By Leslie Harris
Last month, the International Digital Accountability Council (IDAC) launched its investigation into Vaccine Passports to increase transparency about privacy practices, identify harms and practices that don’t align with app users’ reasonable expectations, and highlight best practices.
As part of our initial investigation, we performed an initial analysis into New York’s Excelsior Pass. Our results found no inappropriate data transmissions, and no personal information or unexpected permissions transmitted. The governing privacy policy on the app is clear and outlines the information collected and access permissions.
To date, Excelsior Pass has been a laudable effort due to its simple, focused and appropriate use of data to ensure COVID vaccination status for those entering public spaces during a time of community spread of the virus.
But reports that the Excelsior Pass has a second phase of development that will potentially collect other user information like “proof of age, driver’s license and other health records,” raises significant concerns about how the state will use, store and share personal data. The reported updates appear to shift the app’s purpose from addressing the immediate emergency needs to a more comprehensive digital identification strategy.
To our knowledge, the state has offered no clear purpose for this sweeping expansion of the Excelsior Pass. Before the state moves forward with a centralized database of New York residents’ sensitive personal information, it must provide a compelling reason for creating what amounts to an all-purpose government ID, precisely what privacy advocates warned against when the idea of vaccine passports was first raised.
Centralized databases of sensitive personally identifiable information are rarely a good idea as they invite data breaches and data theft. When they include health data for the residents of an entire state, it should give us pause. Whatever the rationale for the expansion of the Exelsior Pass, the design needs to be reconsidered to ensure that the app, as well as the whole program including back-end infrastructure, data processing, protocols, and supported entities, are put through a thoughtful design and oversight process.
Vaccine Apps are entering the marketplace without any agreed upon standards or guidance and it is not clear if and when any federal guidance will be forthcoming. These apps can play an important role in helping us stay safe, as we reopen the economy and begin to travel. But developers have to put privacy first.