Vaccine passport for Bills games reignites debates over legality and user privacy

WBEN Legal Analyst Paul Cambria and Cybersecurity Expert Arun Vishwanath weigh in on Excelsior Pass
Excelsior Pass
Photo credit NYS

BUFFALO, N.Y. (WBEN) - The decision by Erie County Executive Mark Poloncarz to mandate that people get a COVID-19 vaccine and provide proof in order to attend Bills and Sabres games in the fall has reignited the debate over vaccine passports and whether or not they are legal.

New York State and IBM partnered to create the "Excelsior Pass" app last month. The application allows you to confirm either a negative COVID-19 test or proof that you have received a COVID-19 vaccination. Governor Andrew Cuomo said this will "fast-track" the reopening of businesses and event venues.

Critics of the initiative have shared concerns about user privacy and security. The governors of Texas and Florida have issued a ban on the vaccine passports. The Biden administration is also not supporting a system that requires a credential.

"Our interest is very simple from the federal government, which is American's privacy and rights should be protected so that these systems are not used against people unfairly," White House Press Secretary Jen Psaki said last week.

WBEN Legal Analyst Paul Cambria said he could see a court embracing the initiative and confirming it is legal.

"It'll be interesting," Cambria said. "If they pursue the same path that has been pursued with vaccines at schools, for example, there's a possibility the court could uphold that by saying it's a public health situation and that personal beliefs and desires are subservient to the public good."

But there are concerns about the requirement of the passport. Children under the age of 16 are ineligible to receive the vaccine, meaning they would be denied entry to the stadium if they cannot get a vaccine. Fans who live outside of New York State are also unable to verify a vaccine since the app uses information from the New York State Department of Health.

"There will be a number of people who could take the position that because they either can't have the vaccine, maybe they're allergic to it or what-have-you, or are of a certain age and health situation, that they shouldn't be discriminated against," Cambria said. "They may very well try to say that it violates the Citizens with Disability Act. This is a brand new area and I could see these two things coming into play. Personal privacy situation or personal choice, perhaps a substantive due process argument. On the other side of the coin, there's a pandemic and the overall health of the population is more important than individual choices, so we're going to follow the same path we did with mass vaccination as we did in going to school."

Poloncarz said he does not want any exemptions to the vaccine requirement, even for religious or medical reasons. He also said there is plenty of time to work out the details of the policy as it relates to kids and out-of-state fans.

User Privacy and Security

Cybersecurity expert Arun Vishwanath is worried about the prospect of people taking other people's information using the app.

"There's a lot of people who have put out their vaccine data," he said. "All you have to do is upload that data. That's all you really need. You can get this QR code and once you get the QR code...if you have an ID that looks the same, you can walk into this venue. This is easy to replicate and easy to spread to the wrong hands."

The app, by itself, does not track or store user data. According to the terms and conditions, the disclosure of information is for the  "strictly limited purpose of a one-time identity verification to confirm whether you meet the criteria necessary to enter the venue." Disclosure of the information gives the state access to information from the health department to generate a pass.

"The QR code is basically like a bar code that computers read," he said. "It doesn't track you. That's not a concern. But the data that they have is already with them and the problem here is could that data be re-used by someone else? Could it fall in the wrong hands? Those are bigger concerns than the state tracking you."

Most smartphones can download the Excelsior Pass, though iPhones that have an operating system that predates iOS 13.0 cannot use the app. One alternative is to use, where you can enter your name, birth date, and zip code. If you are fully vaccinated, you will be able to manually print the QR code.

"The app is tying into our system," Poloncarz said. "We know if you've been vaccinated. We know if you haven't been vaccinated...If you're using health care in New York State, the health care providers have a right and access to get your information. For those who are like 'I don't want to do it because the government will know I've been vaccinated,' we already know. This will ensure it's a safe environment so that people can come."

Featured Image Photo Credit: NYS