New York’s Excelsior Pass is getting more popular. Since it launched in March, the digital vaccine platform has issued millions of passes, which allow people to display proof of vaccination or negative test results via an app developed by the state. But not many businesses are using the Excelsior Pass’s signature feature: a scannable QR code that can quickly verify customers’ vaccination status by checking state records.
While New York state has issued 6 million total Excelsior Passes in the 29 weeks since launch, those passes have been scanned just over 314,000 times, the governor’s office told Recode on Thursday. That amounts to an average of about 10,800 scans per week. The app that businesses use to scan Excelsior Pass QR codes has been downloaded around 156,000 times.
New York, the first state to launch an app-based vaccine passport system, paid IBM millions of dollars to help build the Excelsior Pass platform. The system was designed to make reopening safer by providing businesses with a more secure way to confirm vaccination status than checking paper CDC cards, which are easily forged. But neither New York state nor New York City require businesses to scan the Excelsior Pass, and the low number of total scans suggests the Excelsior Pass is too complicated for its own good. Meanwhile, workers don’t have a strong incentive to prolong the process of checking people’s proof of vaccination when they already face harassment from customers angry about Covid-19 guidelines.
Recode first learned that statewide scanning activity was low between March and June after obtaining a report from the New York Office of Information Technology Services through a public records request. The governor’s office then shared the latest data, which showed a similar trend. The scanning figures also match up with anecdotal evidence from more than a dozen New Yorkers who spoke to Recode, all of whom have used the Excelsior Pass but said their QR codes are rarely or never scanned.
“I’ve been to a number of places, more than 10 times. Basically, every time I go out, they look at it, but there’s no scanning,” Bruna Martins, a marketing manager who lives in Manhattan, said. “They don’t even have a scanner.”
“They just sort of look at it. ‘Oh, hey, it’s on your phone. It exists, great.’ I’ve never had anyone scan the QR code,” said Matt Gross, a digital strategist based in Brooklyn.
While New Yorkers said the app was a convenient way to store proof of vaccination, they weren’t sure why the Excelsior Pass included a QR code. Some said they didn’t even know there was a separate scanning app.
How the Excelsior Pass is supposed to work
The Excelsior Pass system includes two apps: the NYS Excelsior Pass Wallet app, which customers use to store their Excelsior Passes, and the NYS Excelsior Pass Scanner app, which venues use to scan the passes’ QR codes.
New Yorkers can download their individual Excelsior Pass from the state government website by providing personal details such as their name and birthday. The site also asks for the type of vaccine the person received as well as the date of their most recent doses, after which the system cross-checks the information against a state-run immunization database. If everything checks out, the state issues the person an Excelsior Vaccination Pass, which displays their QR code, name, and birthday. There’s also a newer option to retrieve an Excelsior Pass Plus, which also shows the type of vaccine a person received and the date of their doses. The Excelsior Pass system also works with test results and verification systems in other states.
Restaurants, movie theaters, and other venues are supposed to download the NYS Excelsior Pass Scanner app to scan their customers’ passes. When this app scans a QR code, the technology checks to see whether the user’s vaccination information matches the state’s records and is still valid. The scanner app then displays an alert, like “valid,” “expired,” or “not found.” Businesses are also supposed to check that the name on someone’s pass matches their official state ID.
New York has advertised the Excelsior Pass system as an advanced tool that could help the state reopen safely and quickly. To build this system, New York’s Office of Business Information Services agreed to pay IBM an initial $2.5 million to build a state-specific version of the company’s existing blockchain-based Digital Health Pass technology. Depending on how many Excelsior Passes are downloaded over the next three years, however, IBM could earn up to $12.3 million more in licensing fees. Overall, the project could cost as much as $27 million, according to the New York Times. The IBM contract also stipulates that the Excelsior Pass technology could be repurposed for other tasks in the future, like confirming someone’s age or checking their driver’s license.
The Excelsior Pass is rarely scanned
Some Excelsior Pass users say they’re surprised when a venue asks to scan their app. Alina Butareva, a communications professional based in Brooklyn, told Recode that the Barclays Center is the only venue that’s ever scanned her Excelsior Pass. Martins, the marketing manager, said that her code has only been scanned by Pasquale Jones, an Italian restaurant.
Meanwhile, it’s service workers who have the unpleasant job of enforcing New York City’s indoor vaccine mandate. While they can glance at a CDC card and driver’s license, using a new app and scanning QR codes could make the already taxing process of checking vaccine statuses more tedious. After all, these workers have faced abuse, violence, and sexual harassment when trying to enforce public health measures during the pandemic.
When asked about the scanner app’s limited usage, the architect of the Excelsior Pass program, Sandra Beattie, emphasized that venues have a choice when it comes to scanning the passes’ QR codes.
“As more strict measures have been put in place, we see scanning activity increase, but that scanning activity is up to the cooperation of individuals, no matter how you’re interacting,” Beattie, the first deputy director of the New York State Division of the Budget, told Recode. “The scanner is optional — recommended, not mandated.”
Leaving the verification piece out of the process is problematic, according to Siddarth Adukia, the technical director at the cybersecurity firm NCC Group.
“If you just look at the pass on a user’s device, that’s no guarantee that the user is actually vaccinated or the credential is genuine,” Adukia said. While he thought the scanning number seemed low, Adukia said it matched up with his own experience visiting venues in New York City.
SMART Health Cards, which are vaccine passes that adhere to a set of standards developed by the Vaccine Credential Institute. Smart Health Cards are currently being used by businesses in California, Hawaii, Louisiana, and Virginia. New York state also upgraded its Excelsior Pass Scanner app so that it can scan out-of-state SMART Health Cards, too.
While Excelsior Pass started out as a tool to help New York businesses recover from the pandemic, the state is now exploring how the platform could be retrofitted to verify other types of records and credentials. New York hasn’t decided exactly what the Excelsior Pass system could be used for next, but it is confident there’s a role for these apps in the future.
“Probably one of the biggest lessons learned coming out of the Covid environment [is] our experience with the digital vaccine credential, in that it’s accelerated our thinking about digital governments,” Beattie told Recode.
But if New York’s experience with Excelsior Pass is any indication, when faced with digital solutions, the government can overengineer problems that have more analog solutions. After all, it’s not clear how valuable these high-tech tools will be if people don’t actually use them.