I Forged New York’s Digital Vaccine Passport in 11 Minutes Flat
It isn’t secure and it isn’t serious. It’s just more coercive theater that’s sure to fuel distrust among the already vaccine-hesitant.
Gov. Andrew Cuomo launched America’s first vaccine passport to global fanfare as a “secure” way to track health status. I forged it in 11 minutes. Not only do the security promises of New York’s Excelsior Pass fail to hold up to scrutiny, but the tracking tech raises an alarming array of public health, equity, and civil rights questions that remain unanswered.
While it is clear that the COVID-19 vaccine will save millions of lives, it’s unclear how to link vaccine status to reopening, which is the question that the Excelsior Pass, designed in partnership with IBM, is supposed to answer. Some tracking, like updated vaccine passports for international travel, are largely uncontroversial, but proposals for a vaccine door pass, used to access everything from concerts to the grocery store, have drawn quick rebukes from both sides of the aisle.
But beyond the civil liberties and equity concerns, there’s a much more fundamental critique: The technology doesn’t work. The entire justification for an electronic vaccine tracker is that it’s supposedly “secure.” But while the CDC’s flimsy “white cards” provide few protections against forgery, are the high-tech apps much better? That’s what I set out to find on Easter Sunday. I set aside the entire day for the experiment, but I was done before breakfast. After getting consent from an Excelsior Pass user, I tried to download their pass, logging into their account using nothing more than public information from social media. Eleven minutes after he gave me the greenlight, I had a copy of his blue Excelsior Pass in hand, valid for use until September.