New York’s Excelsior Pass is one of many “digital vaccine passports” that promise a verifiable way for businesses to determine who is vaccinated for COVID and who is not. It works by giving each person who was vaccinated or recently tested negative in New York State a QR code containing vaccination information, name, and date of birth, which can be scanned by a business using the “NYS Scanner App.” This app displays vaccination status (green check mark), name, and date of birth. The name and date of birth are supposed to be compared to an official government ID to make sure that the pass actually belongs to the person using it.
The state of New York also claims that no data about users are retained by the businesses scanning the passes. Unfortunately, this is only true when the official NYS app is used to verify the passes. The QR code contains the pass holder’s unencrypted name and date of birth, and these data can easily be retained using different software that is able to read QR codes and record the information within.
Using such an app, businesses can easily build a log of who entered their business, how often, and at what time and date their Excelsior Pass was scanned. If such data are retained, there’s no guarantee that they will not be shared with law enforcement, immigration authorities, or even shared with public records companies to obtain clients’ phone numbers, addresses, or e-mail information for marketing purposes. While a law that prevents businesses from doing this has been proposed in the New York Assembly (https://www.nysenate.gov/legislation/bills/2021/s6541), there is presently no law that makes data retention illegal.
Obviously, it is necessary for the Excelsior Pass to contain some personally identifying information so that it can be matched with an ID card. But it is not actually necessary for it to contain the user’s full name and birthday to be reasonably secure. If it only contained a day, month, and last digit of birth year, it would be sufficient to prevent sharing of passes, since only about one in 3650 (365 days x 10 years) people would share this information. However, it would not be sufficient to uniquely identify a given resident of New York State, which would remove most of the privacy concerns.
As to my methodology, I first obtained an Excelsior Pass from http://epass.ny.gov using name, date of birth, vaccination type, and vaccination date. I then took a screen capture of the resulting QR code, which is the same code displayed by the Excelsior Pass mobile app. Finally, I ran the QR code through a third-party web-based QR scanner (https://4qrcode.com/scan-qr-code.php) that’s not designed to scan Excelsior Passes. Fields for birth date, given name, and family name were visible and readable within the QR code data.
