This article was published on October 8, 2021

How can you safely store your vaccine status on your phone?

Vaccine cards don’t actually contain very much sensitive information, but you can protect it nonetheless


How can you safely store your vaccine status on your phone? Image by: Gabriel Hongsdusit / The Markup

If you’re vaccinated against COVID-19 and back out in the world, chances are you’re encountering requests for your vaccination card.

An increasing number of places require visitors to prove their vaccination status before being allowed in. New York City and San Francisco mandate proof of vaccination for public indoor dining, exercising, and entertainment, while New Orleans requires vaccination or a negative test. Other cities, such as Los Angeles, are considering similar measures. At least one international airline and many cruises require a vaccine. Staff and students for some school districts must be vaccinated. And many sports venues are joining the push.

One option is to carry your paper vaccination card (don’t laminate it). But there are also several ways to securely keep a digital copy handy on your mobile phone.

Are there privacy concerns? 

Though it involves your health, the information actually visible on a vaccine card isn’t as sensitive as that in other health records. Most often, the card has a name, date of birth, which vaccine that person received and when, as well as where they received the vaccination.

Of those, the date of birth is the most worrisome. But that piece of information alone isn’t dire, said Lorrie Cranor, director of Carnegie Mellon University’s CyLab Security and Privacy Institute.

“The main issue with date of birth is that it could be a link to other records,” she said. “If someone’s trying to steal your identity, the more non-public information they have available, the more likely they’re going to answer [challenge questions correctly].”

One of the main issues privacy advocates raised about so-called “vaccine passports” was a fear that people’s movements could be tracked over time if they digitally check in every time they enter a public space, and whether that information could be shared with law enforcement. To account for this, some apps upload a person’s vaccination status to a server only for a brief period, while another displays “only a red or green signal” to show whether someone has been vaccinated, according to The New York Times.

What are my options? 

Take a photo of your paper vaccine card

Make note of whether that photo is stored locally on your device or in cloud software such as Apple’s iCloud or Google Photos.

If it’s stored locally, someone would need to get physical access to your phone if they wanted to steal your vaccination card. Depending on the software your device runs, you may also be able to create a folder that requires an extra password to access so it is separate from your other photos.

Keeping it in the cloud means someone would need to get access to your phone or compromise your cloud account’s login credentials.

In both cases, strong passwords will help protect your information, Cranor said. Make sure your phone requires a password longer than four digits or biometrics to unlock it. Consider multi-factor authentication for your cloud account as well, which requires additional verification from someone attempting to log in.

Store it in software that uses encryption

Another way to keep your card on your phone is by putting the photo of your vaccine card into a password manager or digital wallet.

Password managers are software that store and encrypt sensitive information such as login credentials. Often, they allow users to upload photos or documents when creating a new entry.

This puts a further layer of security between a would-be thief and your vaccination card. Even if someone gets hold of your phone, they would need to get past both your device pin and your password manager’s login to view the information on your vaccine card. If they were to download your password manager’s software, the data would be scrambled by encryption, rendering your vaccination card unviewable.

Guy Garrett, assistant director of the University of West Florida’s Center for Cybersecurity, recommends using your phone’s digital wallet. Android users can save the photo in their Google Pay account if their phone is running Android 5 or later software, as well as on Samsung Pay.

Apple has plans to allow its users to store health information such as a verified vaccination status in Apple Wallet.

Apple declined to respond on the record to a request for comment.

Use a government-provided app

Depending on where you live, your state or county may have an app to store your vaccine status. Some states, such as Colorado and New York, developed their own mobile apps for residents. The privacy policy for New York’s app explicitly states that it does not access its users’ location.

Counties, too, may offer an app to anyone vaccinated locally. Los Angeles County uses an app called Healthvana, for example.

Garrett recommended reading the specific app’s user agreement before downloading to understand what information it collects and/or shares.

Cranor said to check whether the app verifies your vaccination status against a state database or just stores a photo of your card. If it stores a photo of the card, you might choose to do this outside of the app.

Other digital options

Several states don’t have apps but do offer portals for residents to download their vaccination status or a digital version of their vaccine cards, including California and Hawaii. A handful of states, including Arizona, Louisiana, Maryland, Mississippi, North Dakota, and Washington, use a platform called MyIR Mobile, where residents can download a digital version of their vaccination card.

Some counties in Maryland use VaccineCheck to verify residents’ vaccine status and generate a digital version of the card with a QR code to download.

These can be stored in the same way that a photo would be. Residents in California, Hawaii, Louisiana, New York, Virginia, and some Maryland counties can also elect to use the private CommonHealth App to store their “SMART Health Cards.”

According to JP Pollak, co-founder of The Commons Project Foundation, which built the app, data is stored only on the user’s device and isn’t viewable to the foundation.

Still worried about your Vax card data if your phone gets stolen?

If you are concerned about losing your phone, Garrett recommends setting up a “remote wipe” feature that allows you to reset your phone’s software from afar, erasing your vaccination card (and everything else).

This article by Malena Carollo was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with