Inside the high-tech fight against fake vaccine cards

Paper vaccine cards are easy to fake. This public-private coalition is working to expand QR code vaccine passports beyond states like California and New York.

COVID-19 passport app on a series of phone screens

Digital vaccine passports can beat out fraudulent cards or photos.

Image: Commons Project

It's easy to fake a vaccine card.

Because the U.S. government didn't have a more elegant vaccine passport system in place when it rolled out COVID-19 vaccines earlier this year, CDC cards are what we got. The cards — or a photo or copy of them — will generally get us into the office, or a bar, or out of the Honolulu airport.

Unless something more high-tech and instantly verifiable becomes standard. That's what the Vaccination Credential Initiative is working to accomplish with QR code-based SMART Health Cards — already available in California, New York and Louisiana — as vaccine mandates become a bigger part of life in America.

"The two keys are, one, addressing the potential for fraud," said JP Pollak, the co-founder and chief architect of the Commons Project Foundation, a driving force behind VCI and SMART Health Cards. "The second is just efficiency in the system. CDC cards, if you want to use them for travel or to prove your status to a workplace, somebody has to interpret these things, and that takes time."

A niche between Big Tech, startups and government

Pollak, a Cornell University researcher who develops systems to capture health data, co-founded the nonprofit Commons Project in 2019. Now funded by the Rockefeller Foundation, the Commons Project expanded upon his team's work to build, essentially, an Android version of Apple Health.

The 70-person nonprofit has product and engineering teams that previously worked at large tech companies, but no shareholders or investors to pay. "We try and sort of fit in a niche between the kinds of things that big tech companies do, what startups do and what governments can't necessarily do," Pollak said. "The kinds of things that maybe utility operators would do in the physical world: There's not really a digital equivalent to that."

When the pandemic hit, Pollak and the Commons Project saw an application for their expertise in building these sorts of tools. The Commons Project then launched VCI alongside partners at Apple, Microsoft, Cigna, the Mayo Clinic and the Mitre Corporation, a nonprofit that does R&D for a number of federal agencies.

To these ends, the Commons Project and VCI designed SMART Health Cards, the specification behind the digital vaccine passports that are already available to people who were vaccinated in California, New York or Louisiana. SMART Health Cards verify a user's vaccination status with any of hundreds of health systems and providers, including Walmart, CVS, Walgreens, Epic and Cerner, spitting out a QR code that users can print or store on a mobile device.

Scanning the QR code shows that the vaccination record came from a trusted source like a major pharmacy, "and not some sort of sketchy fraudster organization that's just making fake credentials," Pollak said.

The Commons Project offers its own SMART Health Card app in the form of CommonPass, a digital health app that travelers to Aruba and Hawaii, as well as those traveling from Germany to the U.S., use to verify their vaccination and testing status.

That's not the only such app. Clear, the airport security company and another VCI partner, uses SMART Health Cards in its Health Pass, which the company markets for use in travel, events and the workplace. The IATA Travel Pass is a similar initiative.

Vaccine card fraud vs. privacy concerns

People are faking vaccine cards, but it's unclear how common this type of fraud is.

"I think one of the challenges is with the paper CDC cards, it's incredibly difficult to know how much fraud there really is going on," Pollak said. "It's not that hard to create a fake one. And generally speaking, if you're not trying to check those records against the state registry, if there's a good fake, there's quite literally no way that anyone would know that it's a fake."

Tech companies that have shared their vaccination verification processes with Protocol have generally described collecting proof of vaccination — often an image of a vaccine card, a digital vaccine record from California or New York, or a record from a doctor's office — through email or an HR/IS system like Workday.

Phone with a Health Pass on the screen Clear offers another vaccine passport option with its Health Pass.Photo: Clear

In other words, no tech company has indicated to Protocol that it will turn down a paper vaccine card in favor of a digital, verified vaccine passport, which Pollak said they can do today using open source code from VCI. Pollak is hopeful that Workday and similar systems will incorporate SMART Health Cards into their workflows so companies can even more easily collect verifiable vaccine proof from employees.

Some see the traditional vaccine card as a more straightforward alternative. "It's OK to take a low-tech approach … To do it all in the most technologically savvy and efficient way may not be the smartest option, given that we don't know all the medium-term consequences of putting this data in lots of places," said Rob Shavell, the CEO of the online privacy company Abine.

As for vaccine card fraud? Shavell isn't concerned. "Designing a whole system to make sure that we're catching that 0.1% of people that are so crazy and motivated that they want to create forged vaccine records is not a smart way to protect society," Shavell said. Pollak agreed with Shavell's concerns about privacy, noting that that's why VCI has taken such a decentralized approach: To download a SMART Health Card, a user simply has to log in to a state website, download a QR code and present it to one's employer or another authority.

Will SMART Health Cards become ubiquitous?

All told, Pollak estimates that between vaccinations at mass vaccine sites, in doctor's offices and at pharmacy chains, around 100 million people — roughly half of those who have been vaccinated in the U.S. — can gain access to their vaccine records through SMART Health Cards, "with a bunch more to come."

