As vaccine passports morph into digital IDs, privacy advocates want to know that user data is protected

Vaccine passports might be clearing the runway for greater adoption of digital IDs. Privacy experts say there are still many unanswered questions.
New York State Excelsior pass (Photo by CHRIS DELMAS/AFP via Getty Images)

Tech companies and global organizations have championed health passes, sometimes known as vaccine passports, as a means to securely reopen businesses and borders as COVID-19 cases drop and vaccination rates rise.

The technology is meant to serve as a secure way to prove vaccination without someone needing to present a physical vaccine card or other documentation. For instance, instead of checking a customer’s vaccine card, a business or airline could simply scan a QR code that provides verification based on uploaded medical records.

The European Union, Israel, Japan and Singapore have all embraced vaccine passports to an extent to help reopen their borders. Several states including New York and soon California have embraced verification technology. A growing number of states, including Arizona, Florida, and Georgia have banned requiring them.

Some opponents of the technology have raised concerns that vaccine passports are an unnecessary replacement for paper, and could disadvantage individuals without access to smartphones. Others have accused companies such as IBM and Clear of being scant on details about how they’re protecting user data. 


Now, data protection experts have a new concern: a greater expansion of the technology to include other forms of digital identities that will outlast the pandemic. So-called digital IDs — a broad term for app-based tools to authenticate user identity through real-time verification, biometrics, or an existing identification form such as a license — are emerging as a means of securely verifying users’ identities without spilling their personal information.

Privacy experts worry, though, that without appropriate protections, the technologies could end up putting user data at greater risk.

IBM is now working with New York state to expand the state’s Excelsior Pass to include not just vaccine status, but also age, driver’s licenses and other personal records, according to a government contract obtained by Surveillance Technology Oversight Project (S.T.O.P.) and first reported by The New York TimesIBM isn’t alone. Clear, the maker behind Health Pass, was launched as a biometric identification system to get through airport security more quickly. Apple, which does not have a health pass, also recently introduced technology that will allow users to upload and present digital driver’s licenses in some states and to the Transportation Security Administration.

Digital IDs could act as a real-time relay between the government and an authenticator to prove that a person is who they say they are without revealing sensitive data like a Social Security number. These IDs, in theory, could go a long way to prevent identity fraud.

They could also potentially cut down on the overexposure of personal information. For instance, one could virtually sign a mortgage without having to expose a Social Security number. Instead of the reams of paper identification required for recipients of social welfare programs, participants could use a one-time verification credential. 


During the pandemic, the need to verify identity without having to physically interact has become even clearer, says Jeremy Grant, the coordinator of the Better Identity Coalition, a group pushing for new digital identification policy in the United States. Its members include Yubico, Discover, Equifax, and Microsoft among others.

“The private sector is stepping up to fill the gap that the government has left,” he said. 

But privacy experts have expressed concerns that, in absence of federal guidance or regulations, tech companies could use the pandemic to gain a foothold for versions of digital identification technology that fail to safeguard user privacy.

“A lot of these solutions presented by private companies — we’re just really just taking their word for it,” said Alexis Hancock, who is a director of engineering at the privacy advocacy group the Electronic Frontier Foundation. “It doesn’t matter how many promises the company puts out, or how often they may claim that they’re doing the safest thing. With people’s data, there’s no federal accountability.”

Instead, the technology is often wrapped up in non-disclosure agreements and proprietary patents.


“With this, we’re dealing with a proprietary database so we don’t understand how records are being kept or protected,” Albert Fox Cahn, founder and executive director of S.T.O.P, said of IBM’s technology. “It’s really to me just unconscionable that a health-related app would have fewer protections and fewer disclosures than a generic weather-related app.”

Some of those concerns could be allayed by adhering to standards set by an existing open standards body that dictate security standards and make sure technology is interoperable. Several such organizations already exist for digital identification technology, including W3C’s verified credential standard, which is used in IBM’s health pass. Credentials from open standards bodies are developed in a collaborative and transparent way, making it easier for researchers and users to evaluate the technology behind a product.

“If you’re going to have an app that plays such an important public role, the public needs to be able to know that such an app does what it says it does no more no less,” says Jay Stanley, a senior policy analyst with the ACLU’s Speech, Privacy, and Technology Project. “The only way that’s possible is if the code is transparent so experts or members of the public can look at it, read it and see what it does.”

IBM says that it already takes a number of steps to secure user data, including securing transactions with blockchain technology, which allows the company to create a unique identifier for verification that would be difficult to manipulate without leaving evidence.

Its digital health pass app connects directly with public health databases and information is stored on the user’s phone. IBM does not look at or track where the app has been used, says Eric Piscini, who leads the team for IBM’s digital health pass. IBM did not respond to follow-up questions about how it would secure any additional private information stored by the wallet.


Grant, of the Better Identity Coalition, also agreed that common standards are important in keeping user privacy protected.  Grant, who spearheaded a national strategy for online identification and management in the Obama administration, believes the government has a role in shaping those best practices.

The Biden administration has previously said that while it would not mandate a national vaccine passport, it would help provide guidelines to industry to ensure best privacy practices. The Department of Homeland Security is also exploring security standards for digital driver’s licenses to update rules for the REAL ID Act.

Without more transparency and guidance, it’s difficult to assess not just what a company is doing with data, but how well they’re securing it, Hancock noted.

“If it’s rolled out on a wide scale, companies including Apple and Google would need to consider using a specified open standard that people are able to audit,” says Hancock. “If there’s no transparency on how it’s implemented… I’m afraid that information can be leaked across databases, or can be leaked through a hack, or some sort of issue that can happen with security.”

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts