Cuomo’s Covid-19 Vaccine Passport Leaves Users Clueless About Privacy

A New York state system for proving that you’ve been vaccinated uses overhyped blockchain technology — and leaves many privacy questions unanswered.


Technology firms are leaping at the chance to use the Covid-19 pandemic to ply dubious products, from useless thermal cameras to creepy tracking collars. The latest comes courtesy of New York Gov. Andrew Cuomo, who entered the state into a partnership with IBM to put citizens’ Covid-19 vaccine and test data on perhaps the most over-hyped technology of all: blockchain.

State officials are providing virtually no details on the high-tech coronavirus “health passport” system, raising troubling privacy questions. Furthermore, the use of blockchain technology appears completely nonsensical, lending the distinct impression that the project — trumpeted amid a series of sexual harassment allegations against the governor — is as much about generating much-needed positive buzz for him as solving real problems.

Cuomo’s office announced on March 2 that testing had begun on the joint IBM system, known as Excelsior Pass. The “pass” itself is a smartphone app that displays a QR code to be scanned before entering an indoor business or other public gathering place; when verified by another device, it attests that the bearer has been vaccinated against Covid-19 or received a recent negative test result. The idea is to offer streamlined access to indoor businesses as they begin to reopen, similar to plans in other parts of the country and throughout the world.

What sets Cuomo’s approach apart is that the data behind the Excelsior Pass lives atop a blockchain, the software technology behind Bitcoin and other digital currencies. A blockchain is essentially just a widely distributed list of data whose contents are verifiable as genuine using cryptography (essentially, complex math). Blockchains are typically public, their contents transparent to anyone with an internet connection, but the one behind Excelsior Pass will be private, meaning only parties sanctioned by IBM will be able to check the contents.

On paper, such a system would let people — at least those who can afford smartphones — move more freely in their communities while giving businesses and other public spaces greater confidence that they aren’t hosting a superspreader event. Cuomo’s office claimed that Excelsior Pass enjoyed a “successful” test run at a recent Brooklyn Nets game and would soon be used at Madison Square Garden.

But the governor’s office and IBM, neither of which provided comment for this article, have been stingy with details, like how exactly the app works behind the scenes or why New Yorkers should trust this software with their sensitive health information. The answer to both of these questions is simply: blockchain. The press release from Cuomo’s office assures users that “robust privacy protections are woven throughout the digital health pass solution” without giving any details whatsoever as to what these protections are or what might make them robust. IBM’s public material about the system is similarly devoid of specifics.

“Gov. Cuomo gave us screenshots of the user interface, but he never even published a privacy policy,” said Albert Fox Cahn, executive director of the New York-based Surveillance Technology Oversight Project. “We have no idea how this data can be tracked and if it’s accessible to police.”



To be clear, criticism of the health passport app is not aimed at the separate process of actually getting tested and vaccinated; the concerns, instead, are around the high-tech system rapidly assembled to prove that such testing and vaccination has occurred. Hopefully issues with the latter don’t prevent people from participating in the former.

Cahn said the hype around Excelsior Pass’s use of blockchain technology serves to further obfuscate the inner workings of what’s supposed to be a vital Covid-19 response tool. “Blockchain” has become an industry buzzword par excellence. Owing to the fact that the underlying math behind these software ledgers is extremely complex, stamping an otherwise unimpressive or outright bogus product with the word “blockchain” has become a surefire way to trick gullible investors into believing you’re a tech visionary, and its meaning has been diluted toward nothingness, proliferating a whole subindustry of “blockchain-powered” nonsense. Herein lies one of blockchain’s greatest strengths: Rather than answer hard questions about trust and security, IBM and Cuomo can simply repeat the word “blockchain” again and again until skeptics are worn out.

There are cases in which using a tamper-proof blockchain to store and share data might make a great deal of sense, like keeping a running list of the sorts of transactions people tend to argue over, such as legal contracts, or, in the case of a cryptocurrency like Bitcoin, who paid who how much and when. Rather than relying on the integrity of Visa or Bank of America to keep track of these things, blockchains are supposed to rely on “consensus,” meaning that all the many computers participating in the network constantly work together to verify the ledger’s contents and agree on the master version, coming to an agreement that doesn’t require the sign-off of a central authority or leader.


But in the case of Excelsior Pass, it’s unclear what purpose the technology serves, especially given that public health strategy against a pandemic inherently requires trust in centralized institutions (in this case, medical authorities and the state of New York).

“There is zero reason for blockchain to be involved in this problem,” said Matthew Green, an associate professor of cryptography at Johns Hopkins University and the creator of Zerocash, a software protocol designed to improve the privacy of the Bitcoin blockchain. “Blockchain solves a very specific problem around not trusting people, and the problem with this vaccine stuff is you do trust people; you have to trust the data being entered into the blockchain is an actual trusted reflection of who’s vaccinated or not.”

To deploy a Covid-19 response app requires “a lot of policy thinking, it requires a lot of hard software and user experience work, and all of those problems have nothing to do with blockchain,” Green added.

That’s true. For example, there’s the question of how to help the 1 in 5 Americans who do not have a smartphone or even access to one and are thus presumably shut out of Excelsior Pass. As Cahn said, “I’m terrified that vaccine passports will transform health care inequity into digitized segregation.”

As Green put it, “The minute you add blockchain to it, you’ve left the zone of ‘We are thinking seriously about the hard problems’ and gone into ‘We have a solution to sell someone.’” Instead of using the blockchain, New York state could simply put its vaccine passport information on a web server, ready for conversion into QR codes via the smartphone app, he added. Then it could get down to the work of addressing issues around access and privacy.


Documents on IBM’s website don’t provide much insight into how or why the company turned to blockchain technology for this application or how its opaque take on a blockchain really functions. One blog post about Excelsior Pass claims that “trust in the data exchanged is achieved through a distributed ledger,” that is, a blockchain “with strict governance practices and verification of signatures.” It features a cartoon of a woman on a floating block connected to other floating blocks by glowing blue wires. Since those practices are not spelled out, it’s impossible to know what the company means when it says in another post about the system that “we have designed our solution with privacy as the starting point.” A separate set of IBM “Principles for Trust and Transparency” argues, essentially, that IBM is trustworthy and principled because IBM is trustworthy and principled, having “earned the trust of our clients by responsibly managing their most valuable data” for “more than a century,” a period of time that includes the company’s work for Nazi Germany, creation of citywide surveillance systems for Philippine President Rodrigo Duterte, and coziness with the Trump administration.



Given the complete absence of any specifics about how it will protect your medical data and that its blockchain, unlike most others, will remain private and unauditable, Excelsior Pass leaves users with a single choice: You can trust IBM and the state government, or not. This is quite literally the exact sort of arrangement — mandatory trust in monolithic bureaucracies — that blockchains were supposed to render obsolete. Private blockchains like IBM’s are blockchains “in name only,” the security researcher and cryptographer Bruce Schneier wrote in Wired in 2019, “and—as far as I can tell—the only reason to operate one is to ride on the blockchain hype.”

Asked about Excelsior Pass over email, Schneier told The Intercept that there’s no sound reason to use blockchain storage for this sort of application, and the fact that it’s private renders it only superficially similar to other applications — “‘a blockchain’ for marketing purposes only,” as he put it. What IBM is offering New Yorkers provides no benefit beyond what you’d get from any other way to store data on the internet, Schneier and Green agreed, but adds needless complications. “To the extent that it just uses a data structure — sure, I don’t particularly care what data structure the database uses,” explained Schneier. “And neither does anyone else. To the extent that it uses any actual blockchain features, run away fast. It doesn’t add anything.”
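The point Schneier and Green make about private ledgers can be shown with a small hash-chained list. This is an added example, not code from the article, IBM or New York state; the internals of Excelsior Pass are not public, so the ledger format, record fields and function names below are all assumptions constructed for illustration.

```python
import hashlib
import json

def block_hash(prev_hash, record):
    """Hash a record together with the previous block's hash."""
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Return a list of blocks, each linked to the one before it."""
    chain, prev = [], "0" * 64
    for record in records:
        h = block_hash(prev, record)
        chain.append({"prev": prev, "record": record, "hash": h})
        prev = h
    return chain

def verify_chain(chain, trusted_head=None):
    """Check internal links; optionally compare the head to an outside copy."""
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["record"]):
            return False
        prev = block["hash"]
    return trusted_head is None or prev == trusted_head

# Constructed sample records (made-up IDs, not real data).
RECORDS = [
    {"id": "pass-001", "status": "vaccinated"},
    {"id": "pass-002", "status": "negative-test"},
    {"id": "pass-003", "status": "vaccinated"},
]

def demo():
    chain = build_chain(RECORDS)
    public_head = chain[-1]["hash"]  # copy an outside auditor would hold
    # A single record is edited without recomputing the hashes.
    tampered = [dict(b) for b in chain]
    tampered[1]["record"] = {"id": "pass-002", "status": "vaccinated"}
    naive_edit_detected = not verify_chain(tampered)
    # Whoever runs the ledger recomputes every hash over the altered records.
    altered = [dict(r) for r in RECORDS]
    altered[1]["status"] = "vaccinated"
    rewritten = build_chain(altered)
    passes_internal_check = verify_chain(rewritten)
    caught_by_auditor = not verify_chain(rewritten, trusted_head=public_head)
    return naive_edit_detected, passes_internal_check, caught_by_auditor

if __name__ == "__main__":
    print(demo())
```

The internal check only proves the list is self-consistent. Detecting a rewrite by whoever controls the ledger requires a copy of the head hash held by someone else, which is what a private, unauditable chain withholds.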
