1. 38
    Vaccination Paywalls programming satire bert.org

  2. 13

    It’s interesting the SMART Health Card standard implemented here is entirely incompatible with the Digital COVID Certificate standard (Interoperable 2D Code, pdf) being rolled out in the EU (and currently used for the digital NHS England COVID Pass).

    Perhaps the IATA Travel Pass will be more successful as a unifying standard.

    1. 5

      Just for fun, the contents of the EU covid cert have a much more concise-looking schema than the US one (less XML-y deep structure and magic URLs). And the European container seems to be CBOR + Base45 vs. the US one JSON base64’d then run through a transform that doubles byte count turning everything into decimal digits. Both use gzip. (Ed: turns out QR codes have a numeric encoding that makes three decimal digits only take ten bits, so the US way is transmitting 6 bits in 6 and 2/3 bits on average, ~90% efficient. And Base45 gets 16 bits in three 5.5-bit chars, ~97% efficient. Now it all makes more sense!)

      Interesting that both versions seem to fit in that size QR code (must just be able to hold a lot); I’d’ve thought even with gzip, everything in the US structure would be a tight fit.
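The comment above compares the two containers by how many QR bits they spend per payload bit. As an added example (not part of the original post or of either standard's reference code), the following Python implements the SMART Health Card digit-pair transform and Base45 (RFC 9285) and measures both against QR numeric and alphanumeric mode costs. The sample payload is constructed, and the measurement assumes a single base64url segment and ignores QR mode headers and the scheme prefix.

```python
import base64
import string

# Base45 alphabet from RFC 9285; it is the QR alphanumeric character set.
B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
B45_INDEX = {c: i for i, c in enumerate(B45)}
# Characters that may appear in a compact JWS: base64url plus the '.' separator.
JWS_CHARS = set(string.ascii_letters + string.digits + "-_.")


def shc_numeric_encode(jws: str) -> str:
    """Each JWS character becomes (ord(c) - 45) written as two decimal digits."""
    if not set(jws) <= JWS_CHARS:
        raise ValueError("input contains characters outside the JWS alphabet")
    return "".join(f"{ord(c) - 45:02d}" for c in jws)


def shc_numeric_decode(digits: str) -> str:
    """Inverse transform; rejects anything that is not well-formed digit pairs."""
    if len(digits) % 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("expected an even number of ASCII digits")
    text = "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))
    if not set(text) <= JWS_CHARS:
        raise ValueError("digit pair decodes outside the JWS alphabet")
    return text


def base45_encode(data: bytes) -> str:
    """Two bytes -> three characters, a trailing single byte -> two characters."""
    out = []
    for i in range(0, len(data) - 1, 2):
        n = data[i] << 8 | data[i + 1]
        out += [B45[n % 45], B45[n // 45 % 45], B45[n // 2025]]
    if len(data) % 2:
        out += [B45[data[-1] % 45], B45[data[-1] // 45]]
    return "".join(out)


def base45_decode(text: str) -> bytes:
    """Strict decoder for untrusted scanner input."""
    try:
        vals = [B45_INDEX[c] for c in text]
    except KeyError as exc:
        raise ValueError("character outside the Base45 alphabet") from exc
    if len(vals) % 3 == 1:
        raise ValueError("invalid Base45 length")
    out = bytearray()
    for i in range(0, len(vals), 3):
        chunk = vals[i:i + 3]
        n = sum(v * 45 ** k for k, v in enumerate(chunk))
        if n > (0xFFFF if len(chunk) == 3 else 0xFF):
            raise ValueError("Base45 group encodes a value that does not fit")
        out += n.to_bytes(len(chunk) - 1, "big")
    return bytes(out)


def qr_numeric_bits(n_digits: int) -> int:
    """QR numeric mode: 3 digits in 10 bits, a remainder of 2 in 7, of 1 in 4."""
    return 10 * (n_digits // 3) + (0, 4, 7)[n_digits % 3]


def qr_alnum_bits(n_chars: int) -> int:
    """QR alphanumeric mode: 2 characters in 11 bits, a trailing one in 6."""
    return 11 * (n_chars // 2) + 6 * (n_chars % 2)


def compare(payload: bytes) -> dict:
    """Data bits each container spends in the QR symbol for the same payload."""
    b64 = base64.urlsafe_b64encode(payload).rstrip(b"=").decode()
    digits = shc_numeric_encode(b64)
    b45 = base45_encode(payload)
    shc_bits = qr_numeric_bits(len(digits))
    b45_bits = qr_alnum_bits(len(b45))
    raw_bits = 8 * len(payload)
    return {
        "round_trip": shc_numeric_decode(digits) == b64 and base45_decode(b45) == payload,
        "shc_bits": shc_bits,
        "b45_bits": b45_bits,
        "shc_efficiency": round(raw_bits / shc_bits, 3),
        "b45_efficiency": round(raw_bits / b45_bits, 3),
    }


# Constructed 300-byte stand-in for a compressed credential (not a real card).
SAMPLE = bytes((i * 7 + 3) % 256 for i in range(300))

if __name__ == "__main__":
    print(compare(SAMPLE))
```
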

      1. 3

        Note that what the US one is using is a standardised interoperable healthcare format called FHIR. The json representation looks pretty verbose, but handles many things you’d forget when coming up with your own format to represent healthcare data.

        Just look at the FHIR R4 definition for HumanName in context of Patient

        • name HumanName 0..*: A person may have 0, 1, or more names
        • For each HumanName:
          • use {usual, temporary, official, nickname, maiden, ...}: The context of this HumanName; does this person use it as a nickname, is it the person’s maiden name, …
          • family string 0..1: May or may not have a family name
          • given string 0..*: 0 or more given names (usually surname)
          • period: 0..1 Period: The time period this name was/is/will be used

        And this is just a small extract from just the HumanName data type. FHIR also has a system to manage logical IDs as well as external IDs (i.e. if a Patient is tracked in different databases in a hospital), support for various code systems used in healthcare (ICD-10, CPT, …), the most complex/complete system to handle temporal information I’ve seen, a super-integrated extension mechanism, …

        The whole documentation, data schema definition and basically everything is also completely machine-readable.

        It’s very complex, but I recommend everyone who does some sort of data modelling to take a look at some of the concepts. It’s a great inspiration.

        Source: I’ve been working with FHIR for a few years now :-)

    2. 4

      So I can just take a photo of someone’s vaccine QR-cert and use that to jump over the paywall? No, I won’t do that because that would be lying, and I’m a good person who does not lie.

      1. 5

        You could, but identity makes “limit one per customer” easy to enforce.

        1. 3

          That just means the real person who owns the ID may get locked out if their thing is “stolen” and used before they use it.

          1. 1

            Also some people were sharing pictures of theirs after vaccination - and we have an instant problem.

        2. 2

          This seems a bunch like SSNs. A unique but easily copied fact.

        3. 6

          What if we prevented people from accessing content based on their vaccination status? What if you couldn’t read Reddit, watch Youtube, or post on Instagram without first proving that you’ve been vaccinated? I think we’d up our numbers pretty quick.

          This isn’t something that @bertrandom can arbitrarily decide to do, thankfully. The major corporations who own these platforms would have to make this decision, and then implement it in a way that is difficult to bypass, despite the amount of developer attention that bypass methods for these major websites would attract. Imagine a software project like youtube-dl that was constantly being updated to bypass the latest iteration of the vaccination paywall.

          Of course, there’s an accelerationist argument that if Youtube, Reddit, etc. block more and more people from using their platforms on ideological or quasi-ideological grounds (and willingness to provide vaccination status is definitely ideologically-linked), this would weaken the network effect of these platforms and create a larger potential userbase for alternative platforms, which would create laudable competition in the space and offer an opportunity for free-software platforms (e.g. Peertube) to gain mindshare.

          1. 41

            This is a joke.

            1. 7

              It is, in fact, not a joke. (Relax! This is a joke.)

              1. 7

                I don’t think the article is a joke, and I’m not joking. I think the author dresses up the article as a joke, but he’s really pretty serious about it.

                1. 7

                  The author states twice that “this is a joke”, so I’m sure it is a joke.

                  It’s also a massive, successful troll, as can be evidenced by this comment thread.

                  1. 2

                    I don’t think the author is trying with this blog post to make a serious public health policy proposal, or to seriously get the ear of people who work at Reddit or Youtube.

                    On the other hand, according to the author’s about page, he works at Slack, which owns another proprietary communications platform much like the other ones mentioned, that many people use (often because it’s a requirement of their jobs - that’s why I use Slack myself, for instance).

                    Slack is not a huge company, and it’s easy to imagine that a Slack employee who writes a sentence like “What if we prevented people from accessing content based on their vaccination status?” might be involved in an internal product decision about whether or not to implement something like this vaccine paywall. If not specifically for the covid vaccine, then for some potential future public-health measure where people have intense political disagreement over the appropriate response. “What if you couldn’t chat on Slack without first proving that you’ve been vaccinated? I think we’d up our numbers pretty quick.” is as good a hypothetical as the original.

                    Anyway, even if the author is writing this entirely as a joke, I assume that people exist who would actually like to influence the public-health-related behavior of the public at large by building personal medical information checks into the software they use frequently, and think about ways to bypass these checks before they actually get built. And one great way to avoid even the possibility of these kinds of checks is to avoid using platforms run by someone other than you to begin with.

                    1. 8

                      Slack is not a huge company

                      No, it’s not. Slack is a chat application. Slack is owned by Salesforce, which is an absolute behemoth of a company.

                      The author was using the idea of vaccination-status-based-access-control as a conceit to make a discussion of how to parse the data encoded in that QR code less bland. It’s neither a policy proposal nor any kind of political statement. It’s a joke to make more people read a blog post that would otherwise be extremely tedious. Like the author says. Repeatedly.

                      Your assumption that “people exist who would actually like to influence…” is really only interesting in the sense of rule 34. If you can imagine something, people exist who are interested and they are probably sharing details about it on the internet.

                2. 5

                  This “joke” feels more like a warning to me.

                  1. -2

                    It’s racism and bigotry, plain and simple.

                    1. 6

                      I think racism is a specific kind of bigotry, so I’m going to just use that as shorthand instead of “racism and bigotry” for the remainder of this comment. Please read “racism” as “racism and bigotry” and “racist” as “racist and bigoted” to the extent that you draw a distinction between racist bigotry and other bigotry for the purposes of this comment.

                      What is racist about telling people how to parse these QR codes using a joke about access control?

                      Please be very specific, because I’m really trying to see how it’s racist, and I just can’t. Are vaccines being denied to people on the basis of race or ethnicity? Where? How? I know there were allegations of that during the early US rollout, but even if they were true then, they are not currently true.

                      I keep trying to come up with a way to phrase my question to make it sound less combative. But I can’t, so I’ll just explicitly say that it is a good faith question and not some rhetorical point. I have not heard of vaccines being tied to race anywhere, and I would really like to understand the association you are making.

                      1. 3

                        This is a joke

                        1. 2

                          If you can be vaccinated and a vaccine is available to you and you’re not getting one, you should feel bad.

                          Again I’m not laughing

                          So go ahead build your wall. Exclude the 3rd world, it’s what the goal is.

                          1. 7

                            Read what you quoted.

                            If you can be vaccinated

                            and a vaccine is available to you

                  2. 5

                    Well, the government are not joking. What happened to medical confidentiality?

                    1. 16

                      Having to prove you have a vaccination has been a requirement in all manner of situations before this - like international travel.

                      1. 8

                        I live in France, and a number of vaccines are already mandatory (for obvious public health reasons).

                        I’ve never had to present a proof of vaccination when I go to the theatre. Or Theme park. Or anywhere within my country for that matter. Even for international travel, didn’t need to give the USA such proof when I came to see the total solar eclipse in 2019. I’ve also never had to disclose the date of my vaccines, or any information about my health.

                        What you call “all manner of situation” is actually very narrow. This certificate is something new. A precedent.

                        1. 9

                          and a number of vaccines are already mandatory (for obvious public health reasons).

                          This is why you’ve not been asked for proof for international travel, since it’s assumed that you’ll have received these immunisations or be unexposed through herd immunity as someone who resides in France.

                          We’re currently in a migration period where some people are immunised and others aren’t. We’ve had this happen before– the WHO is responsible for coordinating the Carte Jaune standard (first enforced on 1 August 1935) to aid with information sharing, but they haven’t extended it to include COVID-19 immunisation yet.

                          In a 1972 article, the NYTimes headlines “Travel Notes: Immunization Cards No Longer Needed for European Trips” regarding Smallpox immunisations.

                          Still, even today, immigrants applying to the United States for permanent residency remain required to present evidence of vaccinations recommended by the CDC: https://www.cdc.gov/immigrantrefugeehealth/laws-regs/vaccination-immigration/revised-vaccination-immigration-faq.html#whatvaccines

                          1. 3

                            (Note: international travel is one use case where I believe it’s perfectly legitimate to ask for evidence of vaccination. It’s the only way a country can make sure it won’t get some public health problems on its hands, which makes it a matter of sovereignty.)

                      2. 1

                        It’s not the government that’s sharing this information. It’s you when you present that QR code. This is equivalent to your doctor printing out a piece of your medical records and handing it to you. You can do whatever the hell you want with that piece. It’s your medical history. If you want to show it to someone, you can. If you don’t want to show it to someone, you can. The government only issues the pass. Nothing more.

                        1. 2

                          The QR code has a very important difference with a piece of paper one would look at: its contents are trivially recorded. A piece of paper on the other hand is quickly forgotten.

                          This is equivalent to your doctor printing out a piece of your medical records and handing it to you.

                          No, this is equivalent to me printing out a piece of my medical record and handing it to the guard at the entrance of the theatre. And I’m giving them way more than what they need to know. They only need a cryptographic certificate with an expiration date, and I’m giving them when I got my shot or whether I’ve been naturally infected. I can already see insurance companies buying data from security companies.

                          You can do whatever the hell you want with that piece. It’s your medical history.

                          There’s a significant difference between the US and the EU here, that is worth emphasising. In the US, your personal information (such as your medical history) is kind of your property. You can give it or sell it and all sorts of things. In the EU however your personal information is a part of you, and as such is less alienable than your property. I personally align with the EU more than the US on this one, because things that describe you can be used to influence, manipulate, and in some cases persecute you.

                          If you want to show it to someone, you can. If you don’t want to show it to someone, you can.

                          Do I really have that choice? Can I really choose not to show my medical history if it means not showing up at the theatre or any form of crowded entertainment ever? Here’s another one: could you actually choose not to carry a tracking device with you nearly at all times? Can you live with the consequences of no longer owning a cell phone?

                          1. 0

                            If you carry a tracking device with you at all times, why do you care about sharing your vaccination status? And why should someone medically unable to be vaccinated care about your privacy when their life is at risk?

                            As someone whose father is immunocompromised, and with a dear friend who could not receive the vaccine due to a blood disease, fuck off. People have died.

                            1. 3

                              fuck off. People have died.

                              Since you’re forcing my hand, know that I received my first injection not long ago, and have my appointment for the second one. Since I have good health, I don’t mind sharing too much.

                              What I do mind is that your father and dear friend have to share their information. Your father will likely need more than 2 injections. If it’s written, we can suspect immunocompromission. Your friend will be exempt. If it’s written, we can suspect some illness. That makes them vulnerable, and I don’t want that. They may not want that.

                              Now let’s say we do need that certificate. Because yes, I am willing to give up a sliver of liberty for the health of us all. The certificate only needs 3 things:

                              • Information that can be linked to your ID (some number, your name…)
                              • An expiration date.
                              • A cryptographic certificate from the government.

                              That’s it. People reading the QR-code can automatically know whether you’re clear or not, and they don’t need to know why.

                              If you carry a tracking device with you at all times, why do you care about sharing your vaccination status?

                              I do not carry that device by choice. The social expectation that people can call me at any time is too strong. I’m as hooked as any junkie now.

                              1. 2

                                I am willing to give up a sliver of liberty for the health of us all.

                                I appreciate your willingness, your previous comments made me think you weren’t. I apologize for my hostility. I think we can agree we should strive to uphold privacy to the utmost, but not at the expense of lives.

                                That’s it. People reading the QR-code can automatically know whether you’re clear or not, and they don’t need to know why.

                                That’s true, and that system would be more secure. But the additional detail could provide utility that outweighs that concern.

                                I can already see insurance companies buying data from security companies.

                                Insurance companies already have access to your medical history in the US. Equitable health care is an ongoing struggle here. ¯\_(ツ)_/¯

                                Edit: I removed parts about US law that could be incorrect, as IANAL.

                                1. 5

                                  Deep breath, C-f HIP … sigh

                                  HIPAA states PHI (personal health information) cannot be viewed by anyone without a need to know that information, and information systems should never even allow unauthorized persons to view that information in the first place. Device or software that displayed PHI to a movie theatre clerk would never go to market because it would never pass HIPAA compliance.

                                  Damn it, no, this is incredibly wrong.

                                  HIPAA applies to covered entities and business associates only. Covered entities are health care providers, insurance plans, and clearinghouses/HIEs. Business associates are companies that provide services to covered entities – so if you are an independent medical coder that reads doctor notes and assigns ICD10 codes, you’re covered because you provide services to a covered entity. How do you know if you’re a business associate? You’ve signed a BAA.

                                  Movie theaters are not covered entities, and are not business associates. HIPAA has zero bearing on what they do. Your movie theater clerk could absolutely mandate you share your vaccination status – just like your doughnut vendor can ask in exchange for a free doughnut.

                                  1. 1

                                    Your movie theater clerk could absolutely mandate you share your vaccination status

                                    Yeah. As the movie theater is private property, and “unvaccinated” isn’t a protected group, they are allowed to discriminate all they want.

                                    But I admit I am surprised they’d legally be able to store and sell your medical records. It seems you’re correct, and I had incorrectly generalized my experience and knowledge dealing with other covered entities all day to non-covered entities. A classic blunder of a programmer speaking about law, whoops. I’ve cut those statements from my prior comment.

                                    I still don’t think that vaccination information would be any news to insurance companies, but I’m yet again disappointed by US privacy law.

                                    1. 2

                                      Yeah. As the movie theater is private property, and “unvaccinated” isn’t a protected group, they are allowed to discriminate all they want.

                                      It is conceivable you could make an ADA argument here – “I can’t get a COVID vaccination due to a medical condition; therefore, you need to provide a reasonable accommodation to me”. But that’s maybe a stretch, I’m not sure.

                                      But I admit I am surprised they’d legally be able to store and sell your medical records

                                      I think a lot of this comes down to training about HIPAA. If you’re in-scope for HIPAA, many places (rightfully) treat PHI as radioactive and communicate that to employees. And there’s very little risk in overstating the risk around mishandling PHI - it’s far safer to overmessage the dangers to people who work with it.

                                      Indeed, until I needed to get involved on the compliance side – after all, somebody has to quote HITRUST controls for RFPs – I overfit HIPAA as well.

                                      I’m yet again disappointed by US privacy law.

                                      If you want to feel marginally better, go read up on 42 CFR Part 2. It still only applies to covered entities but it offers real, meaningful protections to an especially vulnerable population: people seeking treatment for substance use disorder. It also makes restrictions around HIPAA data handling look trivial.

                                  2. 2

                                    But the additional detail could provide utility that outweighs that concern.

                                    Possibly. That would need to be studied and justified, I believe.

                                    Furthermore any reader of these QR codes should only return a pass/fail result, […]

                                    Actually that’s what I expect from official programs, including in France. The problem is the QR code itself: any program can read it, and it’s too easy (and therefore tempting) to write or use a program that displays (or records!) everything.

                                    HIPAA laws are some of the few here that have teeth

                                    Hmm, that’s less horrible than I thought then. Glad to hear it.

                                    1. 1

                                      Hmm, that’s less horrible than I thought then. Glad to hear it.

                                      As @owen points out, IANAL and these laws don’t apply in this circumstance. I still don’t think that vaccination information would be any news to insurance companies, but I’m yet again disappointed by US privacy law.

                        2. 3

                          Even though this is meant as a joke, it also serves as a nice PoC for people who will actually unironically want to deploy something like this.

                          I’m not entirely sure how I feel about this. Honestly, some jokes might better remain untold.

                          1. 6

                            The way I understand it, it’s not a joke. It’s a warning.

                          2. 4

                            This is a bad idea and you should feel bad.

                            I do not. If you can be vaccinated and a vaccine is available to you and you’re not getting one, you should feel bad.

                            Do you really expect anyone else to do this?

                            I could see it being used as a promotion […]

                            The road to hell is paved with good intentions.

                            If not dying is not enough of an incentive to get the vaccine, I’m not sure what will be.

                            In my region, we are 3.79 million people: between 24th February 2020 and 19th June 2021 (481 days) there are 2720 people who died in hospital with covid19 (and not necessarily from), the large majority of them being over 75 years old.

                            In the end, maybe “not dying” really isn’t a sufficient incentive to take these vaccines for some people, and we should respect that. Moreover, drug alternatives exist which can reduce the incentive too.

                            Cf: Sources are in French unfortunately, but charts are easily translatable.

                            1. 4

                              All this for eight hours of lost life expectancy

                              If the 18-year-old dies, he loses 61.2 years of expected life. That’s a lot. But the probability of the 18-year-old dying, if infected, is tiny, about 0.004%. So the expected years of life lost are only 0.004% times 35% times 61.2 years, which is 0.0009 year. That’s only 7.5 hours. Everything this younger person has been through over the past year was to prevent, on average, the loss of 7.5 hours of his life.

                              1. 4

                                Everything this younger person has been through over the past year was to prevent, on average, the loss of 7.5 hours of his life.

                                That’s discounting all the lost hours that may have arisen from people infected by that 18 year old if he caught COV19. Which is kinda messed up, no?

                                1. 1

                                  Not really. Since we’re talking about broad policies, thinking about “well what if an 18-year-old infects X many people” is not very instructive. Instead, we should consider the total number of people who would be infected, if we changed policies.

                                  Herd immunity for SARS-CoV-2 would be reached after perhaps 70% of the population has been infected… While perfect protection would eliminate the risk of infection, few people can practice it. Based on data analyzed by economists at the University of California, Berkeley, we assume that actual protection reduced the risk of infection by roughly half. Therefore, imperfect protection reduced the risk of infection for the average American from 70% to 35%.

                                  That is, roughly twice as many Americans would have been infected.

                                  1. 1
                                    1. 1

                                      I figured we both had read the article which I linked two posts above.

                                2. 4

                                  No dead 18 year old loses 7.5 hours of life. You’re saying that it’s cool for 0.004% of 18 year olds to die.

                                  Also your calculation is BS because you’re not taking account of the long term health effects of non-fatal covid; and you’re not using any kind of quality of life adjustment. And over the whole population the calculation is different, and disease protection is a whole population effort.

                                  1. 5

                                    You’re saying that it’s cool for 0.004% of 18 year olds to die.

                                    You make him say it, he didn’t.

                                    Every death is a tragedy in itself, but you should take some distance to find incoherence in this global situation.

                                    For example, according to WHO 4 million deaths are related each year to diabetes; yet do we see as much passion as for covid from governments and corporations to prevent it? If not, we should ask ourselves why, especially if every person counts. I am yet to see McDonald’s lock down.

                                    And the same analysis can be said for pesticides, air pollution, water pollution, ground pollution, cigarettes, cancers, etc…

                                    1. 3

                                      To expand on what @Student said, mutations are a big reason to control spreading. Mutation is what gets you vaccine-resistant strains, not to mention the risk of more lethal strains.

                                      Diabetes isn’t contractable, nor does it mutate on infection.

                                      Externalities like pollution are even further distanced from infectious diseases.

                                      1. 1

                                        My point was more about deaths and how governments/corporations/media react to it, not targeting a death cause in particular.

                                        The current situation may have another meaning when you take some distance with just talking about covid and vaccines.

                                    2. 2

                                      Also your calculation is BS because you’re not taking account of the long term health effects of non-fatal covid

                                      The case rate of “long covid” is roughly proportional to the death rate. That is, prolonged symptoms occur in people who might have died if their symptoms were more severe. Therefore, this has the same cost distribution as death does.

                                      and you’re not using any kind of quality of life adjustment.

                                      Of course I am.

                                      The costs of protection include reduced schooling, reduced economic activity, increased substance abuse, more suicides, more loneliness, reduced contact with loved ones, delayed cancer diagnoses, delayed childhood vaccinations, increased anxiety, lower wage growth, travel restrictions, reduced entertainment choices, and fewer opportunities for socializing and building friendships.

                                      I’d say that forcing a reduced quality of life on so many people is too big of a cost.

                                      And over the whole population the calculation is different, and disease protection is a whole population effort.

                                      The risk is primarily concentrated in the old.

                                      SARS-CoV-2 is highly discriminatory and views the old as easy targets. Had policy makers understood the enemy, they would have adopted different protocols for young and old. Politicians would have practiced focused protection, narrowing their efforts to the most vulnerable 11% of the population and freeing the remaining 89% of Americans from wasteful burdens.

                                      1. 1

                                        Would they really have adopted? Would that have been the right course of action?

                                        Seems someone in the comments is also trying to correct someone else being wrong on the internet:

                                        As is well known, as viral cases spread more mutations arise leading to further spread in the community. Blithely recommending that younger individuals should have simply avoided all covid protections flies in the face of prudent epidemiologic practice and ignores the costs associated with covid morbidities.

                                        Not to mention the pandemic that lasted 50 million years when one might think herd immunity should have been reached.

                                        Of course different countries have had different blunders and anyone’s free to believe what they want, but it’s as if some of the most basic things are forgotten in these opinionated discussions.

                                    3. 2

                                      Preach to the choir ;)

                                      Thanks for the interesting article, I will read it after work!

                                  2. 0

                                    Good idea, we need to exclude more of the 3rd world, and poor.

                                    Also screw those who got sinovac, because again screw anybody outside of California.

                                    American bigotry is the worst.