{"id":19136,"date":"2021-04-09T16:50:34","date_gmt":"2021-04-09T16:50:34","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=19136"},"modified":"2021-12-20T19:37:53","modified_gmt":"2021-12-20T19:37:53","slug":"new-yorks-excelsior-pass-for-covid-19-on-ibm-blockchain-doing-the-wrong-thing-badly","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2021\/04\/09\/new-yorks-excelsior-pass-for-covid-19-on-ibm-blockchain-doing-the-wrong-thing-badly\/","title":{"rendered":"New York’s Excelsior Pass for COVID-19, on IBM Blockchain: doing the wrong thing, badly"},"content":{"rendered":"

The New York “Excelsior Pass” is a COVID-19 vaccine passport system. It proudly proclaims its use of “secure technologies, like blockchain and encryption.” [press release<\/i><\/a>]<\/p>\n

The Excelsior Pass is a deployment of IBM Digital Health Pass, a project of the IBM Watson Works vaporware project \u2014 now that the IBM Blockchain vaporware project has shut down as a separate unit,<\/a> and been folded into Watson. [IBM<\/i><\/a>]<\/p>\n

 <\/p>\n

\"\"<\/a><\/p>\n

An official promotional image for Excelsior Pass: a stock photo, with mockup screenshots pastede on yay.<\/i> [EPass<\/a><\/i>]<\/small><\/p>\n

 <\/p>\n

Tim Paydos, global general manager of government for IBM, spoke to GovTech, and was remarkably unclear on where the data is kept: [GovTech<\/i><\/a>]<\/p>\n

IBM purposefully didn\u2019t build a centralized database for Excelsior Pass in order to avoid creating a giant target for hackers.<\/p>\n

\u201cAll of the data stays distributed,\u201d Paydos said. \u201cWe\u2019re not creating a big intergalactic database in the sky. We wouldn\u2019t want to do that, nor given the time urgency could we do that.\u201d<\/p><\/blockquote>\n

This claim is factually incorrect, if the following is true:<\/p>\n

The app was actually based on work IBM did with Maersk on shipping containers moving across the world, and Paydos said it should work for travelers moving between nations as well.<\/p><\/blockquote>\n

This means that IBM reworked the TradeLens system for the Digital Health Pass.<\/p>\n

TradeLens was used for the Maersk supply chain blockchain project \u2014 one of the two systems the IBM Blockchain unit ever sold. (The other being the WalMart supply chain project, which apparently wasn’t TradeLens.)<\/p>\n

TradeLens operated as a completely normal centralised system \u2014 administered by the company, with all servers living on the IBM Cloud. The “blockchain” bit is that the back end data store is Hyperledger.<\/p>\n

TradeLens didn’t do so well \u2014 it turns out that nobody in business wants their competitors all up in their deals. [Supply Chain Movement<\/i><\/a>, 2019<\/i>] Even Maersk’s vendors couldn’t really see the point of TradeLens on a blockchain, and only signed up because Maersk, as central authority, required them to. “I believe the industry is quietly and politely saying they are not interested or at least not currently interested,” said one vendor; “Blockchain is the overly persistent salesperson.” [Journal of Commerce<\/i><\/a>, 2018, <\/i>archive<\/i><\/a>]<\/p>\n

If Digital Health Pass is based on TradeLens, then it would work similarly \u2014 and, functionally, it’ll be a completely centrally administered system.<\/p>\n

Which is, of course, precisely what you want from a government function \u2014 “blockchain” will only mean “slow distributed database.” You’d have to be high on blockchain fumes to do it any other way than fully centralised.<\/p>\n

The Hyperledger bit might make redacting erroneous data unduly difficult, which is what they’d get for putting incredibly sensitive personal data into a Merkle tree.<\/a><\/p>\n

The ethics and medical validity of vaccine passports have been widely questioned \u2014 particularly when vaccines are in short supply, and there’s a black market on the darknet for fake vaccine documentation. [EFF<\/i><\/a>; <\/i>BBC<\/i><\/a>]<\/p>\n

More specifically, the Excelsior Pass app asks for data on vaccination, but also on antigen tests [NY Health<\/i><\/a>] \u2014 which are much better than nothing, but have substantial rates of false negatives. And the Excelsior Pass system is slow to update and clunky to use \u2014 you have to show ID at the same time to use it. [Washington Post<\/i><\/a>; <\/i>Reddit<\/i><\/a>]<\/p>\n

I was also particularly impressed to see that NY, not being a health care provider, explicitly disclaims protection of this extremely sensitive medical data under HIPAA rules. But they absolutely won’t use your data for purposes other than the public health! Unless they do. [NY EPass<\/i><\/a>, <\/i>archive<\/i><\/a>]<\/p>\n

So what New York has paid IBM to do is to use a superfluous technology to implement a questionable idea, badly. So far, so blockchain.<\/p>\n

 <\/p>\n

\"\"<\/a><\/p>\n

Corona-chan looks forward to seeing you out and about!<\/i><\/small><\/p>\n

\"Become<\/a>

Your subscriptions keep this site going. Sign up today!<\/a><\/i><\/p><\/div>","protected":false},"excerpt":{"rendered":"

Corona-chan looks forward to seeing you out and about!<\/p>\n","protected":false},"author":1,"featured_media":17485,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[74,2211,2210,64,316,127,830,594,831],"class_list":["post-19136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised","tag-blockchain","tag-digital-health-pass","tag-excelsior-pass","tag-hyperledger","tag-ibm","tag-ibm-watson","tag-maersk","tag-new-york","tag-tradelens"],"jetpack_featured_media_url":"https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2020\/03\/coronachan-header.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/19136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/comments?post=19136"}],"version-history":[{"count":28,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/19136\/revisions"}],"predecessor-version":[{"id":19165,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/19136\/revisions\/19165"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media\/17485"}],"wp:attachment":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media?parent=19136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/categories?post=19136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/tags?post=19136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}