We’re Investigating Vaccine Passport Apps: Initial Findings

By Leslie Harris

As more people in the United States and around the world receive COVID vaccines, state and local leaders are struggling to ensure public safety as more people begin to travel, dine out, meet up with friends and family, and gather for events.

When New York launched its Excelsior Pass in late March, we entered a new phase of the COVID-19 pandemic recovery: using personal vaccination information to ensure those gathering in public are protected. But who should have access to that information and what are the rules to ensure privacy is protected? Right now there is no uniform guidance from the federal government to ensure that privacy is protected.

Source: CanvaPro

The demand for a safe return to normalcy, has led some state governments and hundreds of private companies to begin to develop so-called “vaccine passports,” mobile apps that can confirm an individual’s vaccination status to airlines, immigration authorities, restaurants, stores, public events and more.

For consumers, making a choice that both meets their needs and protects their privacy is daunting. For example, the nonprofit Commons Pass, developed an app for global use that is intended to ease travel across borders. Officials at the border crossings never see any personal health information in the app and no data is shared or stored during the transaction. In contrast, Clear, a company that promises expedited security checks in airports and stadiums, is now offering health passports, but users have to share biometrics to verify their identity.

Unlike countries that have a national health service and can quickly validate the identity of a passport holder without sharing personal information, the United States, with 50 state health systems, conflicting state laws, and a lack of clear federal guidance risks a patchwork approach to vaccine passports that will leave the public bewildered and uncertain about how to benefit from a passport app without sacrificing privacy.

In the coming months, IDAC will investigate these Vaccine Passport apps as they reach the market to increase transparency about privacy practices, identify harms and practices that don’t align with app users’ reasonable expectations, and highlight best practices.

Although our investigation is just beginning, below, we share the results of our investigation into the New York Excelsior Pass, the first state vaccine pass to be offered to the public.

The New York State Excelsior Pass

The Excelsior Pass, funded by the state, is available free of charge to businesses and anyone with vaccination records or test results in New York. The IDAC investigation team ran a series of tests on Excelsior Pass to determine how the app was treating user data.

In our investigation, we performed both a manual dynamic test and static test.

New York treats a pass like an airline boarding pass, with digital forms for smartphones as well as a paper backup. There are two types of apps. The “NYS Excelsior Pass Wallet” is for users to carry a digital form of their pass while a separate app is used by a venue to verify the validity of a pass, “NYS Excelsior Pass Scanner.” Both apps are supported on both Android and the iOS mobile app platforms.

A person is expected to download the Pass Wallet app to their smartphone to load vaccination or test information. A person can print a paper version of the pass if they do not have a smartphone. In each case, there is a QR code to represent the pass. The pass also presents the name and birth date of the user..

A venue operator will use the Pass Scanner app to scan the QR code. The Pass Scanner app connects to the state-run databases to present the results associated with the pass represented by the QR code. The venue operator is advised to verify the identity of the person presenting the pass with a valid identification. There does not appear to be any online verification of identity, only the pass itself.

Our results found there were no inappropriate data transmissions, and no personal information or unexpected permissions transmitted. There was minimal use of Software Development Kits (SDKs) and the firebase appeared to be configured sufficiently.

The governing privacy policy on the app is clear and outlines which information is collected and access permissions, such as the use of the camera in order to scan the pass. A person provides their First Name, Last Name, Date of Birth, and Zip Code. The Department of Health will provide the confirmation of vaccination or test results. Each app does collect anonymous user data and metrics related to app adoption, but this is in line with normal expectations and likely analytics managed by the app store. The information security policy also outlines that data is maintained in a secure manner and will not be used for sales or marketing purposes or shared with a third party.

There have been concerns reported around the ability to falsify the information in the app. If the concerns around falsified data can be addressed, the New York Excelsior Pass is a good model for other states and countries to follow.

What’s next?

Our analysis of the New York Excelsior Pass is just the first app our team is analyzing to better understand how Vaccine Passport apps can protect user data and privacy. We are taking a deep dive into privacy practices and app security and will release more information in the coming weeks.

IDAC is an independent watchdog created to improve #digitalaccountability through international monitoring, investigation, education and collaboration.