When New York City announced on Tuesday that it would soon require people to show proof of at least one coronavirus vaccine shot to enter businesses, Mayor Bill de Blasio said the system was “simple — just show it and you’re in.”
Less simple was the privacy debate that the city reignited.
Vaccine passports, which show proof of vaccination, often in electronic form such as an app, are the bedrock of Mr. de Blasio’s plan. For months, these records — also known as health passes or digital health certificates — have been under discussion around the world as a tool to allow vaccinated people, who are less at risk from the virus, to gather safely. New York will be the first U.S. city to include these passes in a vaccine mandate, potentially setting off similar actions elsewhere.
But the mainstreaming of these credentials could also usher in an era of increased digital surveillance, privacy researchers said. That’s because vaccine passes may enable location tracking, even as there are few rules about how people’s digital vaccine data should be stored and how it can be shared. While existing privacy laws limit the sharing of information among medical providers, there is no such rule for when people upload their own data onto an app.
sends a person’s location, city name and an identifying code number to a server as soon as the user grants the software access to personal data.
passed a law limiting such use only to “serious” criminal investigations.
“One of the things that we don’t want is that we normalize surveillance in an emergency and we can’t get rid of it,” said Jon Callas, the director of technology projects at the Electronic Frontier Foundation, a digital rights group.
While such incidents are not occurring in the United States, researchers said, they already see potential for overreach. Several pointed to New York City, where proof of vaccination requirements will start on Aug. 16 and be enforced starting on Sept. 13.
For proof, people can use their paper vaccination cards, the NYC Covid Safe app or another app, the Excelsior Pass. The Excelsior Pass was developed by IBM under an estimated $17 million contract with New York State.
To obtain the pass, people upload their personal information. Under the standard version of the pass, businesses and third parties see only whether the pass is valid, along with the person’s name and date of birth.
On Wednesday, the state announced the “Excelsior Pass Plus,” which displays not only whether an individual is vaccinated, but includes more information about when and where they got their shot. Businesses scanning the Pass Plus “may be able to save or store the information contained,” according to New York State.