Norton Labs | 14 Min Read

Everything You Wanted to Know About Vaccine Passports

... But Were Afraid to Ask

Vaccine passports, sometimes called digital vaccination certificates, are digital proof a person was vaccinated against COVID-19. Since their introduction, they have been controversial, rightly raising questions about privacy, security, and ethics in technology. The terminology has also been needlessly confusing, raising basic questions about how vaccine passports work. We hope to answer all the questions you have about vaccine passports but were too afraid to ask.  

What is a Vaccine Passport? 

Vaccine passports are a way to securely check whether someone has been vaccinated against COVID-19, clearing that person to engage in a higher-risk activity. These activities can include international travel, but also spectator events in high-capacity venues like concert halls or sports arenas. 

Despite the name, vaccine passports are not intended to exist within, or replace, traditional passports. Instead, developers of vaccine passports imagine them as a digital version of the World Health Organization’s “Yellow Card,” which is a straightforward paper vaccination record (see below). Some countries, such as Belize, have for decades required travelers to prove they are vaccinated against yellow fever before entering the country.

Figure 1: WHO "Yellow Card" – a simple paper form with hand-written signatures for vaccination status. The paper is tough and yellow, thus earning it the nickname.

COVID-19 vaccination paper records can look similar to the ones below. 

Figure 2: US COVID-19 vaccination record. These are often hand-written and lack any security features to prevent counterfeiting.
Figure 3: Compare - a Canadian COVID-19 vaccination record. This piece of paper contains no security features.
Figure 4: German proof of vaccination. Note the paper design and handwritten features.

They are often handwritten and don’t have security features, making them easy to counterfeit. In fact, there have been numerous cases of counterfeit paper cards already being used. You can buy a 10-pack of CDC blank vaccination cards on Amazon for $22. 

An example of counterfeit CDC vaccine cards sold on Amazon.

Many countries have similar paper documents signaling a person has been fully vaccinated. These documents are in a country’s native language and may be difficult for officials at border crossings to understand.  

Finally, these pieces of paper are vulnerable to being lost, stolen, or damaged.

Vaccine passports seek to resolve these problems by making the proof of vaccination status: 

  • Portable and digital to avoid loss or damage, and for convenience. 
  • Standardized, to allow portability and transferability between countries. 
  • Secure, to prevent counterfeiting.

What are the Potential Downsides of Vaccine Passports? 

Regarding a person’s COVID-19 status, vaccine passports facilitate simple yes or no answers: Has the person recently tested negative? Have they been vaccinated? Have they previously recovered from COVID-19, granting them temporary immunity? However, they can be developed in multiple ways, raising questions about health data privacy and security. It’s important to learn from the lessons and mistakes of early adopters to gain a better sense of the benefits and pitfalls of this new technology.

To fulfill their purpose, vaccine passports interact with systems that may contain vast amounts of health data. Some of this data collection occurs in countries without strong privacy regulations. Privacy regulations restrict what is collected, who can access the data, and how it can be accessed.  

Schemes for issuing vaccine passports rely on accurate data. Globally, thousands of health care workers have administered 4.88 billion COVID-19 vaccine doses (as of August 19, 2021).  This was a herculean effort, and one which despite best efforts has surely led to errors and omissions. Unfortunately, and as discussed below in the New York case study, such data inconsistencies can disrupt the rollout of vaccine passports. 

While the use of vaccine passports is still developing and remains voluntary in many places, the expectation is that they will be used to allow only those presumed COVID-free into a destination, venue or mass transit vehicle. But if vaccine passports can be forged or the process of obtaining one can be circumvented, these passports have little or no value.

Vaccine Passports in Europe 

The European Union (EU) has undertaken the most ambitious governmental effort at developing vaccine passports by far. As of July 1, the EU has standardized around “The EU Digital COVID Certificate." This regulation defines a vaccine passport that is free and presented in English and an EU member nation’s national language. It records proof of vaccination, a negative COVID-19 test, or that the bearer has recovered from COVID-19. In addition to defining the passports, the EU provides the technology connecting all the participating nations’ systems together, so the digital certificates can be validated. 

