This is going to be a three part diary in which I try to strike a middle ground between the hard “we need vaccine passport apps yesterday” and the “let’s ban any sort of verification of vaccination status” camps. It’s not obvious that this should be a partisan issue, with the ACLU, Republican governors, and the Biden administration on one side of the divide and Andrew Cuomo, Boris Johnson, Benjamin Netanyahu on the other. So I’m hoping against hope that we can cool this down before this spins into yet another partisan issue that really shouldn’t be.
Stop me when this sounds familiar: the CDC cards we get are a bunch of flimsy pieces of paper, they’re easy to forge! Before long we’re going to be awash in fake CDC cards!
Breathe. They’re going to work just fine.
Before getting started, it’s worth taking a step back and thinking about why we’re verifying proof of vaccination status. Is it because we expect groups of people to be 100% vaccinated before we’re safe from outbreaks, variants, and the like? No. The best we can do is mitigate risk. The question then becomes whether the marginal effort required to build a high tech “vaccine passport” system is worth the effort and the risks associated with that.
What does it mean for a document — a piece of paper, or a physical token such as a phone, or an email — to “prove” a fact? Can a document ever prove anything? Well, no. It’s a document. It doesn’t prove a damn thing, in the same way that religious texts don’t prove the existence of cherubim. From a societal point of view, to say that a documents “proves” or “authenticates” something just means that (a) the person who perpetrates the forgery can eventually be caught, if the forgery results in harm to someone else (b) there are consequences to getting caught forging the document that are adequate to deter forgery.
Both of these things are true with the CDC cards. Here’s the scenario. An entity such as a school, summer camp, workplace, sports stadium, cruise ship, or airline wants to screen for vaccination status. So they ask for everyone’s driver’s licenses and CDC cards.
Suppose someone presents their CDC card and photo ID to you. In the upper right hand corner you’ll notice a couple logos — one for the United States Department of Health and Human Services, and another for the Centers for Disease Control. These both happen to be federal agencies.
Here’s what the United States criminal code has to say about that:
Whoever fraudulently or wrongfully affixes or impresses the seal of any department or agency of the United States, to or upon any certificate, instrument, commission, document, or paper or with knowledge of its fraudulent character, with wrongful or fraudulent intent, uses, buys, procures, sells, or transfers to another any such certificate, instrument, commission, document, or paper, to which or upon which said seal has been so fraudulently affixed or impressed, shall be fined under this title or imprisoned not more than five years, or both. (18 U.S.C. § 1017)
Indeed, the FBI has issued a warning to anyone with the audacity to forge these cards:
If You Make or Buy a Fake COVID-19 Vaccination Record Card, You Endanger Yourself and Those Around You, and You Are Breaking the Law
Then what? Well, there are two possibilities. Either the person who faked the card wasn’t infectious or they were. If they don’t infect anyone, then it doesn’t matter. So say there’s an outbreak at your venue. The local health department initiates an investigation. You provide them with the contact information of the people who attended — as required, if we’re still in a state of emergency.
Because the people who attended the event presented ostensibly authentic official government documents, the FBI can initiate an investigation. As a law enforcement agency, they can invoke an exception to HIPAA and verify the information with your state or local health department:
A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.
45 CFR § 164.512 (f)(5)
But wait! There’s more! The feds are also legally entitled to verify your driver’s license (or non-driver ID):
Personal information referred to in subsection (a) ... may be disclosed...[for] use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.
18 U.S. Code § 2721 (b)(1)
TLDR: once you fake a government document, and faking that government document results in harm to others, the FBI can verify both your health information and your identity. To quote Walter Sobchak, you’re entering a world of pain.
Now compare this to the marginal effort required to build a bespoke, high tech, “vaccine passport.” First, there are the equity issues: not everyone has a smart phone. By contrast, everybody gets a CDC card. Next, there are all those GOP governors going around banning vaccine passports outright. Next you have to ask yourself whether the a vaccine passport is really buying you that much more security for it to be worth it. For that I refer you to an article that recently appeared in the Atlantic:
Digital vaccine-passport systems overcome vaccine cards’ awkward physicality, but just as hygiene theater turned cleaning into a false sense of pandemic security, vaccine passports risk becoming verification theater, especially if deployed in only a small number of states. In March, New York launched Excelsior Pass, a free app that claims to provide secure vaccine verification for entry into venues such as theaters and stadiums. Hawaii plans to introduce a system backed by the same company, and California has adopted a policy that seems to require a similar app. Excelsior Pass does plug into state databases to produce a screen or printout with a bar code that can be scanned by another app. But this is all limited by the fact that the databases record only shots administered in New York State. And the app isn’t magic; not much is stopping someone from sharing their own screenshots or printouts with someone else.
Bingo. The author continues:
When I asked an Excelsior Pass help-desk agent how a business could confirm that a pass actually belonged to its holder, she said it was the first time anyone had asked that question. “As far as I know, there is no way,” she said. A vaccine-scanning agent could check the pass against a holder’s ID, but only a name and date of birth appear on the Excelsior Pass anyway. The New York governor’s office told me that hundreds of thousands of New Yorkers are downloading Excelsior Pass each day, and that “passes must be verified against a photo ID.” In a high-traffic environment such as a stadium or even a restaurant, though, it’s hard to believe that everyone will take the time to do so.
The other passes, such as Israel’s green passes, aren’t much better. I suppose Louisiana’s mobile driver’s licenses might work, although the ACLU has legitimate concerns about those.
As a point of order, I want to be clear that I’m comparing our friend the CDC cards to the “vax pass” options that actually exist, not the theoretical ones that probably aren’t ever going to make it to market. For instance, I’d love it if at some point vaccination status could be incorporated into one of the trusted traveler programs under the jurisdiction of the Department of Homeland Security. You’re most likely to make a lot of random contacts when you travel, which means that the overdispersion phenomenon becomes that much more relevant. As much as possible, vaccination status should be verified off site, to minimize the risk of conflict. Anti-vaxers are a violent bunch, and the last thing we should be doing is expecting low paid frontline workers to engage them directly. Even having an instrument that’s hard to forge is fraught with peril, with the potential for escalation. For example — and I hate to bring this up, but it’s an uncomfortable truth — the clerk Christopher Martin, who correctly identified George Floyd’s forged twenty dollar bill, is still traumatized and guilt-ridden.
We do not have the luxury of creating some system of screening people out in some mythical version of our society in which we don’t have a deeply broken system of enforcing laws and adequately protecting frontline workers from violent customers. We have the hot mess that we have, and to pretend otherwise is a dangerous fantasy. What all this adds up to is: in most cases, attempting to screen people as they enter the building is more trouble than it’s worth and comes with its own set of risks that I very much doubt that we’re ready for. The focus should be on deterrence, which is the product of the severity of the punishment and the probability of getting caught. Even a low probability of getting caught can be compensated with a large enough fine.
It should also be noted that the pedigree of the idea of vaccine passports is appalling. Some of the early suggestions were that people be tested for antibodies, the idea being that the system shouldn’t distinguish between people who were vaccinated and those who had acquired immunity naturally. That sounds fine, until you realize that even some people who do get vaccinated may fail to develop antibodies, and end up being an increased risk to others. I don’t know about you, but I’m in no mood to go back to the early 20th century, where we used a strict law enforcement model to prosecute people with TB and chronic typhoid. But that’s a topic for my next diary. Stay tuned.