Why Vaccine Cards Are So Easily Forged

My proof of COVID-19 vaccination is recorded on an easy-to-forge paper card. With little trouble, I could print a blank form, fill it out, and snap a photo. Small imperfections wouldn’t pose any problem; you can’t see whether the paper’s weight is right in a digital image. When I fly internationally, I have to show a negative COVID-19 test result. That, too, would be easy to fake. I could change the date on an old test, or put my name on someone else’s test, or even just make something up on my computer. After all, there’s no standard format for test results; airlines accept anything that looks plausible.

After a career spent in cybersecurity, this is just how my mind works: I find vulnerabilities in everything I see. When it comes to the measures intended to keep us safe from COVID-19, I don’t even have to look very hard. But I’m not alarmed. The fact that these measures are flawed is precisely why they’re going to be so helpful in getting us past the pandemic.

Back in 2003, at the height of our collective terrorism panic, I coined the term security theater to describe measures that look like they’re doing something but aren’t. We did a lot of security theater back then: ID checks to get into buildings, even though terrorists have IDs; random bag searches in subway stations, forcing terrorists to walk to the next station; airport bans on containers with more than 3.4 ounces of liquid, which can be recombined into larger bottles on the other side of security. At first glance, asking people for photos of easily forged pieces of paper or printouts of readily faked test results might look like the same sort of security theater. There’s an important difference, though, between the most effective strategies for preventing terrorism and those for preventing COVID-19 transmission.

Security measures fail in one of two ways: Either they can’t stop a bad actor from doing a bad thing, or they block an innocent person from doing an innocuous thing. Sometimes one is more important than the other. When it comes to attacks that have catastrophic effects—say, launching nuclear missiles—we want the security to stop all bad actors, even at the expense of usability. But when we’re talking about milder attacks, the balance is less obvious. Sure, banks want credit cards to be impervious to fraud, but if the security measures also regularly prevent us from using our own credit cards, we would rebel and banks would lose money. So banks often put ease of use ahead of security.

That’s how we should think about COVID-19 vaccine cards and test documentation. We’re not looking for perfection. If most everyone follows the rules and doesn’t cheat, we win. Making these systems easy to use is the priority. The alternative just isn’t worth it.

I design computer security systems for a living. Given the challenge, I could design a system of vaccine and test verification that makes cheating very hard. I could issue cards that are as unforgeable as passports, or create phone apps that are linked to highly secure centralized databases. I could build a massive surveillance apparatus and enforce the sorts of strict containment measures used in China’s zero-COVID-19 policy. But the costs—in money, in liberty, in privacy—are too high. We can get most of the benefits with some pieces of paper and broad, but not universal, compliance with the rules.

It also helps that many of the people who break the rules are so very bad at it. Every story of someone getting arrested for faking a vaccine card, or selling a fake, makes it less likely that the next person will cheat. Every traveler arrested for faking a COVID-19 test does the same thing. When a famous athlete such as Novak Djokovic gets caught lying about his past COVID-19 diagnosis when trying to enter Australia, others conclude that they shouldn’t try lying themselves.

Our goal should be to impose the best policies that we can, given the trade-offs. The small number of cheaters isn’t going to be a public-health problem. I don’t even care if they feel smug about cheating the system. The system is resilient; it can withstand some cheating.

Last month, I visited New York City, where restrictions that are now being lifted were then still in effect. Every restaurant and cocktail bar I went to verified the photo of my vaccine card that I keep on my phone, and at least pretended to compare the name on that card with the one on my photo ID. I felt a lot safer in those restaurants because of that security theater, even if a few of my fellow patrons cheated.

This essay previously appeared in the Atlantic.

Posted on March 18, 2022 at 6:12 AM43 Comments


Ted March 18, 2022 7:32 AM

But when we’re talking about milder attacks, the balance is less obvious.

Yes, this makes a lot of sense. It’s one thing if we’re dealing with an infectious disease with an extremely high mortality rate, maybe like Ebola. I’m not saying everyone’s life isn’t important. But on the flip side vulnerable people are still able to take a lot of additional precautions to mitigate their personal risk.

The costs of administering a heavy-handed top-down approach to this challenge would be missing a lot of practical and more effectively attuned calibrations.

Grahame Grieve March 18, 2022 8:25 AM

There is an approach to vaccine certificates that is secure and hard to forge, and as secure as whatever identity checking is performed (which is variable): https://vci.org. But that didn’t become widely used enough to become the expectation.

