Privacy and Security Analysis of the IATA Travel Pass Explained

On April 13, the Citizen Lab published an analysis of the IATA Travel Pass. In this post, we discuss the significance of the report’s findings.

What are the main technical and policy findings of this report?

The registration process of the IATA Travel Pass (ITP) is flawed. The flaw allows an attacker to create an ITP account impersonating any person, while only needing the victim’s passport details, but not the passport itself. This flaw is currently circumvented by requiring users to present their physical passports whenever an ITP account is being authenticated at a physical location.

ITP utilizes a blockchain-based technology “Sovrin” to verify the validity and authenticity of user-supplied digital COVID-19 test reports. Sovrin provides a way for entities to issue unforgeable digital proofs, and a way to independently verify them. However, in ITP, most if not all issuers (COVID-19 testing laboratories) rely on the same cloud-based web application centrally managed by Evernym, a provider of Sovrin technologies. With this design, it is technically possible for Evernym to issue valid digital proofs in the name of the laboratories without their knowledge. This is one of the flaws that we show, in which the ITP system design nullifies the advantages brought by Sovrin, a decentralized blockchain system.

This report reveals a vulnerability in the IATA Travel Pass app that is the result of an intentional design decision. Does this mean the developers didn’t foresee this issue? Or was convenience prioritized over security?

From our correspondence with IATA, it appears that they were aware of this issue when making the decision.

The developers were faced with two options, each with different drawbacks:

  1. Sending user information (passport details and liveness test captures) to the server for verification gives trustworthy verification results, since the user cannot interfere with the verification process. However, this means that the server has to process highly sensitive user information, which increases the impact of a data breach.
  2. Verifying user information on the phone itself makes it much easier for the user to interfere with the process and produce a forged result, as we have demonstrated. Since the result cannot be trusted, verifiers have to rely on other sources for verification instead. IATA stated that physical passports are currently required to verify user identity at COVID-19 testing laboratories. Checking physical passports is of course secure, but it also eliminates the need for digital passports, because both are intended to serve the same purpose (authenticating user identity).

As we have shown, the developer chose the second option.

ITP uses blockchain technology but part of the verification process is outsourced to a single provider, seemingly nullifying the benefits of a decentralized system. What challenges does this present?

Sovrin, which is a decentralized blockchain ecosystem, allows entities to issue, transmit, and validate digital proofs, without needing any centralized authority. Compared to centralized ecosystems (such as mainstream social networking websites), a decentralized system tends to be more resilient against cyber attacks and network outages, because there is no single point of failure. Failures (such as outages and data breaches) only affect the node (entity) itself, but not the others. Decentralized systems are also less prone to surveillance because surveilling a single node would not yield data of the others.

In a decentralized system, entities have to keep operation and maintenance in their own hands, because outsourcing operation and maintenance also gives away control, which defeats the purpose of decentralization. This is one of the issues our research has shown with ITP.

The decision to outsource operation and maintenance of laboratory systems was likely driven by resource constraints, as a single laboratory would have far less information technology capability than a technical service provider. A single technical service provider operating systems for multiple laboratories is also likely to bear a lower overall cost than each laboratory operating its own systems.

This dilemma presents a challenge in choosing between decentralized and centralized system architectures. A centralized system consolidates control and responsibility in a central authority, which can leverage economies of scale to operate an efficient system while keeping operational costs low for most users. A decentralized system distributes control and responsibility to each participant. While no participant has to rely on a central authority, each participant must now bear more responsibility. Weighing these pros and cons is a central challenge when choosing between decentralized and centralized system design.

ITP’s system design is a hybrid. Its current low-level system architecture is decentralized; however, it is encapsulated by a centralized high-level interface. If operated through the centralized interface (which is currently true for most cases), the system possesses the same set of security and privacy properties as conventional centralized systems.

What implications does this report have for travellers using IATA Travel Pass?

The “digital passport” feature of ITP is only intended to be used when registering with laboratories, and not as a replacement for physical passports. When registering with laboratories, physical passports have to be cross-checked against the digital passport, because ITP’s system design flaw allows digital passports to be issued without possession of the physical counterpart.

Travellers might already expect their passport data to be shared with laboratories, because the app shows a consent form. They might also expect their data to be processed by the laboratories’ technical provider. However, they might not have expected that the laboratories’ technical provider, Evernym, is also in charge of the development of the ITP app, and is a contractor of IATA. These relationships create trust issues, as it is technically possible for IATA to demand user passport data from Evernym.

What implications does this report have for companies looking to adopt, or that have already adopted, the IATA Travel Pass?

Despite utilizing a decentralized blockchain technology, Sovrin, under its hood, ITP implemented a centralized interface to encapsulate Sovrin. This centralized interface is used by laboratories. If operated through the centralized interface, the system possesses the same set of security and privacy properties as conventional centralized systems.

Instead of the laboratories, Evernym actually has the ultimate control to issue COVID-19 test reports, because laboratories delegate their private issuer keys to Evernym for easy management.

The software for issuing and for verifying digital COVID-19 test results is implemented by the same vendor, Evernym. This creates a conflict of interest, because Evernym now has to make sure all digital test results are issued properly (i.e., that the software does not leak private issuer keys and that results are issued only on the instruction of laboratories), while also being the entity that produces the software used to scrutinize whether the issued results are trustworthy.
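To make the key-delegation problem from the two preceding paragraphs concrete, here is an added illustration (not code from the report, from ITP or from Evernym) of a Sovrin-style signed credential. It assumes a simplified model: the laboratory's issuer key pair is generated and the private half is handed to a custodian, a relying party knows only the lab's public key, and the lab keeps its own log of which issuances it actually instructed. The relying party cannot tell a lab-instructed credential from one the custodian issued on its own; only the lab's reconciliation against its log can.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Credential stands in for a Sovrin-style verifiable credential:
// a payload plus the issuer's signature over it.
type Credential struct {
	Payload []byte
	Sig     []byte
}

// Lab is the nominal issuer; Instructed is its private record of what it asked to be signed.
type Lab struct {
	Pub        ed25519.PublicKey
	Instructed map[string]bool
}

// Custodian holds the lab's private issuer key on its behalf and signs
// whatever payload it is handed, whether or not the lab asked for it.
type Custodian struct{ priv ed25519.PrivateKey }

// NewLabWithCustodian models the delegation: the private key goes to the custodian, not the lab.
func NewLabWithCustodian() (*Lab, *Custodian) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Lab{Pub: pub, Instructed: map[string]bool{}}, &Custodian{priv: priv}
}

// Issue signs on the lab's behalf; only the lab's log can say whether it was asked.
func (c *Custodian) Issue(payload []byte) Credential {
	return Credential{Payload: payload, Sig: ed25519.Sign(c.priv, payload)}
}

// Verify is all a relying party can do: check the signature under the lab's key.
// It cannot distinguish a lab-instructed credential from one the custodian issued alone.
func Verify(pub ed25519.PublicKey, c Credential) bool {
	return ed25519.Verify(pub, c.Payload, c.Sig)
}

// Reconcile is the lab's own detective control: a credential that verifies
// under its key but is absent from its instruction log was issued without its knowledge.
func (l *Lab) Reconcile(c Credential) (valid, instructed bool) {
	return Verify(l.Pub, c), l.Instructed[string(c.Payload)]
}
```

A laboratory that retains its own signing key, or at least an independent log it reconciles against the credentials it sees in the field, keeps the decentralization property the page says is lost here.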

The digital passport produced with ITP is not guaranteed to bear the same information as the physical counterpart that it was derived from. A digital passport could also be produced with arbitrary data, without needing a physical passport at all, because of ITP’s design flaw. The digital passport should be treated as an unverified copy of its physical counterpart.