Vaccine passport apps are owned by private companies that could be sharing (or leaking) your data. With COVID vaccine cards becoming more common, which vaccine apps can we trust? And how do we know our data is safe?
Oct 14, 2021
Canada’s PORTpass vaccine app made recent headlines when it was discovered that any member of the public could access the user profiles of its 650,000 users. Confirming the doubts of security researchers and privacy advocates everywhere, the app, which previously claimed to use AI and blockchain to verify records, left names, ID photos, email addresses, blood types, phone numbers, and birth dates exposed.
In the UK, vaccine passports or coronavirus tracing apps are not yet mandatory but may soon become the standard used for access to large events.
Vaccine passport apps have been blasted as an infringement on citizens’ rights, a third-party marketing opportunity, and bad news for the privacy-conscious. Given the immense pressure to put a solution in place quickly, security might not be a top priority for the app developers.
Our two concerns are:
Let’s look at 3 of the most popular vaccine passport apps of 2021.
CommonPass: Compares your vaccine records with individual country requirements.
Created by The Commons Project and the World Economic Forum, the CommonPass app is free and does not store or pass any of your data to third parties.
They neither retain your data nor operate from a central repository of health data. The app simply creates a digital version of your vaccination records, inspects it, and compares it with the entry requirements of countries you may want to visit.
CovPass: (EU) Uses encryption.
If you have the EU Digital COVID Certificate, CovPass will digitize it and store it on your smartphone as a QR code.
Three things make CovPass pretty secure in our book. Firstly, your data is only ever stored on your smartphone, so even CovPass employees can’t access it. Secondly, the QR code only uses the minimum required data (your name, birthday, and vaccine status, in accordance with EU regulations). And, finally, your data in the QR code is secured with encryption and requires your signature to access it, so it can’t be forged.
NHS COVID Pass Verifier: (UK) Uses encryption and links to your health clinic.
The NHS app encrypts your data. It not only stores your vaccination certificates but also lets you book GP appointments, lets you access your health records, and gives you advice. To prove who you are, you’ll need to create a username and password to sign in.
A word of warning: Opt out of using facial verification or fingerprints at login (even if the app asks you to do this by default).
It was discovered in September 2021 that the NHS app was storing facial recognition data with iProov. The London-based company has previously held contracts with HM Revenue and Customs and has also been linked with funding from the Conservative Party.
No matter how secure your COVID passport app is, your data will still be at risk if you let down your guard elsewhere. That's why we recommend that you use a VPN to enhance overall online security.
It's important to remember that a VPN cannot protect you if you're using an unsecure or high-risk application — the risks we've discussed above will still be present. However, a VPN will encrypt your data so that hackers and Wi-Fi spies can't steal your personal information through unsecured connections.
NordVPN will give you an added layer of protection whenever you go online. This is especially useful when you’re using public Wi-Fi, where a compromised router could leave your data exposed to cybercriminals. You can also get the mobile NordVPN app.