Inside the high-tech fight against fake vaccine cards

Paper vaccine cards are easy to fake. This public-private coalition is working to expand QR code vaccine passports beyond states like California and New York.


Digital vaccine passports can beat out fraudulent cards or photos.

Image: Commons Project

It's easy to fake a vaccine card.

Because the U.S. government didn't have a more elegant vaccine passport system in place when it rolled out COVID-19 vaccines earlier this year, CDC cards are what we got. The cards — or a photo or copy of them — will generally get us into the office, or a bar, or out of the Honolulu airport.

Unless something more high-tech and instantly verifiable becomes standard. That's what the Vaccination Credential Initiative is working to accomplish with QR code-based SMART Health Cards — already available in California, New York and Louisiana — as vaccine mandates become a bigger part of life in America.

"The two keys are, one, addressing the potential for fraud," said JP Pollak, the co-founder and chief architect of the Commons Project Foundation, a driving force behind VCI and SMART Health Cards. "The second is just efficiency in the system. CDC cards, if you want to use them for travel or to prove your status to a workplace, somebody has to interpret these things, and that takes time."

A niche between Big Tech, startups and government

Pollak, a Cornell University researcher who develops systems to capture health data, co-founded the nonprofit Commons Project in 2019. Now funded by the Rockefeller Foundation, the Commons Project expanded upon his team's work to build, essentially, an Android version of Apple Health.

The 70-person nonprofit has product and engineering teams that previously worked at large tech companies, but no shareholders or investors to pay. "We try and sort of fit in a niche between the kinds of things that big tech companies do, what startups do and what governments can't necessarily do," Pollak said. "The kinds of things that maybe utility operators would do in the physical world: There's not really a digital equivalent to that."

When the pandemic hit, Pollak and the Commons Project saw an application for their expertise in building these sorts of tools. The Commons Project then launched VCI alongside partners at Apple, Microsoft, Cigna, the Mayo Clinic and the Mitre Corporation, a nonprofit that does R&D for a number of federal agencies.

To these ends, the Commons Project and VCI designed SMART Health Cards, the specification behind the digital vaccine passports that are already available to people who were vaccinated in California, New York or Louisiana. SMART Health Cards verify a user's vaccination status with any of hundreds of health systems and providers, including Walmart, CVS, Walgreens, Epic and Cerner, spitting out a QR code that users can print or store on a mobile device.

Scanning the QR code shows that the vaccination record came from a trusted source like a major pharmacy, "and not some sort of sketchy fraudster organization that's just making fake credentials," Pollak said.
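How that check works under the SMART Health Cards specification, as an added example (not part of the original article and not VCI's code): the QR text encodes a compressed, ES256-signed token, and a verifier accepts it only if the signature matches a key it already trusts for the named issuer. The issuer URLs, key id, key pairs and record below are constructed for illustration, and the helper names are hypothetical.

```javascript
const crypto = require('crypto');
const zlib = require('zlib');

const b64u = (data) => Buffer.from(data).toString('base64url');

// QR text: "shc:/" then two decimal digits per JWS character (char code minus 45).
function qrToJws(qr) {
  if (!/^shc:\/(\d\d)+$/.test(qr)) throw new Error('not a single-chunk SMART Health Card QR');
  return qr.slice(5).match(/\d\d/g).map((d) => String.fromCharCode(Number(d) + 45)).join('');
}
const jwsToQr = (jws) =>
  'shc:/' + [...jws].map((c) => String(c.charCodeAt(0) - 45).padStart(2, '0')).join('');

// trustedKeys: Map of "issuerUrl#kid" -> public JWK the verifier has chosen to trust.
function verifyHealthCard(qr, trustedKeys) {
  const [h, p, s] = qrToJws(qr).split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  if (header.alg !== 'ES256' || header.zip !== 'DEF') return { ok: false, reason: 'bad header' };
  // The payload is read before verification only to learn which issuer key to check against.
  const payload = JSON.parse(zlib.inflateRawSync(Buffer.from(p, 'base64url')));
  const jwk = trustedKeys.get(`${payload.iss}#${header.kid}`);
  if (!jwk) return { ok: false, reason: 'untrusted issuer' };
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  return valid ? { ok: true, issuer: payload.iss, vc: payload.vc }
               : { ok: false, reason: 'bad signature' };
}

// Constructed issuer side, present only so the example runs offline.
function issueSample(iss, kid, privateKey, vc) {
  const h = b64u(JSON.stringify({ alg: 'ES256', zip: 'DEF', kid }));
  const p = b64u(zlib.deflateRawSync(JSON.stringify({ iss, nbf: 1630000000, vc })));
  const s = b64u(crypto.sign('sha256', Buffer.from(`${h}.${p}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' }));
  return jwsToQr(`${h}.${p}.${s}`);
}

const pharmacy = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const forger = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const ISS = 'https://pharmacy.example/shc'; // constructed issuer URL
const trustedKeys = new Map([[`${ISS}#k1`, pharmacy.publicKey.export({ format: 'jwk' })]]);
const record = { note: 'constructed placeholder for the FHIR immunization bundle' };
const genuine = issueSample(ISS, 'k1', pharmacy.privateKey, record);
const forged = issueSample(ISS, 'k1', forger.privateKey, record); // claims the trusted issuer
const unknown = issueSample('https://cards.invalid', 'k1', forger.privateKey, record);

console.log(verifyHealthCard(genuine, trustedKeys).ok,
  verifyHealthCard(forged, trustedKeys).reason, verifyHealthCard(unknown, trustedKeys).reason);
```

A card that merely names a trusted issuer fails the signature check, and a correctly signed card from an issuer outside the verifier's trust list is rejected before any signature is evaluated.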

The Commons Project offers its own SMART Health Card app in the form of CommonPass, a digital health app that travelers to Aruba and Hawaii, as well as those traveling from Germany to the U.S., use to verify their vaccination and testing status.

That's not the only such app. Clear, the airport security company and another VCI partner, uses SMART Health Cards in its Health Pass, which the company markets for use in travel, events and the workplace. The IATA Travel Pass is a similar initiative.

Vaccine card fraud vs. privacy concerns

People are faking vaccine cards, but it's unclear how common this type of fraud is.

"I think one of the challenges is with the paper CDC cards, it's incredibly difficult to know how much fraud there really is going on," Pollak said. "It's not that hard to create a fake one. And generally speaking, if you're not trying to check those records against the state registry, if there's a good fake, there's quite literally no way that anyone would know that it's a fake."

Tech companies that have shared their vaccination verification processes with Protocol have generally described collecting proof of vaccination — often an image of a vaccine card, a digital vaccine record from California or New York, or a record from a doctor's office — through email or an HR/IS system like Workday.

Clear offers another vaccine passport option with its Health Pass. Photo: Clear

In other words, no tech company has indicated to Protocol that it will turn down a paper vaccine card in favor of a digital, verified vaccine passport, which Pollak said they can do today using open source code from VCI. Pollak is hopeful that Workday and similar systems will incorporate SMART Health Cards into their workflows so companies can even more easily collect verifiable vaccine proof from employees.

Some see the traditional vaccine card as a more straightforward alternative. "It's OK to take a low-tech approach … To do it all in the most technologically savvy and efficient way may not be the smartest option, given that we don't know all the medium-term consequences of putting this data in lots of places," said Rob Shavell, the CEO of the online privacy company Abine.

As for vaccine card fraud? Shavell isn't concerned. "Designing a whole system to make sure that we're catching that 0.1% of people that are so crazy and motivated that they want to create forged vaccine records is not a smart way to protect society," Shavell said. Pollak agreed with Shavell's concerns about privacy, noting that that's why VCI has taken such a decentralized approach: To download a SMART Health Card, a user simply has to log in to a state website, download a QR code and present it to one's employer or another authority.

Will SMART Health Cards become ubiquitous?

All told, Pollak estimates that between vaccinations at mass vaccine sites, in doctor's offices and at pharmacy chains, around 100 million people — roughly half of those who have been vaccinated in the U.S. — can gain access to their vaccine records through SMART Health Cards, "with a bunch more to come."

"It will be a long tail before every state provides this service," Pollak said. "But we think through the different channels that we're hopeful that most people who have been vaccinated by year end or so should be able to get access to their health records in this format."

VCI now has around 700 partners in the public and private sectors, ranging from medical records providers like Cerner and Epic Systems to Apple, which has integrated VCI's SMART Health Cards into iOS 15, as well as Salesforce and Microsoft, which both have large vaccine administration platforms.

"Large group consensus is really important," Pollak said. "If we're not building something that all of the entities can adopt, then it really has no chance of becoming successful."

