NY’s vaccine pass is plagued with privacy failures as anyone can access someone else’s health records

Anyone can access someone else's status with just their name, date of birth and ZIP code.

New York state has been testing and deploying a Covid vaccine program for some months now, but reports suggest evidence is already mounting that the scheme is headed for failure.

The Excelsior Pass looks like it’s turning into a perfect storm of incompetence in both design and implementation, and, even though it handles sensitive medical data, one that is open to manipulation, the investigative blog The Dossier suggests.

Excelsior Pass builds on IBM’s Digital Health Pass and is developed in cooperation with the tech dinosaur. Users must have the latest version of Android or iOS to be able to install the app, which immediately rules out those with older devices.

And those who are able to download it are mostly unhappy. 100 iOS users out of the 240 who have so far left a review have “one-starred” their Excelsior Pass, complaining that it doesn’t update vaccination information even weeks after it had been validated, while offering no support.

In addition to many saying that the app simply doesn’t work, others noted that the problem requires a nationwide solution since people vaccinated out of state cannot be added to the New York database.

Then there’s the issue of the tech company behind this software, IBM, and its competency and credibility in this segment. The word “blockchain” is used to reassure users that their data is safe, but critics fear it merely disguises the lack of transparency around how this data is actually stored and handled.

It doesn’t help that New York chose IBM and its “blockchain” platform as the backbone of Excelsior Pass just as reports in February suggested that the company’s blockchain effort was a complete financial failure, missing revenue targets by 90%, while the majority of its blockchain team is now gone.

And Excelsior Pass has poor security in place, allowing anyone to check a person’s eligibility and access their Covid-related health records through the app simply by entering their name, date of birth and ZIP code.

After this, more “relatively easily obtained information” is required to verify identity, The Dossier writes. “Even if you get some questions wrong, it appears that you can go back in and answer an unlimited amount of times until you get the right combination,” said the report.