Names, birthdays, jab records, and more got shared with the private sector through the app.
The recently introduced Scottish vaccination passport app was caught leaking personal information of its users to a long list of private companies – of which Amazon, Microsoft, and Royal Mail are probably the most famous ones.
In an attempt to create a safer health environment for its citizens, the Scottish National Health Service (NHS) released its first COVID status app, also known as COVID Passport. The app was designed to show the vaccination status of its users and limit the contact between vaccinated and non-vaccinated citizens.
Their efforts, however, ricocheted in the first week of operation. Aside from creating irreversible losses to the hospitality sector, the enforcement of Scotland's vaccination passport app has now raised major privacy concerns.
The public trust is broken, and it will be very difficult for the project to bounce back from this situation.
How was the vaccine passport supposed to work
The government announced its vaccine passport scheme on October 1st, with a 17-day grace period until its full enforcement on October 18th. The idea was to ease the upcoming and potentially difficult winter.
A government spokesperson said that this was a well-balanced measure that should allow the hospitality business to keep going while at the same time encouraging more people to get vaccinated.
Delusions of grandeur?
The goal was to create a solution in the hospitality field that would allow the business to make enough revenue to get through the winter, but in a safer environment.
The vaccination passport app allows anyone vaccinated twice, and older than 12, to download and print the certificate with a QR code that confirms their status. The government scheme obliged everyone above 18 to show – if asked – their vaccination certificates when joining night venues such as clubs, specific indoor entertainment venues, or outdoor events with over 10,000 people.
When reality strikes
What was planned as a win-win arrangement soon turned into an unmitigated disaster. A concerningly high number of staff reports showed bullying and abuse by unhappy customers over the rejections they faced. Many of them also claimed that the overall atmosphere had changed due to long queuing.
The last straw was when the it was revealed the vaccination passport was sharing personal data with Microsoft, Royal Mail, and Amazon.
Later, it was discovered that the app reveals users' personal data – sharing it with Microsoft Azure, Royal Mail, Amazon Web Services, CFH Docmail, the Gov.uk Notify Service, iProov, Jumio, NetCompany, and Albasoft.
Upon these discoveries, Head of Policy and Campaigns at Liberty, Sam Grant expressed his opinion that this only further deepens the (already existing) concerns that citizens have regarding the COVID passport.
It's extremely concerning that, in doing so, data has been shared with third parties without people having the option to opt-out or without even being made aware that this is happening.
Scottish Liberal Democrats leader Alex Cole-Hamilton reminded that every person has the right to medical privacy and added that:
Nobody should ever have to provide part of their medical history to a bouncer or a series of private companies. That is just simply absurd.
What followed was a swarm of frustrated posts all over Twitter. Scots took the whole thing to social media, making sure that their voices were heard. Considering that some of their basic privacy rights have been violated in what was supposed to be a safe health measure, the disappointment and anger are completely understandable.
Rebuilding trust in COVID apps
While the members of the opposition and civil liberty campaigners remain enraged, the government stated that, even though some information is shared, not every company will have access to sensitive data.
Unconvincing as this statement is, it had little to no effect on the public, which continues to express their rage and dissatisfaction. It'll be hard, if not impossible, to rebuild the trust in people who are already exhausted from the pandemic, opposing opinions, and apps that are using the chaotic situation for privacy intrusions and ultimately profit.
This is far from being the only known COVID app fiasco in the world. Different COVID apps around the globe have already gained the reputation of privacy nightmares. Among them, the Gulf COVID apps like Bahrenian BeAware, Qatari ENTERAZ, and Kuwaiti Shlonik are among the most intrusive ones.
These apps use Bluetooth and GPS technologies to track the COVID-19 cases in real-time, making the phones extremely prone to malware and other forms of cyber-attacks. On top of that, the app's system designs are highly intrusive, asking for permission to access most of the private files on your phone (including camera and photo albums) and it won't work without that. Finally, the governments made these apps compulsory, forbidding everyone to leave their homes without turning them on – or else they could face heavy fines and even jail time.
Unfortunately, we live in a time when it's very difficult to draw the line between technological advancements, gadgets, and software that are here to protect us or improve our quality of life and those that are achieving the opposite. It's up to us to challenge governing bodies and private corporations to keep making improvements in the privacy field. Without that, our skepticism towards new apps will only grow, while our privacy rights continue to suffer, and complete digital freedom remains just a myth.