“nobody ever tested the effect of each vaccine on the multitude of blood tests” – not true, it was tested thoroughly and is well understood
“Covid: Australian vaccine abandoned over false HIV response” – specific to that particular vaccine

Clive Robinson March 18, 2022 8:49 AM

@ Bruce,

After a career spent in cybersecurity, this is just how my mind works: I find vulnerabilities in everything I see.

Yup #MeToo…

It’s anoying at times because often you can not switch it off. It can at times become overly stressful as it’s a form of “Situational Awareness” that can cause “Hyper-Vigilance” that culminates in “Patrol Fatigue” and other variations on “Battle Fatigue”.

Worse in my case my brain latches on automatically to out of place antennas and similar and the directions they point in even vehicle mirrors. Just a glance can make me hyper-vigilant to what’s around me for quite some distance.

It kind of goes with the territory from years ago when spotting odd antennas etc on vehicles could alert you to what we call “Improvised Explosive Device”(IED) these days, or just “surveillance” that could be a prelude to ambush, for kidnapp or worse.

Sometimes you spot people following you or more often you spot people following other people. It can take a very great deal of practice to follow someone, and not be noticable to others, thus not only do you stand out in the crowd it’s usually remarkably easy to see who you are following… It’s why a wise close protection detail on foot has a couple of tails, the first to see who’s watching the detail, and those a bit smarter watching out for those not watching the detail but looking for the tail.

The sad thing is in my younger days I went all over the world into places some would consider a bit more than “tough neighborhoods” and I did not come to any harm from humans. BUT I have been attacked several times, all within walking distance of my front door…

As a friend put it a couple of decades ago when I got realy badly hurt “It’s your own bl@@dy fault, why did you switch off?” he had a point… Sadly he switched off a couple of years ago, and is now nolonger with us having gone backwards out of a third storey window.

The thing is nobody can live “Behind Enemy Lines” all the time it burns you out. That’s both mentally and physically with the hormones it releases, the added lack of or disturbed sleep and skewed social existance. It can be hard to be social when the person you are with sees you scanning the room and similar.

That is when you get close you can see this in not just in peoples eyes, but with experience at much greater distances in their behaviour. Habits like never sitting with your back to a door or window, never being in a room with only one usable exit, slow eye sweeps with little head movment (as head turning attracts attention).

Sometimes the only thing to do to step down is go where you can get solitude, like up a mountain or similar miles from habitation…

Oh one thing for people to remember, it’s realy quite hard to follow someone on a push bike even today with drones and the like, that means they have to use coordinated teams which is very difficult to do.

Vesselin Bontchev March 18, 2022 8:57 AM

The EU vaccination certificates contain a QR code with cryptographically signed information. That can’t be forged, unless you manage to get the private key – which did happen in one instance (it was used as a joke to issue vaccination certificates to obviously fake names, like Adolf Hitler).

However, they do not contain a photo. So, whoever it checking the certificate not only has to verify the information from the QR code (there is an app for that) but also ask for some kind of photo ID, to make sure that the person showing the certificate is indeed the one whose name is on it.

Wayne March 18, 2022 9:51 AM

I had an appointment with my immunologist a year ago or so. They wouldn’t let me in without a bit of an interrogation. When I admitted that I’d done a home enzyme Covid test the previous day, the girl asked if I’d brought the negative result.

Uh. And what is to prevent me from having tested positive, assuming I had mild symptoms, keeping a negative test from a month earlier, and wandering around being a sociopathic Typhoid Wayne? It’s not as if a date stamp magically appears on those tests as soon as you take them, or you’re required by law to take a cell phone selfie showing the result.


Yeah. Me showing you is absolute proof that I am the one that took that test, not my wife or my dog, and that I took that test yesterday, and not a month or two earlier, or that it’s one that I pass around to friends to get in to places that want us to show a negative test.

My doc did turn me on to a Covid test kit on Amazon that uses your cell phone to read the results. It only works with certain models. The intent is if you test positive on a home test and need to show a positive result to a doc, you’d then retest with this one so your smart phone has a documented positive result. Costs the same as a regular test kit.

Ian March 18, 2022 10:06 AM

The greatest theater going on here is “why are vaccine passports needed at all”?

  • If the vaccines work, you shouldn’t care whether others are vaccinated or not
  • If the vaccines don’t work, why should we track who’s been vaccinated?

