Inside the high-tech fight against fake vaccine cards

Paper vaccine cards are easy to fake. This public-private coalition is working to expand QR code vaccine passports beyond states like California and New York.

Digital vaccine passports can beat out fraudulent cards or photos.

Image: Commons Project

It's easy to fake a vaccine card.

Because the U.S. government didn't have a more elegant vaccine passport system in place when it rolled out COVID-19 vaccines earlier this year, CDC cards are what we got. The cards — or a photo or copy of them — will generally get us into the office, or a bar, or out of the Honolulu airport.

Unless something more high-tech and instantly verifiable becomes standard. That's what the Vaccination Credential Initiative is working to accomplish with QR code-based SMART Health Cards — already available in California, New York and Louisiana — as vaccine mandates become a bigger part of life in America.

"The two keys are, one, addressing the potential for fraud," said JP Pollak, the co-founder and chief architect of the Commons Project Foundation, a driving force behind VCI and SMART Health Cards. "The second is just efficiency in the system. CDC cards, if you want to use them for travel or to prove your status to a workplace, somebody has to interpret these things, and that takes time."

A niche between Big Tech, startups and government

Pollak, a Cornell University researcher who develops systems to capture health data, co-founded the nonprofit Commons Project in 2019. Now funded by the Rockefeller Foundation, the Commons Project expanded upon his team's work to build, essentially, an Android version of Apple Health.

The 70-person nonprofit has product and engineering teams that previously worked at large tech companies, but no shareholders or investors to pay. "We try and sort of fit in a niche between the kinds of things that big tech companies do, what startups do and what governments can't necessarily do," Pollak said. "The kinds of things that maybe utility operators would do in the physical world: There's not really a digital equivalent to that."

When the pandemic hit, Pollak and the Commons Project saw an application for their expertise in building these sorts of tools. The Commons Project then launched VCI alongside partners at Apple, Microsoft, Cigna, the Mayo Clinic and the Mitre Corporation, a nonprofit that does R&D for a number of federal agencies.

To these ends, the Commons Project and VCI designed SMART Health Cards, the specification behind the digital vaccine passports that are already available to people who were vaccinated in California, New York or Louisiana. SMART Health Cards verify a user's vaccination status with any of hundreds of health systems and providers, including Walmart, CVS, Walgreens, Epic and Cerner, spitting out a QR code that users can print or store on a mobile device.

Scanning the QR code shows that the vaccination record came from a trusted source like a major pharmacy, "and not some sort of sketchy fraudster organization that's just making fake credentials," Pollak said.
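What a scanner does with that QR code can be sketched in a few lines. This is an added example, not code from VCI or the Commons Project: it follows the published SMART Health Cards format (an `shc:/` numeric string wrapping an ES256-signed, DEFLATE-compressed JWS), and the issuer URLs, key ID and key pairs are constructed for the demo. A real verifier would fetch the issuer's public keys from `<iss>/.well-known/jwks.json` rather than hard-coding them.

```javascript
// Added example (Node.js built-ins only); keys, issuer URLs and kid are constructed.
const crypto = require('node:crypto');
const zlib = require('node:zlib');
const b64u = (x) => Buffer.from(x).toString('base64url');
const P1363 = 'ieee-p1363'; // JWS ES256 uses raw r||s signatures, not DER

// QR numeric mode: each JWS character becomes two digits of (charCode - 45).
const toShc = (jws) =>
  'shc:/' + [...jws].map((c) => String(c.charCodeAt(0) - 45).padStart(2, '0')).join('');
function fromShc(qr) {
  if (!/^shc:\/(\d\d)+$/.test(qr)) throw new Error('not a single-chunk shc:/ payload');
  return qr.slice(5).match(/\d\d/g).map((d) => String.fromCharCode(+d + 45)).join('');
}

// Issuer side: ES256-sign a raw-DEFLATE-compressed JSON payload, emit the QR text.
function issueCard(claims, privateKey, kid) {
  const h = b64u(JSON.stringify({ alg: 'ES256', zip: 'DEF', kid }));
  const p = b64u(zlib.deflateRawSync(JSON.stringify(claims)));
  const sig = crypto.sign('sha256', Buffer.from(`${h}.${p}`), { key: privateKey, dsaEncoding: P1363 });
  return toShc(`${h}.${p}.${b64u(sig)}`);
}

// Verifier side: trusted is a Map of issuer URL -> Map of kid -> public JWK.
function verifyCard(qr, trusted) {
  const [h, p, s] = fromShc(qr).split('.');
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  if (header.alg !== 'ES256' || header.zip !== 'DEF') return { ok: false, reason: 'unexpected header' };
  // Cap the inflated size: the payload is untrusted until the signature checks out.
  const raw = zlib.inflateRawSync(Buffer.from(p, 'base64url'), { maxOutputLength: 65536 });
  const claims = JSON.parse(raw);
  const jwk = trusted.get(claims.iss)?.get(header.kid);
  if (!jwk) return { ok: false, reason: 'issuer not trusted' };
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const good = crypto.verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: P1363 }, Buffer.from(s, 'base64url'));
  return good ? { ok: true, claims } : { ok: false, reason: 'bad signature' };
}

function demo() {
  const gen = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const pharmacy = gen(), forger = gen();
  const iss = 'https://pharmacy.example/shc'; // constructed issuer URL
  const trusted = new Map([[iss, new Map([['demo-key-1', pharmacy.publicKey.export({ format: 'jwk' })]])]]);
  const claims = { iss, nbf: 1630000000, vc: { type: ['https://smarthealth.cards#health-card'] } };
  return {
    genuine: verifyCard(issueCard(claims, pharmacy.privateKey, 'demo-key-1'), trusted),
    forged: verifyCard(issueCard(claims, forger.privateKey, 'demo-key-1'), trusted),
    unknownIssuer: verifyCard(issueCard({ ...claims, iss: 'https://cards.invalid' }, forger.privateKey, 'k1'), trusted),
  };
}
console.log(demo());
```

A card that merely claims the pharmacy as its issuer fails the signature check, and a validly signed card from an issuer outside the trust list is rejected before its signature is even considered.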

The Commons Project offers its own SMART Health Card app in the form of CommonPass, a digital health app that travelers to Aruba and Hawaii, as well as those traveling from Germany to the U.S., use to verify their vaccination and testing status.

That's not the only such app. Clear, the airport security company and another VCI partner, uses SMART Health Cards in its Health Pass, which the company markets for use in travel, events and the workplace. The IATA Travel Pass is a similar initiative.

Vaccine card fraud vs. privacy concerns

People are faking vaccine cards, but it's unclear how common this type of fraud is.

"I think one of the challenges is with the paper CDC cards, it's incredibly difficult to know how much fraud there really is going on," Pollak said. "It's not that hard to create a fake one. And generally speaking, if you're not trying to check those records against the state registry, if there's a good fake, there's quite literally no way that anyone would know that it's a fake."

Tech companies that have shared their vaccination verification processes with Protocol have generally described collecting proof of vaccination — often an image of a vaccine card, a digital vaccine record from California or New York, or a record from a doctor's office — through email or an HR/IS system like Workday.

Clear offers another vaccine passport option with its Health Pass. Photo: Clear

In other words, no tech company has indicated to Protocol that it will turn down a paper vaccine card in favor of a digital, verified vaccine passport, which Pollak said they can do today using open source code from VCI. Pollak is hopeful that Workday and similar systems will incorporate SMART Health Cards into their workflows so companies can even more easily collect verifiable vaccine proof from employees.

Some see the traditional vaccine card as a more straightforward alternative. "It's OK to take a low-tech approach … To do it all in the most technologically savvy and efficient way may not be the smartest option, given that we don't know all the medium-term consequences of putting this data in lots of places," said Rob Shavell, the CEO of the online privacy company Abine.

As for vaccine card fraud? Shavell isn't concerned. "Designing a whole system to make sure that we're catching that 0.1% of people that are so crazy and motivated that they want to create forged vaccine records is not a smart way to protect society," Shavell said. Pollak agreed with Shavell's concerns about privacy, noting that that's why VCI has taken such a decentralized approach: To download a SMART Health Card, a user simply has to log in to a state website, download a QR code and present it to one's employer or another authority.

Will SMART Health Cards become ubiquitous?

All told, Pollak estimates that between vaccinations at mass vaccine sites, in doctor's offices and at pharmacy chains, around 100 million people — roughly half of those who have been vaccinated in the U.S. — can gain access to their vaccine records through SMART Health Cards, "with a bunch more to come."

"It will be a long tail before every state provides this service," Pollak said. "But we think through the different channels that we're hopeful that most people who have been vaccinated by year end or so should be able to get access to their health records in this format."

VCI now has around 700 partners in the public and private sectors, ranging from medical records providers like Cerner and Epic Systems to Apple, which has integrated VCI's SMART Health Cards into iOS 15, as well as Salesforce and Microsoft, which both have large vaccine administration platforms.

"Large group consensus is really important," Pollak said. "If we're not building something that all of the entities can adopt, then it really has no chance of becoming successful."