"It will be a long tail before every state provides this service," Pollak said. "But we think through the different channels that we're hopeful that most people who have been vaccinated by year end or so should be able to get access to their health records in this format."

VCI now has around 700 partners in the public and private sectors, ranging from medical records providers like Cerner and Epic Systems to Apple, which has integrated VCI's Smart Health cards into iOS 15, as well as Salesforce and Microsoft, which both have large vaccine administration platforms.

"Large group consensus is really important," Pollak said. "If we're not building something that all of the entities can adopt, then it really has no chance of becoming successful."


Why foundation models in AI need to be released responsibly

Foundation models like GPT-3 and DALL-E are changing AI forever. We urgently need to develop community norms that guarantee research access and help guide the future of AI responsibly.

Releasing new foundation models doesn’t have to be an all or nothing proposition.

Illustration: sorbetto/DigitalVision Vectors

Percy Liang is director of the Center for Research on Foundation Models, a faculty affiliate at the Stanford Institute for Human-Centered AI and an associate professor of Computer Science at Stanford University.

Humans are not very good at forecasting the future, especially when it comes to technology.

Keep Reading Show less
Percy Liang
Percy Liang is Director of the Center for Research on Foundation Models, a Faculty Affiliate at the Stanford Institute for Human-Centered AI, and an Associate Professor of Computer Science at Stanford University.

Every day, millions of us press the “order” button on our favorite coffee store's mobile application: Our chosen brew will be on the counter when we arrive. It’s a personalized, seamless experience that we have all come to expect. What we don’t know is what’s happening behind the scenes. The mobile application is sourcing data from a database that stores information about each customer and what their favorite coffee drinks are. It is also leveraging event-streaming data in real time to ensure the ingredients for your personal coffee are in supply at your local store.

Applications like this power our daily lives, and if they can’t access massive amounts of data stored in a database as well as stream data “in motion” instantaneously, you — and millions of customers — won’t have these in-the-moment experiences.

Keep Reading Show less
Jennifer Goforth Gregory
Jennifer Goforth Gregory has worked in the B2B technology industry for over 20 years. As a freelance writer she writes for top technology brands, including IBM, HPE, Adobe, AT&T, Verizon, Epson, Oracle, Intel and Square. She specializes in a wide range of technology, such as AI, IoT, cloud, cybersecurity, and CX. Jennifer also wrote a bestselling book The Freelance Content Marketing Writer to help other writers launch a high earning freelance business.

The West’s drought could bring about a data center reckoning

When it comes to water use, data centers are the tech industry’s secret water hogs — and they could soon come under increased scrutiny.

Lake Mead, North America's largest artificial reservoir, has dropped to about 1,052 feet above sea level, the lowest it's been since being filled in 1937.

Photo: Mario Tama/Getty Images

The West is parched, and getting more so by the day. Lake Mead — the country’s largest reservoir — is nearing “dead pool” levels, meaning it may soon be too low to flow downstream. The entirety of the Four Corners plus California is mired in megadrought.

Amid this desiccation, hundreds of the country’s data centers use vast amounts of water to hum along. Dozens cluster around major metro centers, including those with mandatory or voluntary water restrictions in place to curtail residential and agricultural use.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (


Indeed is hiring 4,000 workers despite industry layoffs

Indeed’s new CPO, Priscilla Koranteng, spoke to Protocol about her first 100 days in the role and the changing nature of HR.

"[Y]ou are serving the people. And everything that's happening around us in the world is … impacting their professional lives."

Image: Protocol

Priscilla Koranteng's plans are ambitious. Koranteng, who was appointed chief people officer of Indeed in June, has already enhanced the company’s abortion travel policies and reinforced its goal to hire 4,000 people in 2022.

She’s joined the HR tech company in a time when many other tech companies are enacting layoffs and cutbacks, but said she sees this precarious time as an opportunity for growth companies to really get ahead. Koranteng, who comes from an HR and diversity VP role at Kellogg, is working on embedding her hybrid set of expertise in her new role at Indeed.

Keep Reading Show less
Amber Burton

Amber Burton (@amberbburton) is a reporter at Protocol. Previously, she covered personal finance and diversity in business at The Wall Street Journal. She earned an M.S. in Strategic Communications from Columbia University and B.A. in English and Journalism from Wake Forest University. She lives in North Carolina.


New Jersey could become an ocean energy hub

A first-in-the-nation bill would support wave and tidal energy as a way to meet the Garden State's climate goals.

Technological challenges mean wave and tidal power remain generally more expensive than their other renewable counterparts. But government support could help spur more innovation that brings down cost.

Photo: Jeremy Bishop via Unsplash

Move over, solar and wind. There’s a new kid on the renewable energy block: waves and tides.

Harnessing the ocean’s power is still in its early stages, but the industry is poised for a big legislative boost, with the potential for real investment down the line.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (

Latest Stories