The EU Digital Certificate program serves as a blueprint for making the entire system work and assists participating nations in creating compatible apps. The primary purpose is to exempt vaccinated travelers from travel restrictions such as quarantines. Additional uses, such as allowing people to dine at restaurants or attend sporting or music events, are still being evaluated. 

Figure 5: The European Union’s Digital Covid Certificate
Figure 6: The NHS COVID-19 app

Note that using the EU’s Digital Certificate program is not foolproof either. Early versions of the UK’s implementation were plagued by code bugs, allowing anyone to forge a negative COVID test by entering a fictitious testing kit number. These bugs have since been fixed. 

Vaccine Passports in the United States 

Vaccine passports in the United States exist as a mosaic of private and public technologies. A complex patchwork of state laws and Governors’ executive orders creates a different situation in each state. Much like the independent European nations, each U.S. state maintains vaccine administration data independently.  

But unlike nations with nationalized health care and nationalized health records, Americans’ health records are distributed among thousands of medical systems. To address this issue, each state maintains its own vaccine administration data (not only how many doses are administered but to whom). For example, in Illinois this data is tracked in the I-CARE system and in Missouri this data is tracked in the ShowMeVax system. However, many people were vaccinated outside their home state or at sites operated by the U.S. government, so their data is missing from these tracking systems.

Twenty U.S. states have enacted some form of prohibition on vaccine passports while only California, Oregon, Hawaii, and New York have rolled out vaccine passports (as of August 16, 2021).  As a result, there are no interstate digital mechanisms to validate vaccination status, testing status, or having recovered from COVID-19. As incidents of forged vaccine cards continue to be reported, relying on them as proof of vaccine status may be dubious.

Case Studies 

Case Study #1: Denmark’s “Coronapas” 

The government of Denmark created an app to allow its citizens to visit zoos, theme parks, museums, and sports stadiums. This app, Coronapas, works like the Israeli Ramzor app (described in Case Study #2), but it also displays whether someone has recovered from the virus to comply with the EU Digital Covid Certificate requirements. These results can be shown via either a QR code through the app or a paper version with a QR code.  

As with Ramzor, Denmark’s app syncs with the Danish national health care system to get its data. When Danes receive their first COVID-19 vaccination dose or recent negative test, they present their Danish civil registration number (CPR). Their results are then uploaded to their account on the national healthcare portal. The app then automatically fetches those results. Vaccine status becomes valid two weeks after a full vaccination. 

To protect user privacy, Coronapas only contains information about whether a person is fully vaccinated, and not their entire testing or vaccination history.

The app is compatible with the EU’s standard on vaccination certificates – Digital Covid Certificate – which is currently valid in 25 countries: Austria, Belgium, Bulgaria, Croatia, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Latvia, Lithuania, Netherlands, Norway, Poland, Portugal, Romania, Spain, Slovenia, Sweden, and Switzerland. The standard is expected to be valid in all EU countries by the end of summer.  

Figure 7: Denmark's MinSundhed app – an early version of Coronapas

Case Study #2: Israel’s “Green Pass”

Israel has one of the highest per-capita vaccination rates in the world. Around 63% of Israelis are fully vaccinated (as of Aug. 19, 2021). As such, Israel rolled out the Ramzor app in February 2021 to enable fully vaccinated people to dine at restaurants, attend some events, and enter certain businesses.

Citizens download the app and enter their national identification number. The app then syncs vaccination information and recent COVID-19 tests from the national health service. Adults who received their vaccination and waited two weeks, along with children 16 and younger with a negative PCR test within the past 72 hours, receive a “Green Pass.” Users can then display a QR code, together with their ID, when they want to enter a space.

