Vaccine Passport: The Government Can't Share Your Data, But Airlines Can

As the United States nears the 50% mark for fully vaccinated individuals and many Americans are eager to travel again, vaccine documentation has emerged as a hot topic in the polarized political forum.

Blue states like California, New York, and Hawaii have launched or are working to launch vaccine passports of their own, while red states like Florida, Utah, and Texas have passed laws banning the requirement of such verification systems.

While these passports continue to garner visceral political reactions, differing from state to state, public companies and nongovernmental organizations have quietly rolled out passports of their own. American Airlines, United, and The Commons Project Foundation, a digital health non-profit, have all created their own passports.

In accordance with the privacy policies of these passports, the companies and organizations that collect and store data pertaining to the COVID-19 vaccination status of individuals can share that information with third-party companies, including customs and border officials, business affiliates, contractors, and marketing providers—often for profit.

While these companies may not be actively sharing this information at the moment, John Morris, an expert in cybersecurity and privacy law with the Brookings Institution, said the wording of these policies could protect them from legal repercussions associated with doing so.

Airline Privacy Policies Allow Them to Sell Your Personal Data

"American Airlines' privacy policy's language is unclear enough that I cannot be sure that they won't share my health information to their email marketing provider," Morris told Newsweek.

After reviewing United's privacy statement, Morris shared the following thoughts:

"United appears to have simply included 'health information' in its broader privacy policy, but then provided no extra protections for such potentially sensitive information," he told Newsweek. "This appears to leave open the possibility that the company could share personal health information with its marketing partners and other third parties."

American Airlines and its One World Alliance contracted Daon, a biometrics and identity assurance software company, to create its app veriFLY. Their privacy policy states:

"We may share your Personal Information with third party service providers working on our behalf in order to facilitate our interactions with you or request or support our relationship with you, such as hosting service providers, IT providers, operating systems and platforms, internet service providers, analytics companies, and marketing providers."

Newsweek contacted press officials with American Airlines for comment, but they did not respond in time for publication.

United Airlines has a similar policy that allows them to share and sell the personal data of their passengers.

The United policy states, "We may also share your information with third parties as necessary to complete your transaction or fulfill your requests. United may also share your information with third parties for marketing purposes, including, but not limited to, the third party's own marketing or promotional purposes or other companies' marketing purposes in order for them to present you with offers on services or products that may be of interest to you."

Newsweek contacted press officials with United Airlines for comment, but they did not respond in time for publication.

Morris said that the Delta Air Lines privacy policy stood out from the others in protecting personal data.

"Delta's privacy policy is more clear and protective," Morris told Newsweek. "Delta acknowledges that health information can be sensitive, and identifies the limited purposes for which COVID-related information might be used."

Not-for-Profit Foundation Designs Travelers Vaccine Pass

The Commons Project, which is described on its website as "a nonprofit public trust established to build platforms and services to make life better for people around the world," has designed a Common Pass for travelers.

The policy statement for the Common Pass states, "We may share information with vendors, consultants, and other service providers who need access to such information to carry out work for us. Their use of personal data will be subject to appropriate confidentiality and security measures (e.g. cloud providers who host our App). We may also disclose personal data to border control officials, law enforcement, regulators or others if we believe in good faith that access, use, preservation or disclosure of the information is necessary."

JP Pollak, co-founder and chief architect of The Commons Project, told Newsweek that protecting the personal information of travelers was a primary concern in the design of the Common Pass app.

"The primary protection that we have in place here is complete decentralization and data minimization," he said. "The data exists on people's devices under their control."

He emphasized the data collected is very limited.

"The data that we are pushing to the cloud and sharing with airlines, is completely minimized to the point where even if you were to obtain that entire database, there's no personal health information in there," Pollak said.

Apps like Common Pass are being developed for use by individuals in air, land and sea travel, and to obtain entry to places where proof of vaccination is required. But regulations and requirements for that proof will likely differ from location to location and country to country.

While use of these apps remains optional at the moment, they already allow travelers to gain access to express lanes within certain airlines and destinations.

New York, California, EU and Canada Lead Vaccine Passport Push

Unlike the United States, not all nations have turned to nongovernmental agencies for help. Travelers to Canada must upload documentation to the nation's ArriveCAN application, where their data is protected under Canada's Privacy Act.

The European Union developed the E.U. Digital COVID Certificate, which isolates data to the platform and does not store or retain it when the certificate is verified through its QR code or by human checks.

Like these passes, New York state's Excelsior Pass follows legal guidelines set by its region of operation, abiding by New York State Information Security policies. Its privacy page states, "(Data) will not be used for sales or marketing purposes or shared with a third party."

Lucia Savage, chief privacy and regulatory officer at Omada Health, a digital health care program provider, spoke with Newsweek about where the storage of data by the airline passes stands within the discourse around vaccine verification methods, comparing it to the policies of California and New York state.

"What's genius about what New York state and California are doing is the person gets to decide if they want their vaccine record exposed to other people, as opposed to being profiled," Savage told Newsweek. "What really worries me is when we have organizations that might try to reach a conclusion about a person's vaccinated status from indirect data or badly matched data."

Savage notes that, unlike with data held in the traditional healthcare space, people can be tracked and targeted with medical-related advertisements when they're conducting searches through traditional web browsers. When certain smartphone settings, like Apple's app tracking feature, are turned on, applications can track data across other companies' apps and websites.

While proof of vaccination is not anything new, its circulation through mainstream digital mediums is a relatively recent phenomenon. As Savage notes, the rules around healthcare data and sharing differ by sector, as well as by country.

"In America, there's a very big divide between the way your health information is protected inside healthcare, including public health agencies, and the way it's protected in the commercial realm," Savage told Newsweek. "What's happening in (New York and California) is individuals are being given a chance to access the records the state already has about them."

Beyond the concern of data sharing, there are also concerns about the potential for these passports to fall victim to a cybersecurity attack. Since the outbreak of the pandemic, private companies including SolarWinds, JBS meat processing, and the Colonial Pipeline Company have fallen victim to attacks.

Vaccine Passport Cybersecurity a Serious Concern

Morris of the Brookings Institution is concerned about the cybersecurity of the personal healthcare information being stored in these applications.

"If the app has to be able to disclose to a foreign government exactly when and where a particular vaccine was given, then it has to be able to maintain that and provide that in an unencrypted form," Morris told Newsweek, "which means that if the app is itself insecure or the database behind the app is insecure, then yes, there is increased cybersecurity risk."

If foreign governments require the passports to share access to their underlying databases, Morris said they then face an increased risk of falling victim to a cybersecurity attack. However, if they are willing to accept traveler validation through looking at a user's screen or scanning their QR code, then the passports face far less of a risk, he said.

With the threat of a ransomware attack facing "anyone operating on an app," Morris said, these vaccine passports could encounter a cyberthreat down the line. He said protecting them requires a dedication to ensuring security within both the coding of the app and its database.

Though these apps are run by nongovernmental agencies, Morris said this does not inherently make them more vulnerable to a cyberattack. Because the United States does not have a federal COVID-19 status verification system, he sees these apps as tools being used to fill a requirement necessary for American travelers. However, as the nation moves forward with them, he urges companies to show transparency around their usage of customer data.

"With a governmental agency, you might have a higher level of confidence that the person operating the app is not trying to sell your data," Morris said. "It would be very critical for any private entity that wants to offer this kind of app to make very clear assurances that it's not marketing the data for other purposes, and that the only purpose is to validate your vaccination status."

Correction (12:15 p.m., 7/16/2021): Following publication of this story, American Airlines contacted Newsweek and provided the following information on their privacy policies as they relate to health care data provided by passengers for their VeriFLY application: "American Airlines, along with several other oneworld carriers, makes the VeriFLY app available to our customers as a convenience for their travel. We are not the app developers so Daon is best able to speak to how they manage users' data."