Digital Covid-19 passports: possible security and privacy risks

The world introduces “green” passports for people with immunity: technology and data privacy issues

Vaccine passport is introduced. Various countries are starting to adopt the "green" passport idea, which should provide more normal living opportunities for those vaccinated.

The pandemic brought new meaning to words like work, distancing, and now, passport. Covid-19 vaccination started to help people with diseases, older generations, and those who are more at risk, so the “green” or vaccination passport in digital form has become the subject of many concerns.[1] It should help people to access more activities. Still, many are questioning the fact that many details about a person need to be revealed for the system to be effective in all aspects, from verification to forgery avoidance.[2]

The document should certify people with antibodies and people with one or both doses of the vaccine, and give them more opportunities to visit particular cultural facilities, gyms, bars, etc. Knowing that a person got the vaccine, and when, is apparently not enough.

These passports should include more personal details like date of birth, ID document number, negative test dates, and other information. According to some developers, vaccine or “green” passports should allow traveling, so the picture beside the individual QR code is also needed.

China[3] was the first country to introduce this form of vaccination passport for travelers, so those who have received their vaccines get verified permission to travel around. The implemented passport includes vaccination status and recent results of Covid-19 and antibody tests. However, there are still doubts due to the lack of evidence on vaccines and equality issues.

Smartphone usage involves revealing/storing personal or credit information

One of the features of this vaccination passport is that the QR code and all the details about immunity or negative tests get stored within the mobile application for accessibility. Of course, there are ethical concerns, since not everyone uses a smartphone and can benefit from the “freedom” service, but there are more concerns when it comes to security and data privacy.

First of all, many companies develop smartphone applications with these systems for Covid-19 vaccination passports. These programs create digital credentials that can be shown when entering a particular venue or when traveling to other countries. Information such as test results, proof of vaccination, hospital records, and certificates gets added, and a unique QR code is formed.[4] Many apps act as a container for certificates. You can find them in smartphone app stores.

Secondly, there is the issue of what information should be stored in the application so that the person who verifies the data can be sure that the information and details about immunity are linked to the particular holder of the app. Test details are valid only for a particular time period; the same goes for antibody information and even vaccination. These variables can also depend on the particular vaccine that a person has received, since the effectiveness of each one varies from 80% to 95%.

A point of entry – whether that's a border, whether that's a venue – is going to want to know, did you get the Pfizer vaccine, did you get the Russian vaccine, did you get the Chinese vaccine, so they can make a decision accordingly.

Lastly, these days smartphones store more than contact information and personal photographs. Many people store half of their lives on a mobile device because work emails, other services, and platforms can be managed using it. Another digital age feature – banking information and digital currency. Many apps and services store those credit card details when you shop online via your phone or pay for a particular service. It is convenient and useful, but it is risky too.

Testing and Covid-19 immunity. The world pandemic reaches a new stage where vaccination or negative testing proof gets you into a bar or gym.

Mobile threats and digitalized money can lead to monetary loss

If you use Uber or a similar car service, order food via a takeout application, or manage your finances via a mobile app, there are many credit card details stored in those apps. Cryptocurrency exchange also happens in mobile applications, and many of them gain popularity each day. A Covid-19 passport adds even more personal details regarding your health history and identification information.

When your phone gets stolen, or you lose it, that might result in huge monetary losses or even identity theft.[5] Those payments can happen fairly quickly, and you might not even notice when the bank account is emptied. There are many concerns over forgery and the failure of government-backed technology projects.

As smartphones and these mobile applications become identification and financial service management tools, they become more of a security issue, since users spend more and more time on the internet using their mobile phones. The internet is not the safest place to spend your time, especially when there are many mobile threats that you can download without noticing:

  • adware;
  • drive-by downloads;
  • trojans;
  • phishing scams;
  • browser-based threats;
  • worms;
  • backdoors;
  • droppers;
  • mobile ransomware.

While the focus is on protecting privacy and proving the information provided via the “green” passport, security and IT vulnerabilities might be overlooked. With so many details kept on one device, password security and the physical security of the device are important. If an infection or a malicious actor gets onto the system, it is possible to wipe your device clean and obtain all those private details for further attacks or financial gain.

Vaccination in countries goes to another level. Second state of world vaccination - "freedom" passports.

Questionable data privacy control and risk of breaches

Since these Covid-19 vaccine passports rely on storing vaccination information in centralized databases, the issue of exposure of such data arises. Information can get breached, and control of such information can be managed poorly. There have been many instances when client data got breached from various databases[6] or when malware was involved.[7] Data can get breached due to:

  • insider mistakes;
  • physical theft of information;
  • DDoS attacks;
  • malware infections;
  • SQL injection;
  • payment card skimming;
  • cyber-espionage;
  • database leaks/hacks.

Some security vulnerabilities have already been discovered in such passports during development. Individual users and organizations might not want to participate if those security and privacy issues are not addressed when the service is launched worldwide. There are many questions, and it is not yet clear if all countries will adopt vaccine passports.

It is crucial to combat this virus and come up with coordinated solutions for all countries.[8] Some program developers state that privacy and transparency are important to them, as representatives of IBM and the Linux Foundation state:

Trust and transparency remain paramount when developing a platform like a digital health passport, or any solution that handles sensitive personal information. Putting privacy first is an important priority for managing and analyzing data in response to these complex times.

There are at least three parties involved in such practices: the provider of the information (the health provider or government institutions); the holder, a person who is granted the right to this passport; and the verifier, a person or institution that can provide a particular service not accessible without a particular test result or vaccination proof. Specific security measures should therefore be implemented in each of these parts of the system. There are still many questions and concerns, but it is believed that those problems can be sorted out and taken into consideration when each country releases its version of the “green” passport.

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
