As a way of helping stadiums and concert halls reopen safer and faster, the state has rolled out a smartphone app that confirms whether someone has received a COVID-19 vaccine or recent negative test for the coronavirus. But one expert contends that the platform's privacy policy fails to outline how secure the app really is.

"It's really just high-tech hydroxychloroquine," Albert Fox Cahn, an attorney and founder of Surveillance Technology Oversight Project—an advocacy group ensuring privacy rights are upheld—said of the "Excelsior Pass" app.

The app officially launched Friday following a trial run involving thousands of New Yorkers testing the program. The Excelsior Pass is the first of its kind to be rolled out in the United States and allows specific sites that administer COVID vaccines or test for the coronavirus to upload the data to the app.

The app, produced by IBM in partnership with the state, functions similarly to a virtual airline boarding pass. Activating it produces a secure QR code that can then be shown and scanned by a participating business or venue using a companion app to confirm an attendee’s vaccination or recent negative test for the virus. A pass can also be printed and shown at the door. The state said other types of proof can be used at the door as a way of "reducing any barriers to usage."

So far, big venues such as Madison Square Garden in Manhattan have announced they will begin using the technology over the next few weeks, with owner James Dolan saying the app is "critical to New York's recovery." Users who don't have a smartphone can instead present physical documentation from a healthcare provider at the Garden showing they either received a vaccine or tested negative for the coronavirus.

The hope is to decrease virus transmission in large venues and even allow them to operate at greater capacity as the state's reopening moves along. In a statement, Governor Andrew Cuomo said the Excelsior Pass will allow "more sectors of the economy to reopen safely and keeping personal information secure."

The state is opening the use of the Excelsior Pass to smaller venues in the arts and entertainment business beginning April 2nd. The rollout of the app comes just weeks after the state announced that baseball stadiums can start their seasons with a limited number of fans in the stands beginning April 1st.

IBM and the state insist user data will be kept confidential thanks to the use of blockchain technology, which records public data that can then be safely stored in a variety of databases. But Cahn told Gothamist/WNYC that the fine print does not explicitly state how the data is tracked or safeguarded.

"I have more detailed technical documentation about the privacy impact of nearly every app on my phone than I do for this health pass," Cahn said. "IBM and the governor are using lots of buzzwords, but they're not explaining their cryptographic model. They're not explaining the security, implementation. And on top of it, the pass itself is incredibly revealing, disclosing not only people's health status, and name but their date of birth."

Cahn said the terms of service document lists no guarantees that the information won't be accessed by police departments or the Immigration and Customs Enforcement agency.

Cahn specifically pointed to the application's terms of service, which he said "have absolutely nothing to do with this type of app" and don't specifically cite the type of blockchain technology (public, private, consortium, or hybrid) that IBM utilizes.

"I know that it's very easy for this to come off as sort of alarmist or as over the top," Cahn said. "But, no, usually when I'm pushing back against these apps, I'm pushing back on the periphery; I'm making mild critiques. This is just like, my jaw hit the floor when I read how poorly this policy was written."

Cahn also criticized the state's use of a system requiring a smartphone, which he said creates a new form of "digital segregation" since it would exclude the millions of New Yorkers who lack a smartphone.

Neither Cuomo's office nor IBM immediately responded to a request for comment.