New York City's announcement of a vaccine passport mandate rekindled the complicated debate on online privacy. Vaccine passports will increase digital surveillance.
New York City Mayor Bill de Blasio announced that businesses will soon be required to demand proof of at least one dose of a coronavirus vaccine before allowing a customer in. The requirement will be enforced from September 13.
The announcement rekindled the debate about online privacy. Vaccine passports rely on digital systems and mobile apps, which makes them susceptible to hacking and data leaks; the major concern is that the apps could be abused for digital surveillance through tracking.
Despite the privacy concerns, governments and local authorities all around the globe have been gradually adopting vaccine passports, totally ignoring the civil liberties implications. New York will be the first city in the US to implement a vaccine passport mandate. Soon, other cities or jurisdictions might follow suit.
Privacy researchers, as well as critics of vaccine passports, have pointed out that mainstreaming vaccine certification could worsen the already alarming era of digital surveillance. Through vaccine passport apps, a user's location and other data can be tracked. The fact that there are very few rules on how to store and share vaccine data makes the situation worse.
Some privacy advocates have likened the current situation to the months after 9/11. Following the terror attack, changes were made for the purpose of “national security.” But those changes, including data collection, have had long-lasting effects.
Considering the lack of safeguards on digital vaccine passport systems, their use could create a “global map of where people are going,” according to Allie Bohm, New York Civil Liberties Union's policy counsel. She added that the data that vaccine passes could potentially collect could be sold to third parties or even surrendered to law enforcement and immigration authorities.
“How do we make sure that in 20 years we're not saying, ‘Well, there was Covid, so now I've got this passport on my phone that is also my driver's license and also has every health record I've ever had and every time I go into a store I have to swipe it?’” Bohm explained.
Already, authoritarian regimes have abused contact-tracing apps.
In January, officials in Singapore said that they had used the contact-tracing system in a criminal investigation. Such stories make privacy activists worry about how COVID vaccine passes, which might remain in use long after the pandemic, could be used in the future.
“One of the things that we don't want is that we normalize surveillance in an emergency and we can't get rid of it,” said Jon Callas, of the digital rights group Electronic Frontier Foundation.
In the US, vaccine passports are being rolled out without federal guidelines. The Biden administration has said it won't launch a federal vaccine pass, but did not prohibit states, cities, and even private companies from launching their own vaccine certification systems.
The companies developing these systems insist that they have gone to great lengths to ensure the privacy of users' data. For instance, Clear Secure, a cybersecurity firm that has developed a vaccine pass used in more than 60 organizations, claims businesses do not get users' data since they only see a red or green light as proof of vaccination.
But the apps that will be used in New York City are not as discreet. The Excelsior Pass, which was developed by IBM under a $17 million contract with the state, shows the pass is valid and displays the person's name and date of birth.
The state recently announced the Excelsior Pass Plus, which will display additional information such as where the person got vaccinated. The state added that businesses scanning the new pass “may be able to save or store the information contained.”
Human rights and privacy advocacy groups, including the New York Civil Liberties Union, are supporting laws that would ensure vaccine passes do not end up being permanent health trackers and prohibit the sharing of vaccine passes' data with law enforcement.