Digital Vaccine Passes Will Soon Be In More Than 30 States

"More and more locations recognize A) the virus is becoming endemic and B) fraudulent paper credentials are an ongoing issue and challenge."

Not only are the paper vaccination record cards issued by the CDC easily faked, but surveys indicate that many unvaccinated Americans are willing to lie about their vaccination status to stay in college or keep their jobs. [...]

As the calendar flips to 2022, expect to see a stampede of states adopting SMART Health Cards. "The watershed moment is very much right upon us," says Brian Anderson, co-founder of the VCI and chief digital health physician at MITRE, a not-for-profit organization that provides technical guidance for the government on issues of national concern.

"We're working with approximately 20 other states that are not ready to publicly announce the issuance of these credentials, but we're working with their development teams," Anderson says, noting that most of these state apps are coming next year "in the earlier part of Q1."

This is great news, but we won't be safe until venues are able to require SMART Health QR codes and stop accepting paper cards, and photos of cards.

And that won't happen until state or local governments mandate that.

Nearly everybody who enters DNA Lounge using a QR code acquired that code while standing on our sidewalk. Everyone shows up expecting that a photo of their card will be good enough, since we are the only nightclub in town -- or possibly the country -- who do not accept photos. So the customers had no incentive to get the digital record until they arrived here.

Everyone else is at best following SFDPH's woefully inadequate recommendations, and accepting photoshop forgeries of vaccination cards. If they are checking at all. SFDPH believes that scribbling your name on someone else's vax card in Comic Sans counts as proof of vaccination.

We need to move to digital-only, and that can't happen without government mandates. Which I doubt we're going to get from people like Maskless Mayor Breed.

Previously, previously.

Tags: , , ,

21 Responses:

  1. nooj says:

    There is a lot of checking going on in the Bay Area! I was vax-carded at every restaurant and bar I went to around Berkeley campus with indoor seating, and several in SF. I forgot to ask if they would accept a photo of a card.

  2. gilbert says:

    I'm STILL getting "I can't scan that on my phone" responses from hosts/hostesses asking for proof, who then okay my vax status based on a photograph, and then immediately get back onto FB or Twitter after seating us. My dudettes and dudes, if you can selfie yourself on your phone I promise you can use the app thinger to verify the vax QRs.

  3. Dude says:

    This is great news, but we won't be safe until venues are able to require SMART Health QR codes and stop accepting paper cards, and photos of cards.

    Seriously! A few weeks ago, I sent an e-mail to every teacher and educator I know (as well as several venue proprietors) encouraging them to stop accepting and hand-waving photos of vax cards when the SMART Health scanner is is available to everyone. EVERYONE. I have it on my phone alongside my QR code, meaning I could personally scan anyone and everyone's QR code, if I had to.

    And I'm not anyone important; I just got it from the official Android App Store for free. Yet, every place I go to just glances at phones and hand-waves people in to create shoulder-to-shoulder crowds.

    Well... not quite every place.

  4. cmt says:

    We have this https://digitaler-impfnachweis-app.de/en (QR code and scanner/verifier - different countries have different apps based on the same scheme, so it's portable across most of the EU). Problem is that they needed a way to import the standard yellow WHO vaccination certifications (for those who got vaccinated before we got the apps, because who could expect that we needed something like that; and for those who didn't get their digital certificates with the vaccination "the printer doesn't work"), and that goes just like you would expect any analog-digital interface to work: https://www.hessenschau.de/panorama/stromableser-entdecken-impfpass-faelscherwerkstatt,gefaelschte-impfausweise-100.html large-scale counterfeiting.

    • phuzz says:

      We have a similar thing in the UK, (although I guess it's not compatible with the European version because of some brexit bollocks).

      • tfb says:

        Pretty sure that in some depth of one of Johnson's fiefs, someone has been hired for a job whose description is 'ensure that whatever is developed is not compatible with whatever the EU does'. Also that in some way this will involve Johnson or his chums getting paid.

  5. plumpy says:

    FYI in NYC it seems like a lot of people (maybe 50%?) are using the app instead of the CDC card. (We have to show proof of vaccination to do almost anything indoors except shop). But never once in the 100+ times I've shown my pass has anyone scanned the QR code. They usually do check your ID, so you can't just use a screenshot of your friend's, but it's even easier to photoshop than a CDC card is if you're so inclined.

  6. prefetch says:

    An aside due to comments being disabled on the relevant page: Your workflow is... intriguing.

    Is this update prompted by the 100 month anniversary of its passing?

  7. Paul says:

    In Victoria, Australia if you don't show the green tick as proof you're double vaxxed you can't see a gig. Or go to a restaurant. Or most other places.
    https://service.vic.gov.au/covid-19/add-covid-19-digital-certificate

    Which I think is one reason we're over 90% with two doses.

    • Hamish says:

      But everywhere I went, they happily accepted my NHS certificate instead of their green tick (and of course, didnt scan the QR code it has)

      So, I am quite sure that if someone wanted to fake it, Victoria would be no better than elsewhere.

  8. divVerent says:

    Just to be clear: I will NOT be waving a SMART health card in front of any scanner before I read their privacy policy on how my data is being handled. I'd rather wave around the original CDC card in front of your face, given there's a good chance you won't remember all the details.

