It could be Big Tech’s shot at making a dent with pandemic solution tools following its failed attempt last year at contact tracing apps, which used Bluetooth technology to alert people if they’ve been in close proximity with someone who tested positive for the virus. Those products were plagued by issues around measuring proximity while keeping data anonymous, notifications that failed to trigger and slow adoption rates among states.
On paper, this latest effort should be much simpler, but the companies face a crowded app market and the potential for privacy concerns among some Americans.
Samsung recently announced Galaxy device users can load their vaccination record from the CommonHealth app — created by Commons Project Foundation, the same healthcare nonprofit working with some airlines for proof of vaccination — and store it in the Samsung Pay digital wallet. Unlike some apps that don’t check if uploaded vaccine cards are legit, users verify their identity and gain access to their status from the pharmacy or healthcare provider that provided their shot.
«If Big Tech has specific apps they will work with, then this would go a long way to cut down on the volume of app solutions that are currently flooding the market,» said Sam Gazeley, digital research analyst at ABI Research. «It would help to a degree by removing the risk of fraudulent certification from forged documents entering circulation.»
Some vaccine verification apps, such as New York City’s NYC Safe app, have faced criticism from some privacy experts for being a «dressed-up camera app,» allowing users to upload photos of their vaccine card — or of anything — and leaving the onus on business owners to determine if it’s real. (To date, countless counterfeit vaccine cards have been sold on the dark web and US border patrol has seized thousands of fakes.)
In addition to verifying vaccine status, apps such as the CommonHealth app and the New York Excelsior Pass app developed by IBM provide a scannable QR code for entry at different businesses. They display no personal information beyond whether that person received a shot.
Some experts say companies such as Samsung, Google and Apple may play a significant role in the private and public sectors coming together to create verifiable credentials.
«Technology companies are helping lead the way in leapfrogging US efforts in verifiable digital Covid-19 credentials, but perhaps more importantly having portable digital consumer health data stored in digital wallets,» said Donna Medeiros, senior research director at market research firm Gartner. «This means using mobile phones to share our data in a standardized manner when, where and with whom we want.»
In June, Google announced Android users will be able to store various test results and vaccine status from healthcare organizations, government agencies and organizations directly on devices. Meanwhile, Apple’s iOS 15 software coming this fall can store verifiable vaccine records and test results in its Health app. Apple told CNN Business other vaccine verification apps available in the App Store undergo a strict approval process and that it only approves those from known entities such as government organizations, health-focused NGOs, medical and educational institutions, and companies credentialed in health issues. Earlier this year, it published an update around health pass apps to outline privacy requirements. Developers can use Apple’s PassKit framework to make those apps available on Apple Wallet.
Vaccine status apps have seen early adoption in California, New York and Louisiana as more people download their data and store it on their device, due largely to local governments requiring proof of vaccination to enter certain areas. It’s also an appealing effort for smartphone makers that don’t have to manage the process themselves.
Gazeley said serving as a storage solution is less risky than creating location-monitoring softtware rife with privacy concerns.
Making a mark
Last year, longtime rivals Google and Apple announced to great fanfare that they would work together to help governments track the spread of the Covid-19 using Bluetooth technology. It was also poised to be a potential tipping point in their longtime effort to gain a bigger foothold in the health care industry. (Samsung did not have a contact tracing initiative). Google and Apple’s apps intended to anonymously monitor where people were traveling, who they’d been in close proximity with and alert them if they’ve possibly been exposed to the virus. Ultimately, they were buggy, presented privacy concerns and not widely adopted.
Amy Loomis, research director at IDC who closely follows future of work trends, said Big Tech’s efforts to support vaccine health pass apps are innately better set up for success.
«Language matters,» she said. «No one wants to be ‘traced’ or tracked but we show ‘proof of’ all the time — proof of employment with a badge, proof of legal age with license.
«Even if [Apple and Google’s] involvement is limited to just providing the storage solution for the certificate itself, many will associate it with being issued by [the company] even if this is not the case,» Gazeley said. «So in this manner, it achieves more for them than the contact tracing app attempts.»
Not everyone is convinced Big Tech will succeed. According to Albert Cahn — whose experiment uploading a picture of Mickey Mouse to the NYC Covid Safe app as proof of vaccination went viral earlier this month — vaccine verification apps open up a Pandora’s box of privacy concerns and are susceptible to counterfeit proof, which could provide a false sense of protection when entering a vaccine-required establishment like a restaurant or workplace.
«The tech companies promised us that exposure notification apps would stop the pandemic. They failed,» said Cahn, founder and executive director of the Surveillance Technology Oversight Project and a fellow at the NYU School of Law. «Now, the vaccine apps will fail us once again, and I fear they will do lasting harm to public trust in the vaccines.»
He said the fact that some apps are easy to forge, not every citizen owns a smartphone and persisting questions around how user data is handled will limit the success of the tools. Chief among the privacy fears, he said, is the question of whether location or medical data will be collected and stored and who will have access to that information.
The companies behind the many apps on the market have said they will not store data, but the perception could nonetheless dissuade some. (The issue has already been politicized this year. For example, Florida Gov. Ron DeSantis banned the use of vaccine passports in the state in April, citing freedom and privacy concerns.)
The Vaccination Credential Initiative — which includes IBM, Microsoft, Salesforce, Oracle, Mayo Clinic and the Commons Project — is playing a key role in developing US standards and guidelines for digital health passes. It requires participating apps to not save data on a central server or be aggregated, so an issuer wouldn’t know a person’s location history.
Still, Cahn argues the money the states spent on developing apps could be better used as financial incentives and paid time off for the vaccine hesitant. His organization reported New York’s Excelsior app cost nearly $27 million to develop — more than 10 times the project’s original budget. (The state told The New York Times it had only spent $4.7 million to date and would only reach the full amount if the program was a success.)
«Despite all of these apps, the best proof of vaccination is still the laminated CDC card I carry in my pocket,» he said.
Another major issue stems from what apps each venue or business decides to require for vaccination proof. Meanwhile, Samsung declined to share if it’ll open its digital wallet up to apps beyond CommonHealth but «without universal acceptance, the impact it will have on cutting down on the [app] noise will remain limited,» Gazeley said.