Scoping review of data privacy risks in COVID-19 apps with digital vaccination certifications

The goal was to review mobile apps with COVID-19 digital vaccination certificates between November 2022 and March 2023 and evaluate: (a) compliance with the WHO Proof of Vaccination Scenario requirements, (b) risk levels of app permissions using a Permission Accumulated Risk Score (PARS), and (c) re...

Bibliographic Details
Main Authors: Isca Amanda, Savannah Graffin, Maria Adela Grando
Format: Article
Language: English
Published: SAGE Publishing 2024-03-01
Series: Digital Health
Online Access: https://doi.org/10.1177/20552076241239171
Description: The goal was to review mobile apps with COVID-19 digital vaccination certificates between November 2022 and March 2023 and evaluate: (a) compliance with the WHO Proof of Vaccination Scenario requirements, (b) risk levels of app permissions using a Permission Accumulated Risk Score (PARS), and (c) readability and transparency of the app's privacy policies using a Privacy Transparency Index (PTI) score. We found 49 mobile apps with COVID-19 digital vaccination certificates from across 32 countries. Most apps were developed by governments (37/49, 75.51%). We discovered a high positive correlation between the country-wide app total installs and the people vaccinated with at least one dose in the country (r = 0.93, P = <.001). Most apps (97.96%) had sources of information available for compliance with WHO Proof of Vaccination Scenario requirements. Only two apps included all the required data items, while most apps (75%) included five or more of the nine data items. We found that most (97.96%) apps had a Google Play link to generate the Exodus platform permission report, and most (95.92%) apps had an associated privacy policy available. We identified 80 unique permissions; some (23.75%) were dangerous or special. We also found 28 types of trackers. The average PARS was 28.58 (IQR 23.25, range 15–38.25). Most of the apps' privacy policy documents were difficult or very difficult to read (median grade level 14, IQR 2.6, range 13–15.6). The average PTI was 50.43 (SD 14.73; range 22.5–75). In conclusion, higher compliance with the WHO Proof of Vaccination Scenario requirements is desirable to support interoperability. Developers should limit the number of permissions for essential needs and disclose their purpose. Developers should write privacy policies that a wider audience can understand.
ISSN: 2055-2076
Record ID: doaj.art-0d0219ee14224a51b883c1c67b3e3d00
Institution: Directory Open Access Journal
First indexed: 2024-04-24T22:36:29Z
Last indexed: 2024-04-24T22:36:29Z