New York City’s Vaccine Passport Plan Renews Online Privacy Debate
When New York City announced Tuesday that it would soon require people to show proof of at least one coronavirus vaccine to enter businesses, Mayor Bill de Blasio said the system was “simple – show it and you are in it ”.
Less straightforward was the privacy debate that the city reignited.
Vaccine passports, which show proof of vaccination, often in electronic form such as an app, are the cornerstone of Mr de Blasio’s plan. For months, these records – also known as health passes or digital health certificates – have been discussed around the world as a tool for those vaccinated, less exposed to the virus, to safely assemble. New York will be the first U.S. city to include these passes in a vaccination mandate, potentially sparking similar actions elsewhere.
But incorporating those credentials could also usher in an era of heightened digital surveillance, privacy researchers said. This is because vaccine passes can allow location tracking, although there are few rules on how digital data on people’s vaccines is to be stored and how it can be shared. Although existing privacy laws restrict the sharing of information between medical providers, there is no such rule when people upload their own data to an app.
The moment recalls the months following the September 11, 2001 attacks, privacy advocates said. This was when changes in the name of national security had lasting effects, including the removal of footwear at airports and the data collection permitted by the Patriot Act.
Without current guarantees, presenting a digital vaccination passport every time people enter a public place could lead to a “global map of where people are going,” said Allie Bohm, policy adviser at the New York Civil Liberties Union. The information could be used by third parties for profit or turned over to law enforcement or immigration authorities, she said.
“How do we make sure that in 20 years we don’t say, ‘Well there was Covid, so now I have this passport on my phone which is also my driver’s license and also has all the records of health I’ve ever had and every time I go to a store I have to slip it? ‘ Ms. Bohm said.
She added that the passes could particularly disadvantage more privacy-conscious groups, including undocumented migrants. The New York Civil Liberties Union and other advocacy groups have backed legislation to prevent sharing of immunization data with law enforcement and to ensure passes do not become permanent health trackers.
Vaccine passports have been widely deployed without a national framework in the United States. President Biden has ruled out a national vaccine pass, leaving states, cities and private companies to determine if and how to have their own electronic systems to track those vaccinated.
Some companies that have developed digital vaccine passes have tried to anticipate privacy concerns. More than 200 private and public organizations recently joined the Vaccination Credential Initiative, a coalition that aims to standardize how vaccine data is recorded and protected.
Many developers have said they have taken care to ensure that passports do not exceed the limits of privacy. Clear Secure, a security company that created a health pass used by more than 60 organizations, many of which are sports venues, said its users’ health data was “treated with the utmost care” and protected by a variety of tools. Employers or sites can only see a red or green signal indicating whether a user has been vaccinated, he said.
The Commons Project, a nonprofit organization that developed a vaccination card called CommonPass, stores vaccination and test data on users’ phones and only uploads the information temporarily to a server to verify that a traveler has meets the requirements, he said. Airlines that have adopted CommonPass, including JetBlue and Lufthansa, can only see if a passenger has been cleared to travel, he said.
JP Pollak, co-founder of the Commons Project, said the group’s vaccine pass was “trustworthy” and kept user data confidential.
But while vaccine passports remain nascent, the Covid-19 contact tracing apps that were introduced earlier in the pandemic have already been used by more authoritarian countries in a way that raises questions of privacy. This gives researchers little confidence in how these vaccines might be used later.
In China, for example, a program called “reportInfoAndLocationToPolice” in the Alipay health code, used by the Chinese government to assess the health status of people, sends a person’s location, city name and a identification code number to a server as soon as the user grants the software access to personal data.
In Singapore, officials said in January that data from the country’s coronavirus contact tracing system had been used in a criminal investigation, even though executives initially said it would only be used for contact tracing. . In February, Singapore passed a law limiting this use to only “serious” criminal investigations.
“One of the things we don’t want is for us to standardize emergency surveillance and not be able to get rid of it,” said Jon Callas, director of technology projects at the Electronic Frontier. Foundation, a digital rights group.
While such incidents do not occur in the United States, the researchers said, they are already seeing potential for overshoot. Several pointed to New York City, where proof of vaccination requirements will begin on August 16 and will be applied from September 13.
As proof, people can use their paper vaccination cards, the NYC Covid Safe app, or another app, the Excelsior Pass. The Excelsior Pass was developed by IBM under an estimated $ 17 million contract with New York State.
To get the pass, people upload their personal information. In the standard version of the pass, companies and third parties only see if the pass is valid, as well as the person’s name and date of birth.
On Wednesday, the state announced the “Excelsior Pass Plus,” which not only shows whether a person is vaccinated, but includes more information about when and where they were vaccinated. Companies that scan the Pass Plus “may be able to record or store the information it contains,” according to New York State.
The Excelsior Pass also has a ‘Phase 2’, which could involve expanding the use of the app and adding more information such as personal details and other health records that could be verified by companies upon entry.
IBM said it uses blockchain technology and encryption to protect user data, but did not specify how. The company and New York State did not respond to requests for comment.
Mr de Blasio told the WNYC in April that he understood the privacy concerns with the Excelsior Pass, but believed it “would still play an important role.”
For now, some states and cities are proceeding with caution. More than a dozen states, including Arizona, Florida and Texas, have announced some sort of ban on vaccine passports in recent months. The mayors of San Francisco, Los Angeles and Seattle have also said they are suspending passport programs.
Some business groups and businesses that have adopted vaccine passes have said the privacy concerns are valid but addressable.
Airlines for America, an industry trade group, said it supports vaccine passes and pushes the federal government to set standards for confidentiality. The San Francisco Chamber of Commerce, which helps its members work with Clear, said using the tools to ensure that only vaccinated people enter stores was better than closing businesses as cases of the virus. increase.
“People’s privacy is precious,” said Rodney Fong, chairman of the chamber, but “when we talk about saving lives, the element of privacy becomes a little less important”.
#York #Citys #Vaccine #Passport #Plan #Renews #Online #Privacy #Debate