In the wake of COVID-19, governments and companies around the world are seeking ways to maximize the safety and security of airline passengers, the staff of airlines and airports, and the broader population with which passengers interact. These efforts include requiring COVID-19 testing, vaccination, or immunization prior to authorizing individuals for flights. In addition to conventional paper-based systems, various digital solutions catering to this need have been developed by governments. For example, the European Union developed the EU Digital COVID Certificate, which stores and verifies COVID-19 statuses by QR codes; Daon, a US-based company, developed the mobile application VeriFLY; and the International Chamber of Commerce developed AOKPass.

The International Air Transport Association (IATA, a trade association of the world’s airlines) has developed IATA Travel Pass (ITP), a COVID-19 digital passport solution led by an international NGO. As of April 2021, close to 50 airlines had signed up to trial ITP. Citizen Lab researchers conducted a security and privacy audit of the application and found two vulnerabilities: an impersonation vulnerability with limited impact and a server information leak. They also found that ITP uses a non-conventional blockchain technology in a way that mostly neutralizes the benefits of the technology, resulting in a system whose security properties are fundamentally the same as those of conventional server-client systems. This core technology of the app is implemented by the company Evernym. This study adds to growing research on security and privacy issues with technologies and data privacy policies for tracking and managing COVID-19 information.
