Private vaccine verification app Portpass sparks privacy, security concerns
Sun., September 26, 2021
A screengrab from the Portpass website. The Calgary-based COVID-19 vaccine verification app is being criticized over concerns it may not protect user information or accurately verify vaccination status. (Portpass.ca - image credit)More
Private proof-of-vaccination app Portpass may be easy to manipulate with fake vaccine records and may not securely protect users' personal information, experts say.
The Calgary-based company has said it has more than 500,000 users across Canada registered for its app, which is touted as a way to store and share vaccine records and COVID-19 test results.
The Calgary Sports and Entertainment Corporation (CSEC) has recommended the app for getting into NHL and CFL games in the city. Alberta currently does not have a proof-of-vaccination app, but the government has said it plans to create a QR code.
Conrad Yeung, a local web developer, said he was curious about the Portpass app after reading an article about it. But shortly after downloading the app, he noticed an issue when it asked him to upload his photo ID.
Yeung said he uploaded a random photo of a mayoral candidate in Calgary "just to see if the app would let me."
"It let me upload a random photo for my driver's licence," he said. "And then I was like, you know what? There's probably something sketchy here so I'm just going to upload fake stuff and see what happens."
Yeung made a fake vaccination record with an actor's name and the app verified it as legitimate.
There's a lot of questions when it comes to these types of apps … who has access to it? Can it be manipulated? Is it secure?" - Ritesh Kotak, cybersecurity analyst
That prompted the web developer to take a closer look. He noticed the website does not appear to validate security certificates and has a backend that can easily be accessed by members of the public — making its data potentially vulnerable to hackers.
He also noticed some details that seem to refute statements on the app's website.
Portpass says its data is housed in Canada, but Yeung pointed out it actually appears to be hosted out of an Amazon data centre in Ohio.
The app claims to use AI and blockchain to verify records and keep data secure, but Yeung didn't find evidence of that at a quick glance at the site's backend — and he questions the claim based on the app's speedy verification of his false information.
The app also names a purported network of labs, pharmacies and health clinics called the Canadian Digital Health Network as a collaborator. However, the CDHN's main webpage links back to the Portpass website and other links on the CDHN website led to "404 page not found" messages on Sunday.
CBC News called Portpass founder and CEO Zakir Hussein on Sunday afternoon.
Hussein initially agreed to talk and said he had seen Yeung's Twitter posts expressing concerns about the app. But shortly into the recorded interview he ended the call mid-sentence, and then said in a followup call that he would speak with CBC before 6:30 p.m. MT that day to give his team time to look into the issues. Followup calls were not returned.
Portpass recommended by Calgary Flames
Portpass is recommended by the Calgary Sports and Entertainment Corporation as the preferred way to provide proof of vaccination for attendees at Calgary Flames hockey games at the Scotiabank Saddledome or Calgary Stampeders football games at McMahon Stadium.
CBC reached out to CSEC for comment but has yet to receive a response.
Those planning to attend Sunday's Flames game were told in advance that, "for the most efficient entry possible, all ticket holders should sign up and download Portpass and complete their COVID-19 proof of vaccination online or through the app."
But after Yeung publicly raised concerns and CBC called Portpass's CEO, multiple people reported that the app no longer appeared to be fully functioning — simply showing a grey screen and the words "undefined undefined" instead of a name on the vaccine verification screen.
At 5:17 p.m. MT, less than two hours before the hockey game's scheduled start, the company tweeted it was having "technical difficulties" and asked users to bring a printed vaccine record to the game instead.
Flames fan Mckenna Baird said he downloaded the app on the NHL team's recommendation, and when it wouldn't load he initially assumed it was an issue specific to his phone.
"Because the Portpass app is not working we're not able to get into the arena," Baird said as he waited outside the Saddledome on Sunday. "It's definitely upsetting.… Hopefully they'll get it sorted out."
Terri Trembath/CBC
Yeung is also worried about a call he received after he posted publicly about his concerns with the app and spoke with CBC.
He said later on Sunday evening he received a call from someone who identified themselves as a police officer and asked him about his "spam tweets."
Yeung asked the caller for their badge number, then called Calgary Police Service's non-emergency line to ask about the call. He said police told him that badge number doesn't exist. CBC has reached out to Calgary police for comment.
He said he'd like to know what due diligence was done by companies like CSEC, which have promoted the app.
"That's the most concerning part … you have somebody in a place of authority promoting something that is potentially unsafe and has privacy issues," Yeung said.
Cybersecurity tech analyst Ritesh Kotak said he agrees with those concerns.
"There's a lot of questions when it comes to these types of apps … who has access to it? Can it be manipulated? Is it secure?" Kotak said. "You're literally giving away so much personal information about yourself that can be used against you.… That's my word of caution when we just decide to arbitrarily give up our data to private corporations. What will they do with it? Who is accountable?"
