Vaccine Passports Investigation: CommonPass Results

Last month, IDAC launched an investigation into Vaccine Passport apps, examining individual apps as they reach the market. Our intention is to increase transparency about privacy practices and to identify harms and data practices that don’t align with app users’ reasonable expectations. We also want to highlight best practices.

Today IDAC is releasing the results of its analysis of the CommonPass app. CommonPass is a free app in the Apple App Store and the Google Play Store, which was developed through a nonprofit public trust and is operated by The Commons Project. The Commons Project is working alongside the World Economic Forum and leaders from 52 countries to design a common framework for safe border reopening. To date, several major airline companies have started to use CommonPass and the app has garnered significant global media attention focused on its ease of use.

When CommonPass launched earlier this year, organizers billed it as a safe way for travelers to “securely document their certified COVID-19 test status while keeping their health data private.”

So far, CommonPass appears to be keeping that promise.

CommonPass is designed specifically to support travel across borders. Users need a QR code or invitation code from an airline or destination to use CommonPass. CommonPass allows users to upload their COVID test results or vaccination records to the app; the app then assesses the results to verify whether the traveler meets the health screening requirements for their travel destination and whether the results come from a trusted source. After the app assesses the results, the user receives a certificate in the form of a QR code that states “yes” or “no”, i.e. whether the traveler has met the requirements for that specific destination, which they can then present when traveling.

The IDAC investigations team ran a series of static and dynamic tests on CommonPass to determine how the app was treating user data. Our investigation found no inappropriate data transmissions, no transmission of personal information, and no unexpected permissions. There was minimal use of Software Development Kits (SDKs), which, if not deployed properly, can pose an unnecessary threat to privacy protections.

The privacy policy on the CommonPass website is easy to read and clearly outlines how a user’s information is collected and what permissions are needed. The policy states that information collected by the app is kept within the app and is not accessible to the developer unless the user submits a support request. The policy also states that user data will not be sold for sales or marketing purposes or shared with a third party, and our investigation confirms that the app’s data practices are aligned with the policy.

What’s next?

Our team is continuing to analyze how Vaccine Passport apps protect user data and privacy. We are continuing to take a deep dive into privacy practices and app security and will release more information in the coming weeks. You can see our initial investigative results and analysis of Vaccine Passport apps here, including the New York Excelsior Pass.

IDAC is an independent watchdog created to improve #digitalaccountability through international monitoring, investigation, education and collaboration.