Serious privacy and security concerns raised about the Portpass vaccine verification app


The Portpass private proof of vaccination application can be easy to manipulate with fake vaccination records and may not securely protect users’ personal information, experts say.

The Calgary-based company said it has more than 500,000 users across Canada registered for its app, which is touted as a way to store and share vaccine records and COVID-19 test results.

Conrad Yeung, a local web developer, said he was curious about the app after reading an article about it. But shortly after downloading the app, he noticed a problem.

“He asked me to upload my photo ID… I literally uploaded a random photo of a mayoral candidate here in Calgary just to see if the app would allow me,” he said. “It allowed me to upload a random photo for my driver’s license. And then I was like, you know what? There’s probably something fishy here, so I’m just going to upload some fake stuff and see this. that is happening.”

Yeung made a fake vaccination record with an actor’s name and the app verified it as legitimate.

“There are a lot of questions when it comes to these types of applications… who has access to them? Can it be manipulated? Is it secure?” – Ritesh Kotak, cybersecurity analyst

This made the web developer take a closer look. He noticed that the website does not appear to validate security certificates and has a backend that is easily accessible to members of the public, making its data potentially vulnerable to hackers.

He also noticed some details that seem to refute the claims on the app’s website.

Portpass says its data is hosted in Canada, but Yeung pointed out that it actually appears to be hosted in an Amazon data center in Ohio.

The app claims to use AI and blockchain to verify records and secure data, but Yeung couldn’t find proof of this with a quick glance at the site’s backend, and he questions the claim given how rapidly the application verified his false information.

The app also names an alleged network of labs, pharmacies and health clinics called the Canadian Digital Health Network as a collaborator. However, links from the main CDHN web page to the Portpass website and other links on the CDHN website led to “404 page not found” messages on Sunday.

CBC News called Portpass founder and CEO Zakir Hussein on Sunday afternoon.

Hussein initially agreed to speak and said he saw Yeung’s Twitter messages expressing concerns about the app. But shortly after the taped interview, he ended the call in the middle of a sentence and then said on a follow-up call that he would speak to CBC before 6:30 p.m. MT that day, to give his team time to look at issues. Follow-up calls were not returned.

Calgary Flames recommended Portpass

Portpass is recommended by the Calgary Sports and Entertainment Corporation as the preferred method of providing proof of vaccination for participants in Calgary Flames hockey games at the Scotiabank Saddledome or Calgary Stampeders football games at McMahon Stadium.

CBC has contacted CSEC for comment, but has yet to receive a response.

Those planning to attend Sunday’s Flames game were advised in advance that, “for the most efficient entry possible, all ticket holders must register and download Portpass and complete their COVID-19 vaccination proof online or through the app.”

But after Yeung publicly voiced his concerns and CBC called the CEO of Portpass, several people reported that the app no longer appeared to be working fully, simply showing a gray screen and the words “undefined undefined” in place of a name on the vaccine verification screen.

At 5:17 p.m. MT, less than two hours before the scheduled start of the hockey game, the company tweeted that it had “technical difficulties” and asked users to bring a printed vaccine record to the game instead.

Flames fan Mckenna Baird said he downloaded the app on the recommendation of the NHL team and when it didn’t load he initially assumed it was a specific problem with his phone.

“Because the Portpass app isn’t working, we can’t enter the arena,” Baird said as he waited outside the Saddledome on Sunday. “This is really upsetting… I hope they will sort this out.”

Calgary Flames fans will head to Sunday’s preseason game at the Scotiabank Saddledome. Some ticket holders were looking for another way to show proof of vaccination, after the Portpass app encountered “technical difficulties”. (Terri Trembath / CBC)

Yeung said he would like to know what due diligence has been done by companies like CSEC that have been promoting the app.

“That’s the most worrying part… you have someone in a position of authority to promote something that is potentially dangerous and that poses privacy concerns,” he said.

Technical cybersecurity analyst Ritesh Kotak said he agreed with those concerns.

“There are a lot of questions about these types of applications… who has access to them? Can it be manipulated? Is it secure?” Kotak said. “You are literally giving away so much personal information about yourself that can be used against you… this is my caveat when we simply decide to arbitrarily hand over our data to private companies. What are they going to do with it? Who is responsible?”

Users attempting to access their Portpass vaccination record on Sunday evening encountered the screen above. The company said it was experiencing technical difficulties. (Portpass)

Sharon Polsky, president of the Canadian Privacy and Access Council, said the app’s privacy policy raises questions.

“Whether it’s Portpass or one of those other apps, the privacy policies, and I say ‘the so-called privacy policies’… you look at them closely, there are inconsistencies,” she said.

“Portpass says the information is held in Canada… and that’s fine, except the next sentence is ‘we take appropriate steps to protect your personal data as it is transferred across borders.’ Well, yes. It’s cleaned up and it’s being held in Canada, what’s to transfer across borders?” Polsky said.

Polsky pointed out that paper vaccine passports are more secure than apps, while Kotak suggested people download only apps approved or recommended by government agencies.

Alberta currently does not have a proof of vaccination application, but the government has announced plans to create a QR code. Its current paper vaccine record has been criticized for its ease of modification, although falsifying a provincial health record is against the law.
