Private vaccine verification app Portpass sparks privacy, security concerns - Action News
Home WebMail Friday, November 22, 2024, 08:20 AM | Calgary | -12.0°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Calgary

Private vaccine verification app Portpass sparks privacy, security concerns

Private proof-of-vaccination app Portpass may be easy to manipulate with fake vaccine records and may not securely protect users' personal information, experts say.

App began experiencing 'technical difficulties' shortly after CBC called the company on Sunday

A screengrab from the Portpass website. The Calgary-based COVID-19 vaccine verification app is being criticized over concerns it may not protect user information or accurately verify vaccination status. (Portpass.ca)

Read the latest on this story:Portpass app may have exposed hundreds of thousands of users' personal data


Private proof-of-vaccination app Portpass may be easy to manipulate with fake vaccine records and may not securely protect users' personal information, experts say.

The Calgary-based companyhas said it has more than 500,000 users across Canada registered for its app,which is touted as a way to store and share vaccine records and COVID-19 test results.

TheCalgary Sports and Entertainment Corporation (CSEC) has recommended the appfor getting into NHL and CFL games in the city. Alberta currently does not have a proof-of-vaccination app, but the government has said it plans to create a QR code.

Conrad Yeung, a local web developer, said he was curious about the Portpass app after reading an article about it. Butshortly after downloading the app, he noticed an issue when it asked him to upload his photo ID.

Yeung said he uploaded a random photo of a mayoral candidate in Calgary"just to see if the app would let me."

"It let me upload a random photo for my driver's licence," he said. "And then I was like, you know what? There's probably something sketchy here so I'm just going to upload fake stuff and see what happens."

Yeungmade a fake vaccination record with an actor's nameand the app verified it as legitimate.

There's a lot of questions when it comes to these types of apps who has access to it? Can it be manipulated? Is it secure?"- Ritesh Kotak, cybersecurity analyst

That prompted the web developer to take a closer look. He noticed the website does not appear to validate security certificates and has a backend that can easily be accessed by members of the public making its data potentially vulnerable to hackers.

He also noticed some details that seem to refute statements on the app's website.

Portpass says its data is housed in Canada, but Yeung pointed outit actually appears to be hosted out of an Amazon data centre in Ohio.

The app claims to use AI and blockchain to verify records and keep data secure, but Yeung didn't find evidence of that at a quick glance at the site's backend and he questions the claimbased on the app's speedy verification of his false information.

The app also names a purported network of labs, pharmacies and health clinics called the Canadian Digital Health Network as a collaborator. However, the CDHN's main webpagelinks back to the Portpass website and other links on the CDHN website ledto "404 page not found" messages on Sunday.

CBC News called Portpass founder and CEO Zakir Hussein on Sunday afternoon.

Hussein initially agreed to talk and said he had seen Yeung's Twitter postsexpressing concerns about the app.But shortly into the recorded interview he endedthe call mid-sentence, and then said in a followup call that he would speak with CBCbefore 6:30 p.m. MT that day to give his team time to look into the issues.Followup calls were not returned.

Portpass recommended by Calgary Flames

Portpass is recommended by the Calgary Sports and Entertainment Corporationas the preferred way to provide proof of vaccination for attendees atCalgary Flames hockey games at the Scotiabank Saddledome or Calgary Stampeders football games at McMahon Stadium.

CBC reached out to CSEC for commentbut has yet to receive a response.

Those planning to attend Sunday's Flames gamewere told in advance that, "for the most efficient entry possible, all ticket holders should sign up and downloadPortpassand complete their COVID-19 proof of vaccination online or through the app."

But after Yeung publicly raised concerns and CBC called Portpass'sCEO,multiple people reported that the app no longer appeared to be fully functioning simply showing a grey screen and the words "undefined undefined" instead of a name on the vaccine verification screen.

At 5:17 p.m. MT, less than two hours before the hockey game's scheduled start, the company tweetedit was having "technical difficulties" and asked users to bring a printed vaccine record to the game instead.

Flames fanMckenna Baird said he downloaded the app on the NHL team's recommendation, and when it wouldn't load he initially assumed it was an issue specific to his phone.

"Because the Portpass app is not working we're not able to get into the arena," Baird said as he waited outside the Saddledome on Sunday. "It's definitely upsetting. Hopefully they'll get it sorted out."

Calgary Flames fans head into Sunday's pre-season game at the Scotiabank Saddledome. Some ticket holders were looking for another way to present proof-of-vaccination, after the Portpass app experienced 'technical difficulties.' (Terri Trembath/CBC)

Yeung is also worried about acall he received after he posted publicly about his concerns with the app and spoke with CBC.

He said later on Sunday evening he received a call from someone who identified themselvesas a police officer and asked him about his "spam tweets."

Yeung asked the caller for their badge number, then called Calgary Police Service's non-emergency line to ask about the call. He said police told him that badge number doesn't exist. CBC has reached out to Calgary policefor comment.

He said he'd like to know what due diligence was done by companies like CSEC, whichhave promoted the app.

"That's the most concerning part you have somebody in a place of authority promoting something that is potentially unsafe and has privacy issues," Yeungsaid.

Cybersecurity tech analyst Ritesh Kotaksaid he agrees with those concerns.

"There's a lot of questions when it comes to these types of apps who has access to it? Can it be manipulated? Is it secure?" Kotak said. "You're literally giving away so much personal information about yourself that canbe used against you.That'smyword of caution when we just decide to arbitrarily give up our data to private corporations. What will they do with it? Who is accountable?"

Users attempting to access their Portpass vaccine record on Sunday evening were met with the screen above. The company said it was experiencing technical difficulties. (Portpass.ca)

Sharon Polsky, president of the Privacy and Access Council of Canada, saidthe app's privacy policy raises questions.

"Whether it's Portpass or any of these other apps, the privacy policies, and I say 'so-called privacy policies' you look at them closely, there's some inconsistencies," she said.

"Portpass says the information is held in Canada and that's great, except the very next sentence is 'we take appropriate steps to protect your personal data when it's transferred across borders.' Well, if it's scrubbed and it's held in Canada, what is there to transfer across borders?" Polsky said.

Polsky said that paper vaccine passports are more secure than apps, whileKotak suggested people only download apps approved or recommended by government agencies.

Alberta's current paper vaccine record has been criticized for being easy to edit,though falsifying a provincial health record is against the law.

With files from Terri Trembath