All of that also ignores that public officials’ responses have entirely ignored natural immunity, which is consistently shown to be better than vaccinated immunity, that the vaccines only provide marginal protection against transmission of the latest variants/

Clive Robinson March 18, 2022 10:19 AM

@ Wayne, ALL,

Me showing you is absolute proof that I am the one that took that test…

Yup you are back to the old,

“You can not prove who you are, only who you say you are”

issue… Many years ago the head of one of the UK Security Services Stella Rimington (yup the successful author) highlighted this issue of “National ID Cards”.

There is no verifiable link between you the body, and a documentry ID device that is going to be even close to functioning in a reasonable time frame to show who your parents are etc. Even Photo ID inspected by “Passport Officers” is not that good, they can get it wrong around one time in four even with over fourty year olds.

At some point they will find Facial Recognition systems will fail and start thinking about some other bio-metric which begs the question,

“Hands up who will look directly into a laser to have their Retinal scan?”

For those tempted may I suggest watching episode 3 of Futurama where Fry goes into the bank and they ask for various bio-metric scans…


Ted March 18, 2022 10:25 AM


Safer from what?

I’m guessing Covid transmission and infection. The systems we use to promote public health aren’t tamper-proof or guarantees. However, enough factors are working here to promote a higher general level of safety.

If things were getting a lot worse instead of better, I’m sure we’d see more restrictions again. But even two-years on we’re still doing many things different than we did before.

Me March 18, 2022 10:53 AM


To address your first point, why do we care if those around us are vaccinated. You seem to have fallen victim to the idea that vaccines are either perfect or completely broken (that is 100% or 0% effective). The truth is that all (approved) vaccines are somewhere in between.

In this scenario, being vaccinated is great, but having everyone around you ALSO vaccinated is even better. That is, when an infected person has a reduced chance of infecting you, this is good, but if those around you also have a reduced risk of BEING infected, that is better.

As to your second point on natural immunity’s “superiority”:
1) No: https://www.cdc.gov/coronavirus/2019-ncov/vaccines/facts.html
2) So what? https://xkcd.com/2557/

I hope this helps, but if you still hold the stated beliefs at this point in the pandemic, I am skeptical that anything can help.

JonKnowsNothing March 18, 2022 11:06 AM

@Clive, @All

re: At some point they will find Facial Recognition systems will fail and start thinking about some other bio-metric

A recent MSM article on the US immigration tracking program and the corporation that runs it, detailed some of the items the system/corporation/ICE require from the @180,000-200,000 people in the system (soon to be expanded).

When you look at the list of technical requirements (ankle bracelets, faceID, gps tags, selfie timestamped uploads, metadata tracking, contact list harvesting, browser history, app trackers) what really sinks in is that the entire system has already failed.

At first, it looks like just plain old fashioned data hoovering, but if you really consider what’s happening it becomes clear that all the add-on tracking is done because the entire system cannot tell the difference between a person and a sofa-bed. All the extras are attempts to add validations to something that is invalid to start with.

Unfortunately for anyone applying to come to the USA, as refugee or immigrant, they have to endure this twisted logic as the corporations+LEAs attempt to bolster their failed monitoring system.

It’s also unfortunate that there is a pile of money involved and the prospect of more being spent on this security theater.

It plays well in many parts of the country, ie voters, as the US sentiment about immigrants and refugees is still gated by an ombre litmus test.


def Ombre: variegated yarn with light and dark shades of a single hue

Winter March 18, 2022 11:19 AM

“My health and health choices are none of your F-ing business.”

As long as you stay away from others while being infectious.

The point of an infection is that it can spread. As long as you can infect others, your heath status is very much the business of other people.

You would care an awful lot about my health status if I walked up to you with active lung pest or Ebola. Others have the same about you being a COVID risk. Not everyone has the luxury to shrug about a COVID infection.

JonKnowsNothing March 18, 2022 11:28 AM

@ Ian

re: why, if the vaccines are effective, you should care about my vaccination status.

Simple Simon, because I am immunocompromised and unless you have the information on your vaccination status and dates tattooed to your forehead, there is no way from me to know to “stay the f-away from you”.

Like Cooties (1), you are not safe for me to be within 45-64 feet or the 1 mile COVID-Omicron drift distance.

RL tl;dr

I have been visiting someone in the hospital. 3 weeks ago there were no visitors allowed. 2 weeks ago, 1 visitor was allowed. This week 2 visitors are allowed.

I show my vaccination record to the check-in folks. They make notes of where I am going and who I am visiting THEN i get the stick up the nose test. If I pass all the gates I get to see the person. (TTT)

The gate keepers told me, people do try to sneak in but they get caught PDQ and chucked out. The common refrain is: Oh? I didn’t know…

Perhaps they came the long route through the hospital as they needed the extra exercise walking the miles of corridors…

I am grateful for the gates. They keep my friend safe or rather safer.

Omicron BA2 is coming … more to the point … it has already arrived.


1) Cooties is a fictitious childhood disease

KeithB March 18, 2022 11:29 AM

First Orac’s real (easily found) identity is as a respected cancer researcher, so he is not a “random blogger”.

The basic answer to your question is that I care about my parents.

SeattleSipper March 18, 2022 11:43 AM

@Bruce –

> I felt a lot safer in those restaurants because of that security theater, even if a few of my fellow patrons cheated.

You can say this because you are (likely) vaccinated and healthy enough to fight off an infection from a cheating patron who is a carrier. Would you deem the security sufficient if you or someone you live with were in a susceptible population (old, immunocompromised, etc.)? Further, studies about Long COVID are emerging and are worth tracking, even for the nominally healthy (see Shingles aka zoster).

Sergey Babkin March 18, 2022 12:21 PM

Perhaps the other reason is that the vaccines do not prevent nor impede the infection nor its spread, so there is no point in requiring them. I’ve had vaccinated parents and coworkers contract the infection and become sick (and of course spread it too). Vaccines perhaps reduce the severity of the sickness but come with their own risk.

Another interesting piece of personal experience is that the day before the onset of symptoms the PCR tests give a negative result. If the processing is on the slow side, you can get your fever before you get the negative result of the test. So they are less useful for screening than asking “do you have fever?”

lurker March 18, 2022 12:25 PM

@Vesselin Bontchev

The EU vaccination certificates contain a QR code with cryptographically signed information.

So do NZ, but, this assumes a centralised database managed by a centralised public health system. @Bruce’s certificate was issued by one of the myriad private providers in the anarchy that masquerades as a public health system in the USA. The photo of it in the Atlantic article doesn’t even say who issued, who vaccinated, …

Petre Peter March 18, 2022 1:37 PM

Europe has been pushing the green passport for a while and I was just wondering if they’ll try to make further connections with global warming. Luckily, so far this hasn’t been the case. Professor Schneier is right: we have to keep usability in mind.

Denton Scratch March 18, 2022 1:48 PM

the vaccines do not prevent nor impede the infection nor its spread

We know they don’t “prevent” infection or spread. Nobody claims that they do.

But where is your citation to support the claim that vaccines don’t impede both infection and spread? Are you relying on some source like Tucker Carlson?

I have compromised lungs. I wear a mask in shops to protect others from any infection I might be carrying; maybe it provides me with some protection, but that’s not why I wear it. I also keep my distance from strangers – it’s common sense, and in fact it’s just good manners not to intrude on others’ personal space.

Maskless wonders wandering around shops with prominent signs at the entrance asking people to mask-up, and pressing up behind me in the checkout queue for no reason, are just jerks. Unfortunately I’ve discovered that more of my fellow-humans are jerks than I thought two years ago.

FWIW I’m against mandatory vaccination, or any kind of mandatory medical procedure. I’m not so sure about mask exemptions; if you find it hard to breathe with a mask on, perhaps you should try a different kind of mask.

lurker March 18, 2022 2:46 PM

The preferred method in NZ is for the Pass to be carried as a picture on a cellphone. I don’t know what format, as the 2FA methode for verifying the email to send it to, was too complex for my setup, so I opted to receive a printed paper version.

1) My Vaccine Pass arrived by ordinary post, no signature required, seemingly a slight error given the awareness of stolen and forged passes in the community. Out of a DL envelope fell a 1/3 A4 card, with pretty pictures and a description of how to cut the pass off one end, and keep it in a safe place;

2) the card as given is 99 x 57 millimetres and will not fit any “standard” business card holder. The word “standard” in quotes because business cards like everything else have so many standards to choose from. Curiously no country or region uses any of the ISO standard paper sizes for business cards;

3) on the card is the densest printed-on-paper QR code I have seen: a 27mm square contains a 612 byte blob, including a 7 byte type and version header. I photographed it, and used Gimp to scale the Pass to “standard” card size with the QR at 80% of the width. The official instructions warn about choice of paper and ink for those wishing to print their own from an emailed pdf.

