I Forged New York’s Digital Vaccine Passport in 11 Minutes Flat
It isn’t secure and it isn’t serious. It’s just more coercive theater that’s sure to fuel distrust among the already vaccine-hesitant.
Gov. Andrew Cuomo launched America’s first vaccine passport to global fanfare as a “secure” way to track health status. I forged it in 11 minutes. Not only do the security promises of New York’s Excelsior Pass fail to hold up to scrutiny, but the tracking tech raises an alarming array of public health, equity, and civil rights questions that remain unanswered.
While it is clear that the COVID-19 vaccine will save millions of lives, it’s unclear how to link vaccine status to reopening, which is the question that the Excelsior Pass, designed in partnership with IBM, is supposed to answer. Some tracking, like updated vaccine passports for international travel, is largely uncontroversial, but proposals for a vaccine door pass, used to access everything from concerts to the grocery store, have drawn quick rebukes from both sides of the aisle.
But beyond the civil liberties and equity concerns, there’s a much more fundamental critique: The technology doesn’t work. The entire justification for an electronic vaccine tracker is that it’s supposedly “secure.” But while the CDC’s flimsy “white cards” provide few protections against forgery, are the high-tech apps much better? That’s what I set out to find on Easter Sunday. I set aside the entire day for the experiment, but I was done before breakfast. After getting consent from an Excelsior Pass user, I tried to download their pass, logging into their account using nothing more than public information from social media. Eleven minutes after he gave me the green light, I had a copy of his blue Excelsior Pass in hand, valid for use until September.
Keep in mind, I’m not some MIT-trained super-hacker; I’m a one-time philosophy major who tinkers a bit with tech on the side. The key vulnerability in Excelsior Pass isn’t found in the QR code or the app itself; it’s in the very first step of the process: proving who you are.
It turns out that it’s really hard for New York to know if you’re really the person downloading “your” pass. And even worse, the sort of biographical data they ask for is usually just a Google search away. After a couple of searches, I found where my volunteer worked, lived, and when he was born. New York asks for more than just your name and date of birth to register, but not a whole lot more. I’m not being more specific here so that this article isn’t a how-to guide, but you get the idea.
Making matters even worse, many vaccine selfies are giving away the exact details that attackers would use to steal our vaccine passport data. Going through the process, it felt like New York had built a massive, digital bank vault, but set the combination to “1-2-3-4.”
New York and IBM could add security measures to make this sort of forgery harder, but it will come at a price. The more secure the system becomes, the less accessible it will be for millions with limited computer access or proficiency.
Like temperature checks, vaccine door passes have always been a way to create the illusion of safety, not the reality. Even if the technology worked as advertised, it would still come up against a series of obstacles, including that it contradicts current CDC health guidance.
At a time when national health officials cautiously OK only limited changes in behavior for vaccinated people, New York State is taking a very different approach. Under federal guidelines, vaccinated individuals are allowed to spend time unmasked and indoors with small groups of other vaccinated people. But the CDC urges vaccinated individuals to avoid large crowds.
In contrast, New York is using Excelsior Pass to allow for in-person attendance at baseball and basketball games, at a time when we have one of the fastest-growing COVID-19 rates in the country. The COVID-19 vaccine will save countless lives, but it is not enough on its own. We still need masks, social distancing, and the countless other tools that have helped us through this pandemic so far.
While Excelsior Pass’s benefits are questionable, the cost is clear. In New York’s rush to roll out the vaccine door pass, privacy, equity, and inclusion were little more than an afterthought.
For many of us, the Excelsior Pass QR code will just be the latest addition to our digital wallets, but for the millions of New Yorkers without a smartphone, it will leave a growing part of public life walled off. The countless seniors who struggled with electronic platforms to get their vaccines will now be cut off from their communities unless they can navigate another platform to prove their vaccine status.
And for New Yorkers of all ages, Excelsior Pass’s coercion will only build distrust. Under new state opening guidelines, a growing number of restaurants and performing venues will be allowed to reopen at up to 250% more capacity if they use a system like Excelsior Pass. The pass remains “voluntary” on paper, but for many venues that capacity will make the difference between staying in business and going under. For patrons, it may be a minor inconvenience to choose a different watering hole, but staff must either download the app or lose their jobs.
Rather than promoting vaccine adoption, coercive measures like Excelsior Pass will fuel distrust among vaccine-hesitant communities. And for those who think that new surveillance will solve the problem, remember that for those who remain unpersuaded, all it will take is 11 minutes to create a pass of their own.