Data privacy, security concerns as corporate providers step into US health pass vacuum

Airlines and non-governmental bodies are developing digital health passes to allow travel in the U.S. in the absence of a federal system. Travelers may be forced to use apps with terms and conditions which allow the passing on of their health data to third parties for profit. Meanwhile digital identity providers eye a global travel market as trials provide case study at Heathrow.

As certain U.S. states, typically Democrat, develop their own digital health passes to certify passengers to travel during the COVID-19 pandemic, there is still no federal system. At the same time, other states, typically Republican are banning such vaccine passports, reports Newsweek.

To allow travel to go ahead, airlines have developed their own software and digital non-profit The Commons Project Foundation has also created a digital health pass.

Newsweek reports issues with the privacy policies of these new apps, showing how passenger data – including health data – can be shared with third parties, possibly even for profit. Centralized databases with identity and health data — possibly including biometrics — held together could also be particularly vulnerable to attack especially if databases are designed to be read by multiple foreign governments for immigration purposes, according to the report.

State-level passes such as New York’s Excelsior Pass promise much stricter privacy policies, while the EU Digital COVID Certificate isolates user data to the platform, keeping it at arm’s length when a certificate is verified via human check or a QR code scan.

Alongside national, EU and airline schemes, private digital ID firms are working on health passes which could be scaled globally or at least iron out difficulties in health data sharing for global interoperability.

UK-based identity verification firm Yoti has been providing a biometric health pass service for Virgin Atlantic staff to log their test results and allow flight crew to attend shifts. The service is provided via Yoti’s digital identity app and the company’s CCO believes the experience of developing a system that can accept and share personal data allowed them to create a simple and secure.

Speaking to Business Travel News, Yoti’s John Abbott says, “delivering verified passenger testing and checks to open up travel on a global scale is a very different story. Technology is not the limiting factor. The ability for organizations to unite for globally accepted standards and interoperability is far from simple. This begins in the foundations of national health care systems and continues through to the processes used by every stakeholder in the journey.”

He adds that the additional checks of COVID-19 status at check in and immigration have blocked automated services, slowing systems down and that health data requirements may persist indefinitely like API data requirements following 9/11.

Health data, unlike APIs, is non-standardized and varies by country and held by different actors from airlines to national health systems. “Accessing health records is not straight forward and there is no defined standard for the payload and data format which is crucial for both sharing and verification,” says Abbott.

“A common set of standards for passengers, carriers and immigration authorities is essential and on a global scale.”

Abbott also states that airlines simply do not want to hold any further personal information on their passengers. The answer is for passengers to be able to “claim their health data and anchor that information to their identity”. Functionality for this is already built into his own company’s app. Virgin crew’s test data was submitted directly to the app which can be shared with authorities on arrival via a QR code.

Pre-travel trials at London’s Heathrow airport have proved that the combined sharing of health data and identity data can be handle quickly and securely through the biometric app. According to Abbott, this shows that self-service kiosks can be reintroduced, speeding passenger flow through airports.

This approach will require airlines to integrate an API into their platforms to share health data from an app of their choice. Abbott believes it is possible to align health data, airlines and third-party apps for travel and immigration, but that a huge amount of collaboration on standards is required.

Article Topics

airport biometrics  |  biometrics  |  border management  |  credentials  |  data protection  |  digital identity  |  health passes  |  identity verification  |  interoperability  |  privacy  |  standards  |  travel and tourism  |  Yoti