Lawanda March 18, 2022 2:55 PM

However, they do not contain a photo. So, whoever it checking the certificate not only has to verify the information from the QR code (there is an app for that) but also ask for some kind of photo ID, to make sure that the person showing the certificate is indeed the one whose name is on it.

That’s a major privacy invasion that seems widespread among these proof-of-vaccination systems. There’s no reason someone should need to know what name the government has on file for a person (especially the parts of that name that are never used in public, e.g. middle name), nor other private information like date of birth and possibly sex printed on those government ID cards. Forcing anyone bothered by this to go through the beaurocratic process of making the government reissue the card with different parameters is not a solution.

The card should have a photo and some sort of digital signature, and should not reveal any other personal information. It might be kind of a moot point now that people are basically declaring COVID-19 to be over (based on something other than science), though the same applies to proof of age cards (e.g. for buying alcohol). Of course, the very concept of “photo ID” is moot when one is not allowed to show one’s face.

Are the SARS-CoV-2-negative-test requirements at borders “theater” too? I think they might be. They might make sense for boarding a plane—several hundred people will be breathing the same air for hours, although there’s some evidence the filtration might be good enough. Were I in charge of the rules, I’d require airlines to give refunds to anyone declaring themselves CoV-positive, and make sure such people had paid leave from work, to remove the obvious financial incentives to break the rules. But I don’t see much harm in letting CoV-positive people into countries where the virus is already widespread, which is most countries.

Clive Robinson March 18, 2022 4:32 PM

@ Lawanda,

It might be kind of a moot point now that people are basically declaring COVID-19 to be over (based on something other than science),

Totally untrue.

What they are actually claimong is that,

“The disease has moved from the pandemic to the endemic phase”.

This means that things are actually “WORSE not BETTER” and “most definately “NOT OVER” by any measure, as far as contagion is concerned.

What many appear not to undetstand is the difference between,

1, Contagiousness,
2, Pathnogenicity.

We have been very very lucky in that,

1, Omicron is more Contagious,
2, Omicron is less Pathnogenetic.

That is Omicron in it’s various variants, infect people faster than any other varienents so far due to being “More contageous” so effectively replace them. The fact it the Omicron varients are also considerably less likely to cause you to be significantly unwell or hospitalised, takes the strain off of not just healthcare, it also redices the “known deaths” from Covid.

However what few experts are talking about is that,

1, The mutation rate is proportional to infection rate (that is a logical given).
2, What might change when not if Omicron or other varient still infecting people mutates.

That is, there is actually a significant chance that a new varient will be more contageous than the Omicron current varients, and could easily be more pathogenic.

There are close beta-corona viruses that are more certainly more pathogenic than SARS-2 Omicron varients (MERS for instance kills around 3 in 10 of those who become infectioned). There are also those that are more “vaccine evasive”.

It has been postulated, that being infected by an Omicrom varient, gives you considerably broader immunity than mRNA vaccines. The reason is the mRNA vaccine only causes a narrow band of infection recognition, to develop in a human, whilst a wild varient will actually cause a much wider band of infection recognition.

Only time and accurate checking and reporting will confirm this. Unfortunately in many places authorities have incorrectly decided to pe irresponsible and stop collecting data…

Thus if we do get a new more contagious variant arise, it will have greater community spread. And will spread faster and wider before it becomes recognised… And if it is more pathogenic then the first thing we are likely to see would be a significant upturn in the hospital admissions and deaths.

We have many years to come of Covid related infections and sequeli, not least of which will be an increase in the likes of cancers in ten to twenty years and likewise other autoimmune diseases.

We are already seeing so far open ended cases of “Long Covid” and incresing cases of “disease reservoir” in other mammals where reverse zoonotic onfections from man to other mammal has occurred and can cross back as appears to have happened with the Omicron varients.

So only a fool or one with political agenda would claim “Covid is over”, it’s not, nore is it likely to be for several years yet, depending on what further active meaures we do or do not put in place.

Whilst I do not expect you to take my word for it I do expect you to research any claims you hear in the scientific literature. Something you are obviously not currently doing, and could cost you your health and longevity, but as they say in the UK,

“It’s your funeral”.

