Protocol | Workplace

Inside the high-tech fight against fake vaccine cards

Paper vaccine cards are easy to fake. This public-private coalition is working to expand QR code vaccine passports beyond states like California and New York.


Digital vaccine passports can beat out fraudulent cards or photos.

Image: Commons Project

It's easy to fake a vaccine card.

Because the U.S. government didn't have a more elegant vaccine passport system in place when it rolled out COVID-19 vaccines earlier this year, CDC cards are what we got. The cards — or a photo or copy of them — will generally get us into the office, or a bar, or out of the Honolulu airport.

Unless something more high-tech and instantly verifiable becomes standard. That's what the Vaccination Credential Initiative is working to accomplish with QR code-based SMART Health Cards — already available in California, New York and Louisiana — as vaccine mandates become a bigger part of life in America.

"The two keys are, one, addressing the potential for fraud," said JP Pollak, the co-founder and chief architect of the Commons Project Foundation, a driving force behind VCI and SMART Health Cards. "The second is just efficiency in the system. CDC cards, if you want to use them for travel or to prove your status to a workplace, somebody has to interpret these things, and that takes time."

A niche between Big Tech, startups and government

Pollak, a Cornell University researcher who develops systems to capture health data, co-founded the nonprofit Commons Project in 2019. Now funded by the Rockefeller Foundation, the Commons Project expanded upon his team's work to build, essentially, an Android version of Apple Health.

The 70-person nonprofit has product and engineering teams that previously worked at large tech companies, but no shareholders or investors to pay. "We try and sort of fit in a niche between the kinds of things that big tech companies do, what startups do and what governments can't necessarily do," Pollak said. "The kinds of things that maybe utility operators would do in the physical world: There's not really a digital equivalent to that."

When the pandemic hit, Pollak and the Commons Project saw an application for their expertise in building these sorts of tools. The Commons Project then launched VCI alongside partners at Apple, Microsoft, Cigna, the Mayo Clinic and the Mitre Corporation, a nonprofit that does R&D for a number of federal agencies.

To these ends, the Commons Project and VCI designed SMART Health Cards, the specification behind the digital vaccine passports that are already available to people who were vaccinated in California, New York or Louisiana. SMART Health Cards verify a user's vaccination status with any of hundreds of health systems and providers, including Walmart, CVS, Walgreens, Epic and Cerner, spitting out a QR code that users can print or store on a mobile device.

Scanning the QR code shows that the vaccination record came from a trusted source like a major pharmacy, "and not some sort of sketchy fraudster organization that's just making fake credentials," Pollak said.
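What a verifier does with the scanned QR text, as an added Node.js example that is not from the article or VCI's own code. It follows the public SMART Health Cards encoding (an `shc:/` numeric string wrapping a compressed, ES256-signed JWS); the issuer URLs, key id, record fields and the `directory` map are constructed stand-ins for a real trusted-issuer list.

```javascript
// Added example: issuing and verifying a SMART Health Card QR payload.
// Keys, issuer URLs and the record are constructed; real cards carry a FHIR bundle.
const crypto = require('crypto');
const zlib = require('zlib');
const b64u = (x) => Buffer.from(x).toString('base64url');

// Issuer: deflate the JSON, sign it as a compact JWS (ES256), then write each
// character as two digits (char code - 45) after the "shc:/" prefix.
function issueCard(iss, privateKey, kid, record) {
  const h = b64u(JSON.stringify({ zip: 'DEF', alg: 'ES256', kid }));
  const p = b64u(zlib.deflateRawSync(JSON.stringify({ iss, nbf: 1630000000, vc: record })));
  const sig = crypto.sign('sha256', Buffer.from(`${h}.${p}`), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  const digits = [...`${h}.${p}.${b64u(sig)}`].map((c) => String(c.charCodeAt(0) - 45).padStart(2, '0'));
  return 'shc:/' + digits.join('');
}

// Verifier: the key comes from the trusted directory, never from the card itself.
function verifyCard(qrText, trusted) {
  const fail = (reason) => ({ ok: false, reason });
  if (!/^shc:\/(\d\d)+$/.test(qrText)) return fail('not an shc:/ payload');
  const jws = qrText.slice(5).match(/\d\d/g).map((d) => String.fromCharCode(+d + 45)).join('');
  const [h, p, s, extra] = jws.split('.');
  if (!s || extra !== undefined) return fail('malformed JWS');
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url'));
    payload = JSON.parse(zlib.inflateRawSync(Buffer.from(p, 'base64url')));
  } catch { return fail('undecodable card'); }
  if (!header || !payload || header.alg !== 'ES256') return fail('unexpected header');
  const jwk = trusted.get(payload.iss)?.get(header.kid);
  if (!jwk) return fail('issuer or key not in trusted directory');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const good = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  return good ? { ok: true, issuer: payload.iss, record: payload.vc } : fail('bad signature');
}

// Constructed scenario: a listed pharmacy, and a forger holding only its own key.
const pharmacy = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const forger = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const ISS = 'https://pharmacy.example/shc';
const directory = new Map([[ISS, new Map([['key-1', pharmacy.publicKey.export({ format: 'jwk' })]])]]);
const record = { name: 'Sample Person', doses: 2 };
const genuine = issueCard(ISS, pharmacy.privateKey, 'key-1', record);
const forged = issueCard(ISS, forger.privateKey, 'key-1', record); // claims the listed issuer
const unlisted = issueCard('https://unlisted.example', forger.privateKey, 'k', record);
for (const card of [genuine, forged, unlisted]) console.log(verifyCard(card, directory));
```

Multi-chunk QR codes, `nbf`/expiry checks and key revocation are left out of this sketch.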

The Commons Project offers its own SMART Health Card app in the form of CommonPass, a digital health app that travelers to Aruba and Hawaii, as well as those traveling from Germany to the U.S., use to verify their vaccination and testing status.

That's not the only such app. Clear, the airport security company and another VCI partner, uses SMART Health Cards in its Health Pass, which the company markets for use in travel, events and the workplace. The IATA Travel Pass is a similar initiative.

Vaccine card fraud vs. privacy concerns

People are faking vaccine cards, but it's unclear how common this type of fraud is.

"I think one of the challenges is with the paper CDC cards, it's incredibly difficult to know how much fraud there really is going on," Pollak said. "It's not that hard to create a fake one. And generally speaking, if you're not trying to check those records against the state registry, if there's a good fake, there's quite literally no way that anyone would know that it's a fake."

Tech companies that have shared their vaccination verification processes with Protocol have generally described collecting proof of vaccination — often an image of a vaccine card, a digital vaccine record from California or New York, or a record from a doctor's office — through email or an HR/IS system like Workday.

Clear offers another vaccine passport option with its Health Pass. Photo: Clear

In other words, no tech company has indicated to Protocol that it will turn down a paper vaccine card in favor of a digital, verified vaccine passport, which Pollak said they can do today using open source code from VCI. Pollak is hopeful that Workday and similar systems will incorporate SMART Health Cards into their workflows so companies can even more easily collect verifiable vaccine proof from employees.

Some see the traditional vaccine card as a more straightforward alternative. "It's OK to take a low-tech approach … To do it all in the most technologically savvy and efficient way may not be the smartest option, given that we don't know all the medium-term consequences of putting this data in lots of places," said Rob Shavell, the CEO of the online privacy company Abine.

As for vaccine card fraud? Shavell isn't concerned. "Designing a whole system to make sure that we're catching that 0.1% of people that are so crazy and motivated that they want to create forged vaccine records is not a smart way to protect society," Shavell said. Pollak agreed with Shavell's concerns about privacy, noting that that's why VCI has taken such a decentralized approach: To download a SMART Health Card, a user simply has to log in to a state website, download a QR code and present it to one's employer or another authority.

Will SMART Health Cards become ubiquitous?

All told, Pollak estimates that between vaccinations at mass vaccine sites, in doctor's offices and at pharmacy chains, around 100 million people — roughly half of those who have been vaccinated in the U.S. — can gain access to their vaccine records through SMART Health Cards, "with a bunch more to come."

"It will be a long tail before every state provides this service," Pollak said. "But we think through the different channels that we're hopeful that most people who have been vaccinated by year end or so should be able to get access to their health records in this format."

VCI now has around 700 partners in the public and private sectors, ranging from medical records providers like Cerner and Epic Systems to Apple, which has integrated VCI's SMART Health Cards into iOS 15, as well as Salesforce and Microsoft, which both have large vaccine administration platforms.

"Large group consensus is really important," Pollak said. "If we're not building something that all of the entities can adopt, then it really has no chance of becoming successful."