    My own SHC contains the following info:

    - Full name and birthdate (useful to compare to my ID, yes, but if you store or even distribute it without my express informed consent, you're invading my privacy)
    - Full address of where I got the vaccines (which can be assumed to be close to my place of living)
    - Date and lot number of vaccination (fine, no issues with that)

    I would much prefer a way that does NOT contain as much PII.

    • jwz says:

      Then I very much hope that we soon live in a world where you just have to stay home.

      Your privacy maximalism is all very nice in the abstract, but continuing to cater to the whims of kooks like you is literally going to kill me and my friends.

    • Nate says:

      The app verifies a signature on a JSON blob. Nothing is sent anywhere, but I agree privacy is important so it should stay that way

      • Rudolf Polzer says:

        Yeah, all I really want to see is some "proof" that the verifier (whoever uses the app) is not collecting data.

        The privacy policy screen that the app hopefully has will do.

  9. Mycroft W says:

    You know, I agree with divVerent. Which is, of course, why I never go to bars (where I have to show a document with my full name (including middle, which my vaccine record doesn't show), birthdate, current place of living (which can be assumed to be close to my place of living), in addition to a picture designed explicitly to be personally identifiable, a requirement to wear glasses when driving, and my legal right to ride a motorcycle unsupervised). I mean, it doesn't show the vaccine lots I got, but you can't lose everything, I guess.

    Sarcasm aside, I am not happy with the "scan your DL" apps some bars have, because it is an invasion of my privacy to store it, and it's not the bar I have to trust, it's the appmaker('s lawyers, on the eventual bankruptcy). But, you know, their bar, their rules, I can choose not to go.

    But "show the green check, confirm data with DL I also have to show, all to a Mk. 1 eyeball?" Literally no additional privacy is invaded, unless you think the apps are storing scanned information. Which, given they say it doesn't, and it's freely available to everyone (including people who just love to publicise apps that send data on-the-sly to FB et al); well, I'm willing to be disappointed, but I believe them for now. Of course, it won't be long until there's a "works everywhere, not locked to <state&rt;" free app in the app store that does store and download that information to the app creator...

    All of this doesn't apply, of course, if you have got used to not showing proof of age, because you've passed the "old enough" line. Which is - a privilege not everyone gets. Possibly even one divVerent or I shouldn't get, even when obviously 21+.

    • Dude says:

      No one - and I mean NO ONE's - "privacy is being invaded" when the app is scanned. Read the actual goddamn info and you'll see that it's the digital equivalent to confirming one's name on their ID (which you have to do already in addition to the scan).

      The only "invasion" is you (what do we call you, "anti-appers"?) trying to force your way into a COVID-free space because a one-second QR scan makes your sphincters clench.

      • Mycroft W says:

        Did you in fact read anything I wrote? I have two - count'em, two - different scanners ON MY PHONE so even if the bar won't scan my fucking record, I can do it for them. It would be 3, but California doesn't like people who don't live there.

        Or was it that my sarcasm, ladled on with a trowel and even labelled, got read straight? Does it have to be in yellow for anyone to notice?

        All I said was that someone, eventually, will write a rogue scanner that does save some data, and people will download it instead of the official ones. If all it can get is "[signature] was checked here at this time", and they get to tie it to "same signature was checked at this other place last week", fine. Somebody will pay for that, especially if they also have location info from some crappy app on [signature]'s phone or random Arsebook data (from being tagged in pictures at those locations?). Because it's 2021, and the internet, and the Android Store.

        Sure, I did also say that the bar scan, save, and centralize your Driver's License products like PatronScan are a privacy issue, because they are. Looking at their FAQ, it seems better than before, but that's only if I, someone the company has zero financial interest in keeping happy, can trust what they write, even from mistakes or "mistakes", even unto liquidation. But it, correctly in the maker's and purchaser's view, prioritises the bar's safety from "bad customers/fake IDs" over their customer's privacy. Since I'm the only one in that transaction that cares about that, I get to decide whether it's worth it.

        But that isn't the COVID checker - which I am 100% behind Our Imperious Host on!

        • jwz says:

          Dude, nobody gives a shit which CVS gave you got your shot. If a venue wants to monetize your personal data, that venue will be one of the many who simply won't let you inside unless you agree to run your driver's license through their scanner. Your threat model is absurd.

          But worse than your threat model being absurd, catering to people who care about your threat model puts actual lives at risk in a measurable, real-world way.

        • jwz says:

          Also, someone who thinks "oh, let me prove that I'm vaccinated by showing you some random app running on my own phone" is something that anyone should accept is someone who has no business talking about security.

  10. Dude says:

    You spent that comment and the initial one imagining a bullshit scenario so as to defend not scanning when eye-balling is a bullshit tactic that is proliferating the spread. That's on you.

Leave a Reply

Your email address will not be published. But if you provide a fake email address, I will likely assume that you are a troll, and not publish your comment.

You may use these HTML tags and attributes: <a href="" title=""> <b> <blockquote cite=""> <code> <em> <i> <s> <strike> <strong> <img src="" width="" height="" style=""> <iframe src="" class=""> <video src="" class="" controls="" loop="" muted="" autoplay="" playsinline=""> <div class=""> <blink> <tt> <u>, or *italics*.