Lawanda March 18, 2022 6:30 PM

So only a fool or one with political agenda would claim “Covid is over”

Well, that’s one significant group I was talking about: the politicians. Note that I wrote “declaring” it over—not claiming that it is over in any factual sense—and even this declaration isn’t usually literal. But they, and people in general, seem to be acting as if they might be able to make it disappear by fiat. Many areas are ending vaccine passports, mask requirements, capacity limits, distancing guidelines, workplace vaccine mandates and symptom screening, close-contact isolation, etc. Phrases like “back to normal” have been used.

So, no, if you ask someone “do you think COVID-19 is as dead as smallpox?”, they probably won’t say that it is. But if you take a realistic look at how people behave, on both an individual and societal level, I don’t see how you can avoid coming to the conclusion that they’re acting like COVID is over. Or acting like fools, if you prefer. Does it matter if the news stories often say, in the “fine print”, that it’s not over?

Take a look at this story from Canada headlined “Ontario to drop most mask mandates on March 21, remaining pandemic rules to lift by end of April“. 4th paragraph: “‘does not mean the risk is gone’ or the pandemic is over”. 4th page: “‘Not supported by science,’ head of science table says”. 5th page, a quote from an expert: “There’s a kind of almost a narrative being driven here that everything’s over. We’re all done. Let’s just move forward.” (And then there’s the section right after that, talking about “isolation guidelines” and about what people will “have to” do. “Have to” is not a phrase that makes any sense in relation to a “guideline”. Between stuff like this, and the rules/guidelines changing every month, how’s anyone supposed to know what the fuck they’re supposed—or required—to do?)

Roboticus March 18, 2022 9:57 PM

“It also helps that many of the people who break the rules are so very bad at it. Every story of someone getting arrested for faking a vaccine card, or selling a fake, makes it less likely that the next person will cheat.”
I’m not sure I agree with that, since in my experience the people most inclined to break the rules are the people who believe they are smart enough to get away with it and pretty much ignore evidence to the contrary.

Nick Levinson March 19, 2022 11:24 AM

You say, “create phone apps that are linked to highly secure centralized databases”.

Only if the examiner has their own terminal with the app on it, preferably with an ID scanner that feeds ID info into the app, could that work.

You wouldn’t want a person to show their personal phone with a look-alike app that uses fake data since the examiner wouldn’t know the difference. A look-alike with slight errors would usually escape detection.

ATN March 20, 2022 7:34 PM

@Clive: “Only time and accurate checking and reporting will confirm this. Unfortunately in many places authorities have incorrectly decided to pe irresponsible and stop collecting data…”

Ask South Africa what good there is in doing a good job at recognizing a new variant and publishing scientific results? No-one will ever publish discovering a new variant!

Anyway, Covid being endemic, you get it every 6 months and it affects you for one or two days, time for your body to adapt to the new variant. You were able to fight the virus the first time, the second time, the third time your chances are good.

Vaccine are considered by some to prevent getting the illness, which is in most case not their intent, vaccines are useful so that you will survive getting the illness the first time…

Ivan Durakov March 20, 2022 7:57 PM

Better yet, like here in Florida where the fascists don’t rule, outlaw the entire need for preventing card forgery by outlawing the entire need to ever show a card. Since the vaccines have been shown by CDC’s own data to cause more harm then they prevent under age 80, they are worse than useless, as is therefore any card documenting one’s vax status. We need to devolve the central government back to a true federal system, where idiots in New York are free to choose to have cards, and other states can be free not to, without interference from the clerk-tyrants, plus 10000 other reasons.

Qn March 20, 2022 8:32 PM

Since the vaccines have been shown by CDC’s own data to cause more harm then they prevent under age 80
That is a blatant lie, and no, you don’t need to link to some ludicrous blog that claims to have derived that conclusion from the VAERS data. Your post and its petty name-calling should be deleted.
@Moderator – this post can be deleted too.

William March 21, 2022 9:04 AM

Faking a negative test result has to be even easier with a home test — don’t stick it in your nose.

I’ve heard in the UK, school kids figured out very quickly that home tests could produce a false positive if dipped in orange juice. School admins quickly devised a test for OJ.

Kyle Wilson March 21, 2022 9:16 AM

I think the best approach to vaccine cards is the classic ‘high cost of committing but relatively lazy checking’. If one is banned from flying for ten years or fined $10,000.00 if entering a crowded venue with a forged card but only 1 in 100 or 1 in 1000 cards are later verified with the provider listed the cost and inconvenience of enforcement is limited but the incentive remains strong.

False hits become easy enough to back-fill as the affected person can provide additional information and work to resolve any failures. The threat of a huge penalty (similar to what is done for drunk driving, a rather similar offense) should be enough to get people’s attention and limit fraud. Publicize those who ARE caught and the consequences of their actions and I expect that (as with drunks on the road) you’ll at least make people seriously consider whether to present forged vaccination or testing documents.

Randy Saunders March 21, 2022 11:14 AM

Of the federal crimes you have the skills to commit, this is arguably the least significant. You’re seeing vaccine cards as super-important. They are a federal document, and it’s a crime to forge them, but so is a $1 bill. Perhaps vaccine cards are between the $1 and the $5 on the list of government document security problems. You can realistically only forge on per person, that puts a real limit on the damage. Of course if you start selling them on eBay the Secret Service might show up, but they’re likely to email you to “cut this out”, because Secret Service agent time costs money too.

There are plenty of schemes out there, and they might move these cards up to the $10 – $20 value range, but often at costs that simply aren’t justified.

People should definitely get vaccinated, and forging is wrong, etc.

Clive Robinson March 21, 2022 12:12 PM

@ ,

If one is banned from flying for ten years or fined $10,000.00 if entering a crowded venue with a forged card

What you are proposing is what has been tried with drunk driving, and half a century or more later it is still failing to work.

However you need to regard those hwving forged cards as much much worse than drunk drivers.

Because just one infectious person in a crouded venue can kill and injure not just four or five people but multiples of tens, or hundreds.

But before anyone suggests “Putting them up against the wall” history very clearly shows that even the mandated death penalty or life in incarceration is not a deterrent to a sizable fraction of the population.

Punishment of offenders is not a solution that is going to make us safe from their wonton activities.

Who? March 22, 2022 6:48 AM

@ Ian, Winter, and KeithB

As Ian, I highly value my privacy and the privacy of my health records. We are giving too many rights for free; this one has been the way governments had been stealing rights from citizens for decades. Think on 9/11, Paris attacks and the current pandemic for three good examples in which people have chosed to drop their rights for nothing.

Winter and KeithB, on the other side, are right about being away from others while being infectious.

They key concept here, however, is that our current vaccines generation do not provide complete sterilizing immunity.

We are in a world of liars; both anti-vaccine and pro-vaccine people are sharing fake facts about the (in)ability of vaccines to fight the pandemic.

Before you ask, I am vaccinated too. I trust on vaccines, but not as the only line of defense (something our governments, another bunch of liars, are transmitting so we work hard to recover the economy with a total contempt for our health).

Let me say a few words about the vaccine cards. First, they are illegal in most countries. Second, they are just a punitive method; there is nothing in the vaccine cards strategy that helps us fight against the pandemic. On the contrary, this strategy makes vaccinated people a serious vector for SARS-CoV-2 propagation. Remember what I said, our current vaccines do not provide sterilizing immunity.

Max Weber said that “a compulsory political organization with continuous operations will be called a ‘state’ [if and] insofar as its administrative staff successfully upholds a claim to the monopoly of the legitimate use of physical force (das Monopol legitimen physischen Zwanges) in the enforcement of its order.”vaccine cards are just another example of punitive method used by governments around the world, there are no scientific claims behind its application.

As said before, I am vaccinated, but I have not downloaded the vaccine card as it would be against my sense of moral duty. In my opinion, the COVID-19 passport establishes a dangerous precedent for our society.

Who? March 22, 2022 6:58 AM

To be more clear about my last post: in my country, vaccinated people can download a vaccine card allowing them to do dangerous activities that make no sense on our current sanitary emergency; like staying inside restaurants without masks.

I have choosed not downloading this document, both because I do not trust on the “rights” it provides on a sanitary crisis that is far from ending, and because it is against my sense of moral duty allowing government to classify people in a way that is clearly violating our rights as citizens.

Right now this document is for COVID-19, in a few years it will apply to flu, some years later to illegal immigrants, and finally to anyone that has an independent thinking.

Kyle Wilson March 22, 2022 2:06 PM

@Clive Robinson

‘What you are proposing is what has been tried with drunk driving, and half a century or more later it is still failing to work.’

It does work, just not perfectly. I personally have known people who decided to get a cab home rather than risk driving drunk. There ARE still drink drivers but then there are still murderers as well. As with vaccines, no preventative measure is 100% effective.

That said, in this case everyone who IS caught can be banned from flying or using any other public, gated service (perhaps rental cars as well say) pretty easily and for many people being prevented from flying for 10 years with no easy to cheat the system would be worse than having their license revoked where they can still drive (illegally) if they choose.

We aren’t going to get the idiots on board. We won’t get acceptance of fine grained measures. If the penalties for forging vaccination information are ruinous enough I expect they’ll cut down on the forging (not eliminate it).

It generally makes me sad that so many Americans are making up alternative facts to feel better about putting their fellow citizens lives at risk in order to present a conservative virtue signal (I can’t see this as anything else as the actual facts show a miniscule risk of harm from being vaccinated and very effective vaccines).

Not Me! March 22, 2022 4:34 PM

Making these systems easy to use is the priority.

Also: Financially viable and available to all.

I traveled internationally once during the pandemic. To fly back to the US, the airline required a negative test certificate.

The rapid tests were available right there in the airport. They cost 80 USD. For the exact same test which the country’s government had made available for free to all.

I took the test at home before I boarded the plane. It was negative, and I would have never boarded the plane had I tested positive.

I had an “official looking” document attesting to the negative test. You can guess where it came from, but I didn’t pay 80 bucks for it. I could not in good conscience give money to these profiteers.

dokey March 27, 2022 1:33 PM

I would just like to thank Who? for bringing such a vital, nuanced perspective on this issue. The ethical implications of these vaccine cards need to be addressed. That is if they are to be used based on genuine trust.

Peter March 27, 2022 2:27 PM

I live in Denmark, one of the countries that has done most PCR-testing.
And has made the statistics, including those on breakthrough infections, publicly available.

I find it hilarious that people still believe being vaccinated against the Wuhan-lab virus prevents you from getting or spreading corona-virus.

The Danish statistics clearly demonstrate that to not be the case.
The overwhelming majority of positive 37cT PCR-tests in Denmark are amongst the “fully vaccinated”, and a clear majority of the hospitalised are also “vaccinated”, the latest numbers for hospitalisations are:

186 unvaccinated
20 vaccinated 1 time
202 vaccinated 2 times
855 vaccinated 3 times

Population in Denmark is 5,8 million,
2,872,831 have thus far tested positive, the health-authorities estimate that the actual number of infections is 50% higher.
5370 people have died from/with covid-19,of these 4630 where 70 years of age or older.
Comorbidity is 91%.

Natural immunity is far superior to vaccine-“immunity”, provided you survive acquiring it.
And that is not something I “think”,
Danish health-authorities and the leading Danish virologists and epidemiologists are saying it.

We have no covid-restrictions in Denmark. No mandates for useless facemasks, no corona-passport, no restrictions on freedom of assembly, nothing.

Weekly updated official Danish covid-statistics here:


Daily updated official Danish statistics on hospitalisations and breakthrough infections here:


filippo March 30, 2022 6:11 PM

“The EU vaccination certificates contain a QR code with cryptographically signed information.”

Today an outage at one of the information center in Italy prevented people to download their Covid certificate (or “green pass”, as they love to call it here).

The fact that you MUST download the QR coded with the cryptographically signed information – here “simple” vaccine certificates, printed or photographed, are NOT accepted – was much more than a nuisance. Maybe someone was barred from entering a restaurant, maybe others were barred from boarding a flight.

Jason April 4, 2022 10:28 PM

Sure, but would it have really made the system harder to use to print blank cards on some sort of security paper to make them a bit harder to forge? The government had nine months to prep this and extensive experience with security printing. Up to a point, the usability-security tradeoff doesn’t really exist.

Steve April 15, 2022 9:51 AM

You have a photograph on your vaccine card? Wow. My card is a small form of strange size smaller than a 3×5 index card, printed on some material with a slef-adhesive backing it I want to adhere it to something, and the details of my particulars are hand-written on the ‘form’.

Quite some time later(days, weeks), I had a message on my iPhone that related to my Covid-19 ‘status’. Supposedly. From some App that was installed on the iPhone, yet I didn’t install it, so presumably was sent out as an update from Apple for ios. I forget what it actually said, as it didn’t apply to me, and was addressed by name to somebody I didn’t know. I contacted the people and told them there database was in error, as I’d had that phone for a few years and nobody should be legitimately texting to someone else at the phone. I got back an apology, and they said they were aware of problems, and that the design of the system didn’t allow them to track-back the notification and try to contact the right party. After that, I deleted the App.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.