Scoping review of data privacy risks in COVID-19 apps with digital vaccination certifications
The goal was to review mobile apps with COVID-19 digital vaccination certificates between November 2022 and March 2023 and evaluate: (a) compliance with the WHO Proof of Vaccination Scenario requirements, (b) risk levels of app permissions using a Permission Accumulated Risk Score (PARS), and (c) re...
Main Authors: | Isca Amanda, Savannah Graffin, Maria Adela Grando |
---|---|
Format: | Article |
Language: | English |
Published: | SAGE Publishing 2024-03-01 |
Series: | Digital Health |
Online Access: | https://doi.org/10.1177/20552076241239171 |
_version_ | 1797257365793275904 |
---|---|
author | Isca Amanda; Savannah Graffin; Maria Adela Grando |
collection | DOAJ |
description | The goal was to review mobile apps with COVID-19 digital vaccination certificates between November 2022 and March 2023 and evaluate: (a) compliance with the WHO Proof of Vaccination Scenario requirements, (b) risk levels of app permissions using a Permission Accumulated Risk Score (PARS), and (c) readability and transparency of the apps' privacy policies using a Privacy Transparency Index (PTI) score. We found 49 mobile apps with COVID-19 digital vaccination certificates from across 32 countries. Most apps were developed by governments (37/49, 75.51%). We discovered a high positive correlation between the country-wide app total installs and the people vaccinated with at least one dose in the country (r = 0.93, P < .001). Most apps (97.96%) had sources of information available for compliance with WHO Proof of Vaccination Scenario requirements. Only two apps included all the required data items, while most apps (75%) included five or more of the nine data items. We found that most (97.96%) apps had a Google Play link to generate the Exodus platform permission report, and most (95.92%) apps had an associated privacy policy available. We identified 80 unique permissions; some (23.75%) were dangerous or special. We also found 28 types of trackers. The average PARS was 28.58 (IQR 23.25, range 15–38.25). Most of the apps’ privacy policy documents were difficult or very difficult to read (median grade level 14, IQR 2.6, range 13–15.6). The average PTI was 50.43 (SD 14.73; range 22.5–75). In conclusion, higher compliance with the WHO Proof of Vaccination Scenario requirements is desirable to support interoperability. Developers should limit the number of permissions to essential needs and disclose their purpose. Developers should write privacy policies that a wider audience can understand. |
first_indexed | 2024-04-24T22:36:29Z |
format | Article |
id | doaj.art-0d0219ee14224a51b883c1c67b3e3d00 |
institution | Directory Open Access Journal |
issn | 2055-2076 |
language | English |
last_indexed | 2024-04-24T22:36:29Z |
publishDate | 2024-03-01 |
publisher | SAGE Publishing |
record_format | Article |
series | Digital Health |
title | Scoping review of data privacy risks in COVID-19 apps with digital vaccination certifications |
url | https://doi.org/10.1177/20552076241239171 |