Since its December 2020 launch of COVID-19 vaccines, the U.S. has set itself apart from many other Western countries by not adopting a nationwide vaccination passport, instead using paper vaccination cards issued by the Centers for Disease Control and Prevention (CDC).
But just because the federal government isn’t directly developing a national vaccine database or vaccine passport system doesn’t mean such systems aren’t in the works.
Additionally, several state-level digital vaccination verification and contact tracing apps have been developed. And state-level vaccination records, including patients’ names, do reach the CDC, though identifiable information is said to be redacted.
Existing medical data privacy laws do not appear to be an obstacle in the development of a nationwide digital vaccination passport.
Pending federal legislation and yet-to-be-enforced aspects of federal law, however, may soon turn a form of national identification cards — and a national vaccination database — into reality, despite concerns.
Biden says it’s up to private sector to develop digital health tracking technology
In the European Union (EU), the 27 member states have digital vaccination passes. In addition to country-level apps, an EU-wide app, the “Green Pass,” is recognized throughout the bloc.
In the U.S., the Biden administration adopted a different approach. As White House Press Secretary Jen Psaki stated in March 2021:
“The government is not now nor will we be supporting a system that requires Americans to carry a credential. There will be no federal vaccinations database, and no federal mandate requiring everyone to obtain a single vaccination credential.”
Instead, Psaki explained:
“We want to drive the market toward meeting public interest goals, so we’ll leverage our resources to ensure that all vaccination credential systems meet key standards, whether that’s universal accessibility, affordability, availability, both digitally and on paper.
“We want to encourage an open marketplace with a variety of private sector companies and nonprofit coalitions developing solutions.”
However, this does not mean the federal government will not be, at least indirectly, involved in the development of a national vaccine passport.
Andy Slavitt, then-acting director for the Centers for Medicare and Medicaid Services, explained in March 2021: “[t]his is going to hit all parts of society, and so naturally, the government is involved.”
Clearly, the Biden administration is not entirely detached from the effort to develop vaccination passports, as demonstrated by Executive Order 13998 of January 2021, which states:
“Consistent with applicable law, the Secretary of State, the Secretary of HHS, and the Secretary of Homeland Security (including through the Administrator of the [Transportation Security Administration, or TSA]), in coordination with any relevant international organizations, shall assess the feasibility of linking COVID-19 vaccination to International Certificates of Vaccination or Prophylaxis (ICVP) and producing electronic versions of ICVPs.”
17 initiatives working on U.S. digital health passes
One non-governmental vaccine passport initiative that is gaining traction is The SMART Health Card.
Described as a “grassroots effort,” the SMART Health Card is not an app but rather open-source computer code that can be used to “ping” a verified source of immunization data in order to produce a QR code.
The card offers digital or paper versions of an individual’s vaccination history allowing them to share this data with others via a scannable QR code. It collects and shares data including an individual’s name, birth date and the dates and brands of the vaccination doses they received.
The card is accompanied by the SMART Health Card Verifier App, whose usage is said to be doubling month over month.
A joint effort of SMART Health IT, Boston Children’s Hospital, and a coalition of private and public organizations known as the Vaccination Credential Initiative, the SMART Health Card is one of at least 17 such initiatives seeking to develop a digital vaccination passport, including:
- The International Air Transport Association (IATA), which has developed the IATA TravelPass.
- CommonPass, developed by The Commons Project and the World Economic Forum (WEF).
- The COVID Credentials Initiative (CCI), developed by Linux Foundation Public Health.
- The IBM Digital Health Pass.
- The Good Health Pass, launched by ID2020; a collaboration between Mastercard, the International Chamber of Commerce and the WEF.
As of this writing, 15 U.S. states and territories (California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Louisiana, Massachusetts, New Jersey, New York, Puerto Rico, Rhode Island, Utah, Virginia and Washington) issue the SMART Health Card.
More than a dozen other countries and jurisdictions also use the card, including Canada, Cyprus, Hong Kong, Israel, Japan, Singapore, the UK and Sydney, Australia, as do several hundred healthcare providers and private pharmacy and retail chains.
According to Klau, in California, 7 million individuals have downloaded their SMART QR code. An estimated 80% of those vaccinated in the U.S. have access to such a card.
Although available information is unclear, the SMART Health Card presumably accesses databases known as Immunization Information Systems (IIS), which exist in all 50 U.S. states, to retrieve an individual’s vaccination data.
The SMART Health Card is an example of the Biden administration’s policy to allow non-governmental actors to develop vaccine passports. But those involved in the project reportedly would have appreciated coordination or at least an endorsement from the administration.
This view is shared by Dakota Gruener, executive director of the ID2020 Alliance, who said in April 2021 that “[t]his [digital health credential] is something that can’t be driven exclusively by the private sector.”
ID2020’s founding partners include Microsoft, the Rockefeller Foundation, Accenture, and GAVI-The Vaccine Alliance (itself a core partner of the World Health Organization), UNICEF, the Bill & Melinda Gates Foundation and the World Bank.
Backers of SMART Health Card include ‘cloak-and-dagger R&D shop’
A closer look at the backers of the Vaccination Credential Initiative (VCI) behind the SMART Health Card reveals a tangled web of private and governmental entities.
VCI describes its mission as “Empowering individuals to gain access to their verifiable clinical information.”
It also proclaims itself “committed to empowering individuals’ access to a trustworthy and verifiable copy of their vaccination records in digital or paper form using open, interoperable standards.”
VCI’s website is copyrighted by the MITRE Corporation, a not-for-profit entity that is also one of the backers of the SMART Health Card.
MITRE is by no means disentangled from the federal government.
Described by Forbes as a “cloak-and-dagger R&D shop” that “runs some of the U.S. government’s most hush-hush science and tech labs,” MITRE manages federally funded research and development centers that support U.S. government agencies across numerous sectors, ranging from healthcare to defense and homeland security to cybersecurity.
Other backers of the SMART Health Card include Amazon Web Services, Microsoft, Oracle, the Mayo Clinic, the Commons Project, and the states of California and New York.
Apple is a member of VCI’s steering group. Google is also a member of the initiative.
The Good Health Pass, launched by ID2020, is another such example. A collaborative effort between Mastercard, the International Chamber of Commerce and the WEF, it is endorsed by embattled former UK Prime Minister Tony Blair, now executive chairman of the Tony Blair Institute for Global Change.
Several of these entities are heavily involved in providing technological and cloud-storage solutions to government agencies and the military.
And as previously reported by The Defender, Mastercard has worked with “FinTech” (financial technology) firms to develop technology that would allow “personal carbon allowances” — limits on carbon consumption — to be built into credit and debit cards.
CDC says no formal national vaccination database … or is there?
Efforts such as the SMART Health Card and the Good Health Pass are, in the U.S. at least, filling the perceived void created by the lack of a national vaccine database and a national digital vaccine passport.
The CDC explains that “[u]nfortunately, there is no national organization that maintains vaccination records. The CDC does not have this information.”
This doesn’t mean the CDC does not track vaccinations taking place nationwide, or that it does not receive data that includes the identities of those who are vaccinated.
As reported by Bloomberg Law, “[t]he CDC says it needs personally identifiable data to monitor vaccine uptake and allow health-care providers to verify the proper administration of doses.”
Where does this information come from?
As Bloomberg Law explains, “[h]ealth information from states — including which vaccine was administered and where it was given — populates several CDC datasets used to track and coordinate vaccinations.”
According to Bloomberg Law, much of the data provided to the CDC “is stripped of personal identifiers pursuant to federal privacy laws.”
The CDC describes state-level vaccination databases (IIS) as:
“[C]onfidential, population-based, computerized databases that record all immunization doses administered by participating providers to persons residing within a given geopolitical area.
“IIS combines immunization information from different sources into a single record and … provides aggregate data on vaccinations for use in surveillance [emphasis added] and program operations, and in guiding public health action with the goals of improving vaccination rates and reducing vaccine-preventable disease.”
These databases are governed by state-level legislation which may include provisions such as informed consent requirements, whether reporting or sharing immunization information is mandatory and whether individuals can opt out of having their immunization data recorded or reported.
IIS databases form part of a broad tapestry of databases that the CDC and U.S. Department of Health and Human Services (HHS) use to track vaccine-related data, in collaboration with the private sector, “to inform decision making regarding COVID-19 vaccination.”
These “secure, certified, cloud-based data management platforms” include:
- Vaccine Administration Management System (VAMS): an “online tool to manage vaccine administration from the time the vaccine arrives at a clinic until it is administered to a recipient,” which “allows for gathering and analysis of real-time or near-real-time vaccination data in vaccination clinics.” This includes COVID-19 vaccines. Notably, “VAMS has robust security that is shared with Amazon Web Services.”
- Immunization Data Lake (IZ Data Lake): “a cloud-hosted data repository to receive, store, manage, and analyze a limited dataset for COVID-19 vaccination data.”
- Tiberius: a vaccine allocation planning system operated by HHS. The $17 million contract for this platform, later expanded to $31 million, was awarded to Palantir, a company that develops “software that empowers organizations to effectively integrate their data, decisions, and operations.” Peter Thiel, co-founder of PayPal and a Facebook board member, is a co-founder of Palantir and currently serves on its board of directors.
- COVID-19 Data Clearinghouse (DCH): which populates the IZ Data Lake with data and which “may also be used by the jurisdiction and/or healthcare providers to enable appropriate administration and dosing for individuals receiving vaccines.”
“[T]he DCH would allow healthcare providers to search for a patient, see what brand of COVID-19 vaccine they received, and see when they received their first dose of COVID-19 vaccine to ensure dose matching and appropriate vaccination intervals to complete the vaccination series.”
The latter database operates under the CDC and HHS COVID-19 Vaccine Reporting Specification, as part of “[a] strong, nationally coordinated approach [that is] critical to collect, track, and analyze vaccination data.”
Through this framework, HHS and CDC request two datasets:
- A record-level identifiable dataset, containing “identifiable data elements” [emphasis added] which are “requested for specific purposes, including to assess and verify second-dose vaccination, to assess vaccine safety, and to allow for critical vaccine effectiveness monitoring. Identifiable elements are also needed to ensure proper deduplication of information for analytic purposes.”
We are told though that “neither HHS nor CDC will have access to or release such identifiable data, including but not limited to names and other identifying information of persons who are the subject of such data, either during the term of this [data use agreement, or DUA] or longer, except as consistent with this DUA or as may be allowed or required by applicable law.”
- A record-level redacted dataset: a dataset residing in the IZ Data Lake and which “is a condensed version of the identifiable dataset and does not include 16 of the 18 identifiers as defined under [HIPAA].”
It is clear these databases collect personally identifiable vaccination information, even though we are told federal agencies such as the CDC and HHS do not have access to personal data.
A tangled web of private-government collaborations
It is difficult to fully ascertain which companies manage each of the cloud-based databases used by the CDC and other related federal agencies.
However, available information sheds light on companies that are closely related to the intelligence establishment, and in some cases, also associated with efforts to privately develop vaccine passports.
According to Bloomberg Law, the government-run COVID-19 Vaccine Reporting Specification system, for instance, is “hosted on an Oracle cloud infrastructure.”
Another firm, Perspecta, developed the CDC COVID Data Tracker, in addition to “COVID-19 internal dashboards that provide dynamic and interactive visualizations of epidemiologic data” and the following:
“[T]he Perspecta team supplies ongoing evaluation of the impact of social distancing measures on near-real-time population movement in the United States. That data is used to identify areas with social gatherings and/or increased COVID-19 risk for targeted public health communication messaging via smartphone media channels.”
This system appears to be a product of a $40 million, five-year contract awarded to Perspecta in 2018 for the CDC’s Geospatial Research, Analysis, and Services Program, or GRASP, “to use geospatial information to respond to public health threats” and to link “geographic information system science analytics, technology and visualization capabilities to public health initiatives.”
The company more recently was awarded a $60 million contract from the CDC for cloud computing tasks. In August 2020, the U.S. Department of Homeland Security (DHS) awarded Perspecta a $112 million contract for “managed IT services for data center and cloud migration support.”
For instance, Mike Kirkland, Perspecta’s senior vice president, offerings and solution development, is a former Lockheed Martin senior fellow and chief technology officer for intelligence.
Perspecta President and General Manager Petros Mouchtaris was formerly director of Oracle’s product development and a principal investigator for projects funded by the Defense Advanced Research Projects Agency (DARPA).
Kirkland, Mouchtaris, and other Perspecta executives previously were affiliated with Vencore Labs, which in 2018 was merged into Perspecta.
A look at the Peraton advisory board reveals a who’s who of national intelligence personnel, including Jeanne Tisinger, who served as deputy director of support for the Central Intelligence Agency (CIA).
Also of note is a $2 million contract awarded in 2018 by the CDC to Four Points Technology, a technology services reseller, to provide the agency with an unspecified Amazon Web Services cloud hosting task.
In 2014, Amazon Web Services received a $600 million contract from the CIA for cloud computing services, while in 2020, the CIA awarded its Commercial Cloud Enterprise (C2E) contract to five companies: Amazon Web Services, Google, IBM, Microsoft and Oracle.
Vaccine passports and U.S. law
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) “is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”
While HIPAA makes provisions for the privacy of health data, according to Bloomberg Law it also contains “carve-outs for public health entities — allowing them in many instances to share data without explicit patient permission,” even if in some states, individuals may opt out.
As previously reported by The Defender, the U.S. House of Representatives on Nov. 30, 2021, passed H.R. 550, the Immunization Infrastructure Modernization Act of 2021. The bill is pending before the U.S. Senate, where it is being reviewed by the Committee on Health, Education, Labor, and Pensions.
If passed by Congress, H.R. 550 would provide $400 million in funding to expand vaccine-tracking systems at the state and local level, enabling state health officials to monitor the vaccination status of American citizens and to provide this information to the federal government.
Vaccine passports and no-fly lists for the non-vaccinated — a concept Fauci supports — could be created under the law.
No action appears to have been taken on this bill by the Senate since it was received on Dec. 1, 2021.
At the state level, a bill before the Illinois House of Representatives, House Bill 4244, would take effect in 2023 and would amend the state’s Immunization Data Registry Act by requiring “healthcare providers, physician’s designees or pharmacist’s designees” to provide the Illinois Department of Public Health with the immunization records and private medical information of every Illinois resident.
Some states write laws to enact vaccine passport systems, enact bans
As mentioned previously, 15 states have adopted the SMART Health Card for digital verification of an individual’s COVID vaccination status.
New York made a “blueprint” of its vaccine pass platform available, “as a guide to assist other states, territories, and entities in the expansion of compatible COVID-19 vaccine credential systems to advance economic development efforts nationwide.”
Other states have developed online portals that allow individuals to receive and download a QR code verifying their COVID vaccination status.
These states include California, via its Digital COVID-19 Vaccine Record portal, Connecticut through its CT WiZ portal and Illinois via its Vax Verify system, which utilizes data broker Experian — itself no stranger to controversy — to verify the identity of those accessing the online system. The system even requests the person’s Social Security Number to streamline the process.
Other states have developed digital COVID exposure and contact tracing apps. These include California’s CA Notify, Hawaii’s AlohaSafe Alert, Oregon’s Exposure Notifications App (developed by Google and Apple) and Washington’s WA Notify app.
Illustrating the controversy over such digital verification apps, however, 20 states have prohibited proof-of-vaccination requirements, according to Ballotpedia.
The evolution of federal digital ID legislation in the U.S.
Many countries have instituted mandatory nationwide identification cards, linked to a national database.
For instance, in Greece, the national social security number used for COVID vaccination appointments is linked to one’s tax identification number. These databases serve as the backbone supplying vaccination data to Greece’s ‘Green Pass’.
Similarly, as reported by The Defender, 96% of users of the Ayushman Bharat Digital Mission, India’s digital health ID system, are linked with India’s controversial national biometric identification system, Aadhaar.
In this regard, the U.S. is an outlier among western nations — efforts to develop a national identifier, or to appropriate the Social Security Number as a national ID, have long been resisted.
The Sept. 11, 2001, attacks in the U.S., however, spurred renewed interest in developing a national ID card system, with Larry Ellison, head of Oracle, championing such a system and offering to donate the technology to develop it.
The legislation that ultimately emerged was the REAL ID Act of 2005, passed by the U.S. Congress with no hearings, after being inserted as a rider to a bill providing tsunami relief and military appropriations.
This REAL ID Act requires states to standardize driver’s licenses into a single national identity card and database. According to the law, such documentation cannot be accepted for “federal purposes” without meeting all of the law’s conditions.
With numerous states opposing the law, and delays caused by COVID-19, it has not fully been implemented. The final deadline for full enforcement of the law by the DHS was repeatedly postponed, most recently to May 3, 2023.
In the interim, the original legislation was updated. In June 2017, the National Institute of Standards and Technology published Digital Identity Guidelines, which include recommendations for improving national identity, credentials and access management.
On Dec. 28, 2020, Congress passed the REAL ID Modernization Act, which includes a provision to “[a]ccept the identity and lawful status information from individuals using electronic transmission methods.”
Additional legislation is pending before Congress. The Digital Identity Act 2021 is currently before the Oversight and Reform; Science, Space, and Technology; and Ways and Means committees in the House of Representatives.
The aim of this legislation is “[t]o establish a governmentwide approach to improving digital identity, and for other purposes,” including via the establishment of “a framework of standards, methodologies, procedures, and processes … as a guide for Federal, State, and local governments to follow when providing services to support digital identity verification.”
Another similar federal effort, the National Strategy for Trusted Identities in Cyberspace, launched by the Obama administration, floundered, as it was not adopted by any service providers.
Critics say passports are ‘the makings of a social credit system’
At the political and legislative level, opposition to vaccine passports in the U.S. has manifested itself in the form of bans in 20 states, as mentioned above.
There have also been protests. On Jan. 23, about 30,000 people attended a “Defeat the Mandates” rally in Washington, D.C. And some U.S. truckers joined with Canadian truckers in an 11,000, 93-mile-long “Freedom Convoy” to protest Canada’s mandate that all Canadian and U.S. truckers crossing the Canada-U.S. border provide proof of vaccination.
In Europe, Green Pass restrictions on the non-vaccinated, along with vaccine mandates in many countries, have prompted large-scale protests, including the Jan. 23 protest estimated to have brought between 50,000 and 600,000 people to Brussels.
Some civil society organizations in the U.S. have expressed concerns over vaccine passports.
The Electronic Frontier Foundation (EFF) described the passports, in various blog postings, as “a stamp of inequality” and as “digital vaccine bouncers,” warning that “[t]his new infrastructure and culture will be difficult to dismantle when we reach herd immunity.”
“This would be a giant step towards pervasive tracking of our day-to-day movements. And these systems would create new ways for corporations to monetize our data and for thieves to steal our data … they will give rise to new databases of information not protected by any privacy law and transmitted on a daily basis far more frequently than submitting a one-time paper proof-of-vaccination to a school.
“Since we have no adequate federal data privacy law, we are relying on the pinky-promises of private companies to keep our data private and secure.”
The EFF said data collected with each scan in a vaccine passport system could be pooled and sold by (and to) businesses or government, adding there have been examples of law enforcement purchasing commercially-available geolocation data, while a restaurant reservation app, OpenTable, is integrating vaccination credentials into its system.
New York’s Excelsior Pass also raised concerns, due to the discovery of a “phase 2” of the Excelsior Pass project, estimated to cost $27 million, expanding the documentation the app can contain, including driver’s licenses.
In the UK, Entrust, the IT firm hired to develop the national COVID passport, suggested the digital infrastructure be repurposed into “a national citizen ID program.”
The Defender recently reported on efforts to develop such “digital wallets,” containing documents such as driver’s licenses, birth certificates and health credentials, in several states and countries.
These examples highlight the ease with which vaccine passports can become all-encompassing. As the EFF described, “[o]nce the infrastructure is built, it requires just a few lines of code to turn digital bouncers into digital panopticons.”
In an interview with The Defender, Catherine Austin Fitts, publisher of The Solari Report and former U.S. assistant secretary of housing and urban development, explained how only a minor tweak to a digital passport app’s algorithm would be enough to repurpose it for another use.
According to Fitts, digital vaccine passport systems, far from enforcing “mass formation psychosis,” deliver “fully automated control to the individual level.”
“Running on an automated basis — one person at a time — the control system uses AI, software, and invasive surveillance implemented through smartphones, TVs, computers, Wi-Fi, and various other digital devices.
“These individualized systems are now being used to engineer both a global coup and a new totalitarian system, with our home, our car, and our office — all our intimate spaces — converted into a digital concentration camp managed on a one-by-one basis.”
Also remarking on the issue, Michael Rectenwald, chief academic officer of American Scholars and author of “Google Archipelago: The Digital Gulag and the Simulation of Freedom,” told The Defender, “Privacy has already been destroyed; this is the makings of a social credit system.”
France, for instance, recently converted its version of the Green Pass to “vaccinated only,” meaning that individuals who could previously access various public and private spaces with a negative COVID test can no longer do so.
In the U.S., the EFF and the American Civil Liberties Union (ACLU) have raised questions about National ID cards, including efforts to develop such a regime in the U.S.
The EFF warned “today’s vaccine passport will act as a catalyst toward tomorrow’s system of national digital identification that can be used to systematically collect and store our personal information.”
The EFF argued:
“National ID cards and the databases behind them comprise the cornerstone of government surveillance systems that creates risks to privacy and anonymity. The requirement to produce identity cards on-demand habituates citizens into participating in their own surveillance and social control.
“Mandatory national ID cards violate essential civil liberties. They increase the power of authorities to reduce your freedoms to those granted by the card.”
The ACLU warned that the Real ID Act, if and when fully implemented, “would facilitate the tracking of data on individuals and bring government into the very center of every citizen’s life” and “would have a tremendously destructive impact on privacy.”
The complaint stated:
“The government and private companies are collecting, storing, and accessing personal health information at a massive scale.
“Multiple studies have shown that industry standards for deidentified data (e.g., sharing so-called ‘aggregated’ mobile location data) fail to preserve anonymity and can still lead to privacy breaches.”
Others have openly wondered how long COVID passports are intended to last. The Atlantic questioned the lack of a sunset date on such mandates.
EFF echoed those concerns:
“When we get to an approximation of normal, what is the plan for vaccine passports? Most proposals are not clear on this point. What will become of that medical data? Will there be a push for making this a permanent part of life?”
All in the name of ‘protecting’ public health
Then there is the issue that brings us back to the purported purpose of vaccine passports: protecting public health.
As the vaccinated can both transmit and be infected by COVID, some have questioned the “public health” argument that we need vaccine passports.
In response to such criticism, authorities in Greece announced they would temporarily disable the Green Pass for those with active COVID infections.
Legislative gaps have also become apparent in the U.S. and other countries. In Norway, conversely, national law does not allow employers to demand vaccination of employees, while Sweden’s constitution guarantees freedom of movement.
Ultimately though, in looking at the U.S., it is apparent that even without a formal national CDC vaccination database, such an infrastructure already exists — and has enabled the development of tools such as the SMART Health Card.