One big problem with New York's Excelsior Pass

Here's a hint: privacy protections for undocumented folks

Since my last post, the SBA no longer requires restaurants to register for a account (or need a DUNS number). While we were told that additional guidance should be provided 7–10 days from late March, not much by the way of requirements or plans has been made public. Given that the SVOG (Shuttered Venue Operators Grant), which makes use of is currently suspended due to tech issues, I am doubtful that Restaurant Revitalization Fund Grant (RRFG) applications will be open this month (as some have projected)—especially if SBA is building a website specific for this process.

I suppose we’ll have to wait and see. In the interim, here is what I meant for last week’s post, but procrastination got the better for me. This week’s actual post on New York’s Excluded Worker’s Fund will be out on Tuesday morning (hopefully).

Excelsior Pass: privacy protections and exposure

The topic of vaccine passports are continuously making the rounds, including this article from Insider that was trending today on Twitter. While the Biden administration will not be mandating a vaccine passport program in the U.S., New York Gov. Andrew Cuomo’s office has been testing a program, based on blockchain and in partnership with IBM, known as the Excelsior Pass. Apart from the discussions of digital segregation that such an app can promote, the lack of privacy protection is overly concerning.

Albert Fox Cahn, Executive Director of the Surveillance Technology Oversight Project, is quick to point out that there is no privacy policy offering protections from law enforcement. In other words, the program does not provide assurance that information would not be access by police departments or by Immigration or Customs Enforcement (ICE).

To get at what Cahn is articulating, let’s take look at the current privacy policies. The program has its own privacy page; however, what it covers is rather limited. With regards to data sharing, it only notes the following:

Your personal health information or records are not shared with anyone. To validate your Pass, the Excelsior Scanner app scans the QR code and receives from it your First Name, Last Name, Date of Birth and Pass Status (valid, invalid, expired).

While it sounds like people are safe privacy-wise with the term “personal health information”, it should be noted that the addition of “health” in between the two words limits coverage. The term “personal information”, carries a broader definition and therefore now has a greater level of exposure, since it was not included in the sharing exemption above.

As an example to highlight the differences between the two terms, personal information can cover the basics of name and address, whereas personal health information could be the vaccination records. Therefore, a case for access for basic personally identifiable information (PII) could be made should police or ICE want to retrieve this data.

The NYS Department of Health Privacy Policy, which the Excelsior Pass makes reference to at the bottom of its webpage, mentions “personal information” access for law enforcement. However, this information is only disclosed in the event that there is unauthorized access or attempted access to NYS’ IT assets. As a result, we do not have precedent or current law to limit law enforcement’s access to PII for the Excelsior Pass.

The New York State Department of Health may also disclose personal information to federal or state law enforcement authorities to enforce its rights against unauthorized access or attempted unauthorized access to the New York State Department of Health's information technology assets.

Even though the Excelsior Pass program is a voluntary one, I have concerns over its use in the private sector where participating venues may tout this app as its preferred method, without considering the implications. Those who are unaware and undocumented may unexpectedly find themselves with heightened legal exposure. Or, if they are aware, then they are unnecessarily saddled with the choice to either find alternative proof or to skip out on activities, therefore furthering social inequities. Neither scenario is a good one, and both are easily avoidable. All it would entail is for Gov. Cuomo’s office to address the handling of personal information and limit its access accordingly for this initiative.

Further reading: