Why a New Health Passport App Raises Privacy Concerns

Tap, hack, fly?

Key Takeaways

  • A new app will soon let passengers prove that they are negative for COVID-19.
  • CommonPass is being introduced by major airlines for certain international flights.
  • Observers say that the new app raises privacy concerns and that the data could be hacked.

A new health passport app that aims to verify airline passengers’ COVID-19 test results is raising privacy concerns. 

United, JetBlue, and Lufthansa are among the major airlines that plan to introduce the app, called CommonPass. The app will issue confirmation codes allowing passengers whose test results have been confirmed to board certain international flights. But hackers could potentially gain access to the medical data that’s stored for the app to retrieve, experts say.

"While I anticipate the organizations creating this solution have thought long and hard about protecting the underlying data," Mark McCreary, a partner at the law firm Fox Rothschild and co-chair of the firm’s Privacy & Data Security Practice, said in an email interview, "I would be concerned with having all of that information centralized with an organization that is not equipped to store healthcare information. It would be nice to hear that the underlying data is destroyed immediately after the yes/no certification is created."

From Lab to Airport Check-In

Airlines plan to use CommonPass on a wide variety of international routes, although the app is still in a testing phase. It will be available for both Android and iOS.

To use CommonPass, travelers take a COVID-19 test at a certified lab and upload the results to their mobile phone. They then complete any additional health screening questionnaires required by the destination country.

"Without the ability to trust COVID-19 tests—and eventually vaccine records—across international borders, many countries will feel compelled to retain full travel bans and mandatory quarantines for as long as the pandemic persists," Dr. Bradley Perkins, Chief Medical Officer of The Commons Project and former Chief Strategy & Innovation Officer at the U.S. Centers for Disease Control and Prevention (CDC) said in a news release.

"With trusted individual health data, countries can implement more nuanced health screening requirements for entry."

United Airlines tested the digital health pass on a flight from London to Newark, New Jersey in October. It was the first transatlantic trial of CommonPass, following a successful earlier trial with Cathay Pacific Airways between Hong Kong and Singapore.

Currently, COVID-19 test results for travel are often shared on printed paper—or photos of the paper—from unknown labs, often written in languages foreign to those inspecting them. There is no standard format or certification system.

"It strikes me as much safer than paper records as currently proposed by many governments, including the US federal government," McCreary said. "It could be argued that a universal, electronic solution would be much more effective than disparate systems that, frankly, could be at risk of fraud."

Built for Privacy, Nonprofit Says

The Commons Project, the nonprofit public health trust that is building CommonPass, says on its website that privacy has been a key factor in the design of the app. "CommonPass delivers a simple yes/no answer as to whether the individual meets the current entry criteria, but the underlying health information stays in the individual’s control," the company says.


But the privacy protections of CommonPass have yet to be tested on a large scale, experts say. "While CommonPass claims users will be able to validate their COVID-19 status without revealing any of their other personal health information, any system that contains sensitive personal information is sure to be a target for hackers and the other bad actors of the world," Chris Hauk, consumer privacy champion at Pixel Privacy, said in an email interview. 

Hauk said he hopes that CommonPass will offer the same stringent privacy protections as Apple's Health app for iOS. "Health ensures the patient's information is stored securely and privately on the user's device in an encrypted format," he added.

While the coronavirus vaccine is slowly being rolled out around the world, many travelers are anxious to get back on the road. The TravelPass may be one way to restart long-delayed trips, but privacy shouldn’t have to suffer along the way.