Figure 9: Early version of Israel's Green Pass app, displaying a background animation as an additional security feature
Figure 10: Later version of Israel's Green Pass app, using a QR code
Figure 11: Early versions of the Israeli Green Pass app were vulnerable to counterfeit

The Ramzor app was plagued with both technical and non-technical problems from the beginning and was ultimately discontinued in June 2021. Initially, no QR code was used, and the app relied on a background animation for security. Once a QR code was introduced, its implementation did not match the specifications, which made it possible for people to forge a valid QR code (and fake a vaccination status). The Israeli government’s decision to keep the app closed-source and not have a public source code audit likely contributed to these problems – security researchers at the University of Haifa easily reverse-engineered the app and found a range of easily preventable security problems including using outdated cryptographic libraries. 

On the nontechnical side, the app was not initially available to people whose phones were registered in app stores outside of Israel, such as foreign workers and students. Additionally, the app was slow and required huge amounts of memory, which meant it would not run properly on older smartphones. This flaw created an issue for people of comparatively lower incomes.  

Lastly, Israel’s high per-capita vaccination rates mask inequities when comparing the vaccination rate of Israeli and Palestinian populations. Until early March of 2021, Palestinians in the West Bank weren’t given access to COVID-19 vaccines, while many Israelis had access as early as February. This disparity of access resulted in delaying access to facilities such as gyms and restaurants for Palestinians, thereby exacerbating existing inequalities.  

Case Study #3: New York’s “Excelsior Pass” 

In collaboration with IBM, the state of New York created Excelsior Pass to allow New Yorkers to visit sporting events, high-cost entertainment, and gyms. Users of Excelsior Pass register on a website by supplying some personal information and verifying their identity by choosing from a list of dates when they received a vaccination dose or COVID-19 test. After completing their registration, those who are fully vaccinated receive a vaccine pass for 180 days and those who received a negative PCR test receive a pass for 72 hours. Users can then present their printed QR code or the code displayed in the Excelsior Pass app, along with their ID, to enter Yankee Stadium or Union Hall.

Figure 12: Excelsior Pass and a proprietary scanner app

Somewhat like the Ramzor app, Excelsior Pass suffers from nontechnical concerns along with privacy issues. Unlike apps implemented using the EU standard, Excelsior Pass doesn’t publish a detailed privacy policy and relies on a proprietary data standard from IBM. The lack of transparency has raised concerns about how the data might be used and who it may be shared with. As inequities of the COVID-19 pandemic are highlighted by disparate impacts to communities of color, that Excelsior Pass was initially useful exclusively for expensive entertainment only exacerbates the many impacts of the pandemic, including ongoing economic harms. 

When applying for Excelsior Pass, applicants must pass a knowledge-based identity check by selecting their correct vaccination date from multiple choices. New Yorkers may have been vaccinated in a neighboring state or at a site run by the U.S. government, or their data may simply have been improperly entered. Regardless of the reason, applicants sometimes find themselves unable to proceed through this step of the application due to data inconsistencies. Though many have been warned not to post pictures of their unredacted vaccination cards, the authentication scheme used during the Excelsior Pass application process can be defeated with such a picture. While matching an Excelsior Pass to a government-issued ID is part of the protocol in accepting one, it is often unenforced.

Conclusion 

Vaccine passports are being rapidly deployed throughout the world. It is vital that we understand the benefits and pitfalls of this new technology to know what questions to ask when it appears in our neighborhood. We can learn many lessons from the early failures of Israel’s Green Pass, as well as the relative success of Denmark’s Coronapas. They show us that it’s vital for the standards and the code to be public. When these criteria are not met, we find significant security and privacy issues, such as those found in Israel’s Green Pass.

It is also important to remember that technical decisions can have unintended real-world consequences, in particular on equality of access. Building apps that run well both on older and newer phones, as well as offering a paper option, can help to address these challenges. 


About the Author

Daniel Kats

Senior Principal Researcher

Daniel earned his Masters at the University of Toronto Systems & Networking Group. His research involves building machine learning systems for security, and the subtle impact of those systems on the people who use them.

About the Author

Jeff Nathan

Technical Director, Norton Protection Labs

Jeff is a member of the NortonLifeLock Protection Labs. His work focuses on information security to discover and improve offensive techniques, develop defenses, automation, data mining, and research strategy.
