily used by the state to track you. And its more discreet than the alternative of showing your medical records to a bouncer.

But I question how effective Excelsior Pass will be at keeping everyone safe. For one, its pretty easy to set up a fake pass. (Yikes, you might want to take down any vaccine selfies you posted to social media.) To stop potential fraud, you always have to show your ID along with Excelsior Pass which is another kind of barrier that could make some people not want to use it.

As other states and even private companies work on their own vaccine passports, some of New Yorks other choices also deserve scrutiny. The state hasnt been very clear about where, and for how long, we might be required to show a vaccine passport digital or physical. We all expect to need a passport at a border crossing, but will we eventually need a vaccine passport at Starbucks? The grocery store? Work? I found you could technically already use Excelsior Pass to scan your own dinner party guests if theyd still call you a friend after.

At Madison Square Garden, which used Excelsior Pass for three games last week, most people still arent using the app but its doing the job of being quick. While the numbers are still small, theyve nearly doubled at every game, which we expect will continue as more people become familiar with the app, says spokeswoman Kim Kearns. From a technology standpoint, everything has been straightforward, and worked well.

As goes New York, so goes the nation? Heres what we can all learn from the early days of Excelsior Pass.

Proof of vaccination to travel or attend school is not new, but the coronavirus has introduced a potential need to modernize outdated paper standards. (Jonathan Baran/The Washington Post)

How it works

Just the idea of vaccine passports is controversial Floridas governor issued an executive order banning them so its important to be clear about how New York is and isnt using Excelsior Pass. The states guidelines require theaters, major stadiums and arenas, wedding receptions and catered events to screen customers for the coronavirus. Businesses can do that by confirming either your vaccination status or that youve had a coronavirus test in the past 72 hours.

When you show up at one of these businesses, you can bring your physical vaccination card from the Centers for Disease Control and Prevention or a copy of a recent test result or flash the Excelsior Pass that replaces both of those. The high-tech approach is voluntary, but providing proof of your coronavirus status to these kinds of businesses is not.

Setting up an Excelsior Pass requires a few steps. You start at the states website and enter your name, date of birth and Zip code. It follows up with a few questions about when, where and how you got the vaccine or a test. Then it pops up a QR code a special kind of bar code that contains your name, date of birth and whether youre cleared for either reason.

You could print out your Excelsior Pass from the website, save a picture to your camera roll or add it to an app on your phone. To do the latter, you download the NYS Wallet app for Android or iPhone. The app will ask you to scan the QR code you generated on the Excelsior Pass website, and it pops up instantly.

Once you get your code, you should be set. But we experienced glitches getting to that point. My colleague Gerrit De Vynck wasnt able to use Excelsior Pass with his rapid test results before Mondays Yankees game. Turns out, the private test provider he chose was slow to upload results to the state database. He was still able to get into the game by showing a printout of his results.

New York says people looking for a quick turnaround should get a test from a list of providers that have committed to rapid reporting but Im not sure how we were supposed to know that.

For a lot of people, using Excelsior Pass is going to require trusting how it handles our privacy. Its complicated, but New York put in some smart protections: No health information gets stored on your phone just that QR code with your clearance status, your name and birth date. The state and IBM both say they arent getting any new data about you when you use Excelsior Pass. (New York already has an exhaustive database of everyone whos gotten the vaccine or a test.)

The app does ask for access to your camera roll, to read a QR code you might have stored there when you first registered. But it doesnt appear to collect location or other identifying information that could be used to track you.

The same applies to the separate app that businesses use to read your Excelsior Pass, called NYS Scanner. The app deletes your personal information after each scan. That means, in theory, using Excelsior Pass doesnt leave an extra trail of personal data that could be tracked by police, immigration authorities or businesses.

The best arguments for using Excelsior Pass are that youre less likely to accidentally misplace an important record on a little piece of paper and youre more likely to move quickly through line.

A balancing act

Testing Excelsior Pass, what surprised me most was how easy it is to fake.

When you first sign up for your QR code on the state website, it asks a handful of questions based on your vaccination and testing records. But after that, youre on the honor system you can add the QR code to any phone without any more challenge questions.

Thats far less secure than the smartphone tech millions of Americans now use to securely pay for things using Apple Pay and Google Pay. Those credit card systems require you to unlock with your face, fingerprint or passcode right before you make a payment. Why didnt New York use Apples iPhone Health app, which includes more robust security protections?

Albert Fox Cahn, executive director of the nonprofit Surveillance Technology Oversight Project, told me he was able to load up a volunteers Excelsior Pass in about 11 minutes, using nothing more than that persons Twitter posts and information from publicly available websites. Posting a photo of your CDC vaccination card puts it all out there.

Vaccine passports could leave us exposed to the worst of both worlds, says Cahn a complicated digital system that puts up new barriers to access businesses, while not actually stopping fraudsters. Despite its invasiveness, Excelsior Pass wont advance the underlying public health goals it claims to support, he says.

Its not clear how wide a problem vaccine passport fraud could become, or how dangerous it would be. Passports could persuade people to let down their guard about masks and other protections. Madison Square Garden, for one, says it wasnt aware of any cases of people trying to enter the venue with an Excelsior Pass that wasnt their own.

To fight fraud, New York says venues accepting Excelsior Pass are supposed to check peoples photo IDs. But instituting new ID checks at businesses that didnt used to require them creates new social barriers. One of my senior citizen testers told me he was too old to have a drivers license.

New York says it tried to make Excelsior Pass more accessible by including an option to just print it out from the website no smartphone required. But that assumes people have a printer, too.

You need to have a translator before you can really understand the nuances of this technology, says Noel Hidalgo, executive director of BetaNYC, a civic tech nonprofit organization. To get the vaccine, you had to have high-speed Internet access and have time and literacy. In many ways, the Excelsior Pass is an extension of that.

I fear vaccine passports could become something akin to the TSA PreCheck security lines at airports: A system that works to speed up life for the savvy or wealthy, yet literally leaves everyone else in the slow lane.

Cyd Harrell, a design consultant and author of A Civic Technologists Practice Guide, says more important than making a vaccine passport 100 percent fraud-proof is understanding when using it actually makes us safer, and where we already have sufficient public health protections in place. That way we can make the right choices about balancing security with access.

How much of life is it going to exclude you from if you cant provide the smartphone-enabled proof? says Harrell. And how long is this going to be in place?

We need answers to those questions before we start bringing vaccine passports beyond stadiums to more critical parts of American life.

Read more tech reviews and advice from Geoffrey A. Fowler:

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *