Vax passports - theory and practice

by tkpwaeub8 min read3rd Oct 202118 comments

17

Covid-19
Frontpage

It’s been about three weeks since New York City began - at least, nominally - enforcing its new Key to NYC program. That’s our new mandate requiring proof of vaccination for indoor dining. I’ve eaten out several times since it started, and I think that’s given me some new insight into how this ordinance is going to work. I’m not nearly as skeptical of it as I was, and I hope that what I’m about to share helps convince some of the businesses that are hostile to the idea that it’s worth their effort to comply cheerfully. 

I work for state government, and I’ve been doing a lot of field work lately in different parts of the city - Queens and Staten Island, to be specific. Staten Island, as I’m sure you’re aware, is somewhat more Republican than the rest of the city, so not surprisingly there’s a bit more resistance to the mandate. A few places I saw had desperate handwritten signs saying “Take Out Only”. One pizza parlor in Brooklyn turned its tables upside down. A Dunkin Donuts in Queens had a sign that apologized for being closed for indoor dining for the foreseeable future. I encountered outright defiance at a deli in Manhattan’s financial district when I showed my CDC card. I can’t remember the exact words but it was something like “I don’t care if you’re not vaccinated, I don’t believe in all that.” It’s not clear what the cashier hoped to gain by saying that. A few doors down, at a similar place, they were keeping their trays behind the counter, and when I asked for a tray, they asked to see my CDC card and took down my name and number “in case the health department came around.” A diner in Hell’s Kitchen had the dining section cordoned off, and checked my ID and CDC card (I have both on a lanyard) at a distance of about four feet. I very much doubt they were able to read either. More on that below. 

In the month between when the order was announced and the beginning of enforcement, it seems there wasn’t a lot done to educate the general public. Whether that’s because of a lack of resources or because they genuinely didn’t know exactly how to educate people on it is anyone’s guess. There’s very little daylight between education and regulation. The best auditors I know are the ones who are able to teach regulated entities the how’s and why’s of compliance. I don’t know the extent to which venues were provided with education and guidance. 

This was the week the pieces of the puzzle really came together for me. I’ll try to break down the various pieces, and do my best to put them together. 

The first piece of the puzzle is who the mandate is directed at. Namely, customers. The sign that’s supposed to be posted on the door to every restaurant makes that clear: “New York City requires you to be vaccinated against Covid-19 to enter.” This is significant; the primary target of the regulation is the individuals, not businesses. The mandate requires businesses to post signs and check if you’re vaccinated. It doesn’t require businesses to verify, authenticate, examine, or analyze the proof that’s presented to them. The incident at Carmine’s provides a good example of what’s not required. Namely, businesses are not expected to police incoming patrons. They’re not expected to spot forgeries, for instance. Indeed the types of proof of vaccination  and identity could include documents from so many different jurisdictions that it’s simply not possible to keep up. You’d have to develop some sort of point system similar to what’s used at the DMV to “score” various types of documents. There’s a similar scoring system for employment eligibility documents, where you have to prove identity and work eligibility. And in practice, when private businesses do attempt to “play cop” things can get bad pretty quickly. This is exactly what happened at Carmine’s when the waitress suspected that some of the CDC cards were fake, and given the racial aspects, it has eerie parallels with the George Floyd incident in 2020 - which began when a clerk suspected that a $20 bill was fake. Selective enforcement, profiling, and alert fatigue are all real issues - but they aren’t if we allow for the process to be something less demanding. 

So what exactly is expected, if it’s not a rigorous verification? Answer: it’s a legal ritual that signifies that the incoming customer accepts the mandate. The proof of vaccination and identity are props in a ceremony. This appearance of rigor isn’t about end results, but about solemnity. It’s similar to what I do when I notarize stuff for people. In fact, I’ve notarized quite a lot of stuff for people over the past 18+ months.  First, I notarized a lot of things online pursuant to New York’s executive order. Then when I got vaccinated and the executive order expired, I started notarizing things for people in my building. (You’ll be interested to know that notaries aren’t allowed to refuse to notarize things for unvaccinated people; good thing I had my booster). Here’s what happens when I notarize stuff. You give me your ID. I look at it. I check that it has your name on it, that it has someone’s photo, and that it indicates some sort of state, city, school, or country. What I don’t do - and what I’m not required to do - is do any sort of in-depth examination of whether you’ve presented me with something fake. Nor do I do a careful examination of your handwriting, against the signature on your ID. Handwriting changes over time, people injure their dominant hands, and handwriting analysis is a pretty hoaky pseudo-science anyway. When it comes to the document being notarized, I don’t check to see if you’re of sound mind (I’m not a psychologist) and when I’m administering an oath I have no way of knowing whether you actually believe what you’re signing your name to - I’m not a polygraph machine.I don’t do any of these things. That’s because it’s not about the genuineness of the documents that are presented; it’s the act of presenting the documents. Some of my friends who’ve worked as bouncers at bars describe a similar standard. It’s all about the act. These kinds of ceremonial acts are predicated on the idea of accepting whatever putative proof is presented - emphasizing the sanctity of the fragile web of trust that binds us together. Indeed, forgery wouldn’t be considered such a serious crime if rank and file officials like me were expected to catch fakes with ease - the system would be self-healing. 

This may seem horrific to the people who expect at-the-door vaccination checks to screen people out. Even the most well-designed app can’t do that. Louisiana’s mobile driver’s license comes close - the “bouncer” scans the QR code and pulls up your name, photo, and vaccination status from an official state database. But even there, there’s a real risk of “deep fakes” - indeed, there have already been cases of anti-vax pharmacists entering fraudulent information in official immunization registries. That’s pretty much the perfect crime, once it’s been pulled off. The only way one could ever catch it would be to start taking random antibody titers of restaurant patrons. The only real value these sorts of upgrades have is to increase the solemnity of the ritual. Going back to the notary analogy, the QR codes and phone apps are similar to the fancy “seal” that some notaries (who aren’t me) like to use. New York stopped requiring seals a while ago. And we don’t even require stamps any more - the notary just needs to put their name, license number, county where they were qualified, and date of expiration of their commission. 

It’s easy to dismiss all this as mere “verification theater.” Surely, with a deadly infectious disease, we should have something a bit more airtight? But the level of enforcement for that kind of system is a fool’s errand. It would require, among other things, thousands of undercover cops to present fake-fake-proof to people checking ID’s, just to “see if they’re on the ball.” I very much doubt that’s going to happen. As it is, we don’t have the manpower for that, because that sort of “secret shopper” thing is a pretty specialized skill set, and government workers  have been retiring in droves. To its credit, the city appears to be pulling people from multiple municipal agencies to verify compliance, but the kind of compliance they’re looking for is exactly the kind of ritual described above: are the people doing the verification conveying sufficient solemnity and gravitas? If so, the venue gets its check mark. My guess is that it’s being incorporated into annual and semi-annual inspections done by various agencies as “one more thing to look for” as a way of reducing the marginal cost. That’s probably considered sufficient - and rightly so. 

Viewing the process in this way should be good news for venues concerned about compliance with the mandate. And just because there isn’t an expectation of rigorous examination of documents doesn’t mean it’s not working. If it convinces a few more people to get vaccinated, it’s working. If it conveys seriousness, it’s working. If it causes infection rates to go down, it’s working. And if it survives as a banal ritual, that’s something I can live with. Venues are not being asked to play “cop”, they’re being asked to be notaries. Or wedding officiants. Take your pick. 

And viewing the checking process as a ritual has some interesting corollaries. First and foremost, the solemnity of the ritual can be imbued with a deeper meaning. When you’re being asked to show your proof, pause for a moment to think of the hundreds of thousands of lives lost to this deadly disease, and if it hasn’t touched you, give thanks to whatever gods you believe in. Second, think of whatever follows - the nice meal, the movie, the concert - as a post-ritual celebration, following the formal ceremony when you enter the room. Third, consider tipping the “vaccine bouncer” on the way out. It’s customary to tip wedding officiants, bars typically have cover charges for exactly this reason, and this author accepts payment for his notarial services. 

The process of having to check vaccination status need not be the burdensome policing task feared by many restaurant owners. It can be beautiful. 


 

17

18 comments, sorted by Highlighting new comments since Today at 1:21 PM
New Comment

How strongly are anti-vaxxers incentivised to create fake vaccine passports, anyways? There's a certain aspect that you mentioned—accepting the solemnity of the ritual requires that one submits to the rules, that they agree that they need to show a vaccine card to enter restaurants. Anti-vaxxers by and large either fundamentally object to the vaccine and are proud of that fact, or they are still hesitant to get the vaccine because they're scared of it/think they don't need it/it's too much of an inconvenience/whatever else. For the first group, showing a fake vaccine card shows submission and acceptance to vaccination. To the second, obtaining a vaccine card when free vaccines are available basically everywhere takes both a measure of effort and willingness to blatantly lie that doesn't seem particularly common amongst a population. Thus, I think that at the very least, requiring vaccines to do something will cause large decreases in the number of unvaccinated people doing that thing. I also believe that requiring vaccines to access large and growing parts of everyday life will directly increase the number of vaccinated people, although admittedly I am less confident in this assertion.

Excellent point. I'm reminded of this joke:

 

A man buys two horses but he can’t tell them apart, so he asks the farmer next door what to do. He says to cut one of their tails off. So the man does. But then the other horse’s tail gets caught in a bush and rips off. So again, he can’t tell them apart again.

He asks the farmer for his advice a second time. He tells him to cut one of the horse’s ears. So he does. But then the other horse gets its ear ripped in a barbed wire fence.

Again, he asks the farmer what to do and he tells her to measure them.

He comes back and says: “Thanks for your advice. It turns out the white horse is two inches taller than the black horse

You may underestimate the second group. People who are convinced that the government is mandating poisonous treatment are pretty paranoid to begin with and as many paranoid people, they will attempt to hide and blend in in any way they can manage to avoid the poisonous treatment.

They...sorta hide it, but then I think they tend to give themselves away. I think they're actually proud of their paranoia, and that's hard to contain.

Of course, those ones are much easier to notice, so it's not very informative about the people who are good at hiding it.

Fair point, but remember we're talking about people who are refusing to take life saving medication, for ideological reasons. So it's reasonable to expect they aren't so great at hiding stuff, and that they like to talk.

An anti-vaxxer co-worker of mine floored me once when she bragged about reusing uncancelled stamps. I'm her union rep, and I gently reminded her that (a) She was committing mail fraud. (b) Postal workers depend on revenue from mail to earn their salaries, and they're unionized civil servants like us.

This sounds like horns effect to me. There's no reason to assume "disagrees with you about the costs and benefits of a vaccine" has any correlation with "unskilled at lying", even if they disagree for dumb reasons and are wrong.

I agree with you that there's a set of people who will loudly announce their opposition, because they view it as the principled thing to do. But I've also seen people on reddit or mommy forums discuss the joy of successfully passing their unvaccinated kids off as vaccinated.

FYI, there is an enforcement mechanism for fake vaccination credentials, separate and distinct from what we expect (or even should expect) of "gatekeepers": fraud reporting from the public:

https://portal.311.nyc.gov/article/?kanumber=KA-03447

and

https://dos.ny.gov/news/consumer-alert-new-york-state-division-consumer-protection-warns-new-yorkers-about-risks-fake

and last but not least:

https://oig.hhs.gov/fraud/report-fraud/

The Key to NYC provides that gatekeepers can report fraud, but doesn't require them to. Fraud reporting is outsourced to the general public, so that the gatekeeper role can remain a purely administrative control (rather than an engineering control).

when a clerk suspected that a $20 bill was fake

Which was in fact true.

Actually we don't know that the $20 bill was fake. That's not been made public one way or another. In fact, the "starch pens" return a lot of "false positives".

The point is that clerks aren't actually legally required to "suspect" anything. This was imposed by his employer.

Compare how it's done in Europe: Vaccinations happen in vaccination centres, and your status as well as the vaccine details (lot number etc) get registered with the government. Each country has an app that generates a QR code that is common throughout the EU, and restaurants etc can check it in places which require a vaccine passport. I'm more inclined to trust those than some random cards which are often handwritten!

No argument there. Even with that, there's still the very human process of checking, which still ends up being ministerial (especially if they're having to check people against photo ID's, etc - I look nothing like my drivers license, especially when I forget to shave).

Things will get better on that front (more and more places seem to be adopting the SMART Health Card framework, and mobile drivers licenses are becoming more common) but that's going to take time.

Every little bit counts though, and if some mandates are less enforced (or not enforced at all) that still sends a general message. The really important point is that the ultimate target of the mandates is the individual, not the business. To the extent that it really matters, individuals who openly defy vaccination mandates will get caught, especially when we take underlying controls into account (cell phone data, credit card transactions, security footage, etc). We will certainly be able to trace outbreaks back to unvaccinated individuals, as needed.

This may seem horrific to the people who expect at-the-door vaccination checks to screen people out. Even the most well-designed app can’t do that. Louisiana’s mobile driver’s license comes close - the “bouncer” scans the QR code and pulls up your name, photo, and vaccination status from an official state database. But even there, there’s a real risk of “deep fakes” - indeed, there have already been cases of anti-vax pharmacists entering fraudulent information in official immunization registries. That’s pretty much the perfect crime, once it’s been pulled off. The only way one could ever catch it would be to start taking random antibody titers of restaurant patrons.

This sounds like a mistake people new to computer security sometimes make. You hear "well, here's how you could defeat that control, so we shouldn't do it". It's not that simple. It's absolutely true that sometimes the assurance isn't worth it, sure, but sometimes it is. And not only because of "ritual deterrence".

Remember that the goal isn't, or shouldn't be, to get "perfect" success. It's to cut down on the number (and impact) of failures. That's true in computer security, and even more true in disease spread.

Even if you can't make violations impossible, making them significantly harder truly does reduce the number of actual problems. That applies even when you're dealing with professional criminal adversaries who aren't deterred in any way by "rituals" and who fully understand the limitations of your measures. It applies even more than that when you're dealing with casual adversaries. And, frankly, it applies even more than that when you're dealing with stupid adversaries, who are surprisingly common in some circumstances.

It's significantly harder to find a complicit pharmacist, or to otherwise subvert a public record, than it is to simply fake a piece of paper. The difficulty very probably deters a large number of people, and the complexity creates a real risk of getting caught.

Auditing is interesting. A lot of auditors really do seem to get conditioned to performing rituals, without really giving thought to impact. And since the formal rules auditors are asked to enforce are often SO BADLY THOUGHT OUT, I suppose that maintaining your sanity as an auditor might force you to avoid looking to hard at effectiveness beyond ritual. But that effectiveness really is there, or at least can be.

... and, by the way, it sounds like you notaries need to up your game. At least if somebody comes to you with state-issued ID from the state you're operating in, there is really no reason you should not be able to at least check the photo in the issuer's database.

No, we don't need to "up our game". It's simply not a legal requirement for laypeople - civilians - to identify fakes. And it shouldn't be. That's not our role. We help prevent fraud by emphatically communicating, through our words and our affect, that signing your name to something is a big fucking deal.

Auditors don't need to "up their game" either for systems to be effective. The role of venues is to communicate the mandate to its targets (the general public), not to "enforce" it.

Employers are another matter because they have the infrastructure to implement engineering controls (chipped ID cards, key fobs, turnstiles, panic buttons)

You might not know this, but in case you do

Is it true that Key to New York program makes no distinction between first and second shot, and you are literally considered vaccinated as soon as the first shot is recorded in your card?

This reminds me that I really need to add links and references.

Yes - that's correct. I suspect there are sound reasons for this, but I'm writing this from my phone right now, and I'm about to walk from lower Manhattan to Bedford Stuyvesant. I'd love to hear someone else's guesses about why I think there are sound reasons, and if they're right, I'll upvote.