While a pre-pandemic visit to a New York City club may have required a driver’s licence and, perhaps, a $20 bill to slip into the bouncer’s palm, Big Apple patrons now also find themselves having to show proof of vaccination beginning this month for indoor activities ranging from theatres to gyms to restaurants.
While various forms of proof are already available in the city – a paper card, a digital pass from the state or the city’s new NYC COVID Safe app – Canada is only now getting in on the game, having announced plans earlier this month to introduce a vaccination passport beginning this fall.
B.C. followed suit earlier this week, outlining plans for a digital B.C. vaccine card that will need to be displayed via a smartphone when someone wishes to visit a restaurant, attend a concert or go for a workout at a gym.
But Tony Anscombe, chief security evangelist for global security software firm ESET LLC, said the federal and provincial governments risk sharing too much information as they embark on this effort: “I can’t envisage a scenario where the person needing confirmation that I’m vaccinated requires that level of detail [that the Canadian vaccine app will be providing].”
The federal digital passport will include a user’s COVID-19 vaccination record, the type of vaccine he or she received [such as Pfizer Inc. (NYSE:PFE) or Moderna Inc. (NYSE:MRNA)], and the dates and locations the vaccine shots were administered.
“It is a potential overreach, but it depends on how your system is built,” said Anscombe, referring to the Canadian app’s record of vaccination dates and types of vaccines administered.
“I don’t see a reason why a business needs to be storing that information. Unless of course, it’s for something like contact tracing or it’s an airline where potentially you need to have a record.”
Health care and related data pertaining to Canadians fall under the domain of the provinces, which is why the federal government must partner with its provincial counterparts on developing the app.
Federal officials have left the door open to provinces tapping it domestically for a variety of uses such as when businesses require proof of vaccination before letting patrons inside.
B.C.'s own efforts — separate from Ottawa's — come as Quebec unveiled plans in early August to require a domestic vaccine passport for anyone wishing to visit non-essential locations, such as restaurants or bars (as in B.C., retail outlets would be excluded from such a passport).
“What we have said is that we will not be denying people essential services based on their vaccination status,” B.C. provincial health officer Dr. Bonnie Henry said following Quebec's early August announcement.
“But I’ve also said very clearly that there are some services where people who work in those industries – and we think health care is an essential public service – that we need to make sure we are protecting health-care workers.”
One week later, Henry said it was “perfectly valid” for private businesses to consult their legal teams on requiring employees to show proof of vaccination as a condition of employment. This came the same day she ordered all long-term care and assisted-living workers to be fully vaccinated by October 12.
By August 24, the province confirmed it would be deploying its own vaccine certificates by September 13.
Premier John Horgan, meanwhile, said during the announcement his government was working with the Privacy Commissioner, the Ministry of Health and the Office of the Public Health Officer to ensure the data was kept secure.
“We’re confident that every tool we can use to protect this information and to make sure it can’t be duplicated or forged will be put in place and we’ll see how we unroll it on the 13th [of September] and can be judged at that time,” he said.
Anscombe said the system that the provincial and federal governments develop to prove vaccination status should be kept as airtight as possible in terms of sharing information.
He noted that the New York state app, the Excelsior Pass, was developed by IBM Corp. (NYSE:IBM) and is backed by blockchain to keep all the information secure and encrypted. The app will display a QR code for a business to scan and confirm the user’s vaccination status.
But Anscombe noted that it doesn’t re-prompt users to confirm the business is allowed to access their vaccination record.
“And the reason they should do that is because if somebody else has got a copy of my QR code, I’d know if they’re fraudulently using it,” he said.
Anscombe added that users should also provide ID such as a driver’s licence to verify the holder’s identity in the event someone gets a copy of the QR code. The QR scan should simply confirm someone’s vaccination status with a green for yes or a red for no, rather that showcasing any of the data Ottawa has outlined, Anscombe added.
The Canadian government’s vaccine passport is meant for international travel, but Anscombe said the potential for developing a global standard would be like herding cats.
“The problem is if you’re a border guard, the likelihood of you knowing 50 different apps and how they should look becomes … very unlikely.”