Portpass.ca
Sharon Polsky, president of the Privacy and Access Council of Canada, said the app's privacy policy raises questions.
"Whether it's Portpass or any of these other apps, the privacy policies, and I say 'so-called privacy policies' … you look at them closely, there's some inconsistencies," she said.
"Portpass says the information is held in Canada … and that's great, except the very next sentence is 'we take appropriate steps to protect your personal data when it's transferred across borders.' Well, if it's scrubbed and it's held in Canada, what is there to transfer across borders?" Polsky said.
Polsky said that paper vaccine passports are more secure than apps, while Kotak suggested people only download apps approved or recommended by government agencies.
Alberta's current paper vaccine record has been criticized for being easy to edit, though falsifying a provincial health record is against the law.
Sun., September 26, 2021
A screengrab from the Portpass website. The Calgary-based COVID-19 vaccine verification app is being criticized over concerns it may not protect user information or accurately verify vaccination status. (Portpass.ca - image credit)More
Private proof-of-vaccination app Portpass may be easy to manipulate with fake vaccine records and may not securely protect users' personal information, experts say.
The Calgary-based company has said it has more than 500,000 users across Canada registered for its app, which is touted as a way to store and share vaccine records and COVID-19 test results.
The Calgary Sports and Entertainment Corporation (CSEC) has recommended the app for getting into NHL and CFL games in the city. Alberta currently does not have a proof-of-vaccination app, but the government has said it plans to create a QR code.
Conrad Yeung, a local web developer, said he was curious about the Portpass app after reading an article about it. But shortly after downloading the app, he noticed an issue when it asked him to upload his photo ID.
Yeung said he uploaded a random photo of a mayoral candidate in Calgary "just to see if the app would let me."
"It let me upload a random photo for my driver's licence," he said. "And then I was like, you know what? There's probably something sketchy here so I'm just going to upload fake stuff and see what happens."
Yeung made a fake vaccination record with an actor's name and the app verified it as legitimate.
There's a lot of questions when it comes to these types of apps … who has access to it? Can it be manipulated? Is it secure?" - Ritesh Kotak, cybersecurity analyst
That prompted the web developer to take a closer look. He noticed the website does not appear to validate security certificates and has a backend that can easily be accessed by members of the public — making its data potentially vulnerable to hackers.
He also noticed some details that seem to refute statements on the app's website.
Portpass says its data is housed in Canada, but Yeung pointed out it actually appears to be hosted out of an Amazon data centre in Ohio.
The app claims to use AI and blockchain to verify records and keep data secure, but Yeung didn't find evidence of that at a quick glance at the site's backend — and he questions the claim based on the app's speedy verification of his false information.
The app also names a purported network of labs, pharmacies and health clinics called the Canadian Digital Health Network as a collaborator. However, the CDHN's main webpage links back to the Portpass website and other links on the CDHN website led to "404 page not found" messages on Sunday.
CBC News called Portpass founder and CEO Zakir Hussein on Sunday afternoon.
Hussein initially agreed to talk and said he had seen Yeung's Twitter posts expressing concerns about the app. But shortly into the recorded interview he ended the call mid-sentence, and then said in a followup call that he would speak with CBC before 6:30 p.m. MT that day to give his team time to look into the issues. Followup calls were not returned.
Portpass recommended by Calgary Flames
Portpass is recommended by the Calgary Sports and Entertainment Corporation as the preferred way to provide proof of vaccination for attendees at Calgary Flames hockey games at the Scotiabank Saddledome or Calgary Stampeders football games at McMahon Stadium.
CBC reached out to CSEC for comment but has yet to receive a response.
Those planning to attend Sunday's Flames game were told in advance that, "for the most efficient entry possible, all ticket holders should sign up and download Portpass and complete their COVID-19 proof of vaccination online or through the app."
But after Yeung publicly raised concerns and CBC called Portpass's CEO, multiple people reported that the app no longer appeared to be fully functioning — simply showing a grey screen and the words "undefined undefined" instead of a name on the vaccine verification screen.
At 5:17 p.m. MT, less than two hours before the hockey game's scheduled start, the company tweeted it was having "technical difficulties" and asked users to bring a printed vaccine record to the game instead.
Flames fan Mckenna Baird said he downloaded the app on the NHL team's recommendation, and when it wouldn't load he initially assumed it was an issue specific to his phone.
"Because the Portpass app is not working we're not able to get into the arena," Baird said as he waited outside the Saddledome on Sunday. "It's definitely upsetting.… Hopefully they'll get it sorted out."
Terri Trembath/CBC
Yeung is also worried about a call he received after he posted publicly about his concerns with the app and spoke with CBC.
He said later on Sunday evening he received a call from someone who identified themselves as a police officer and asked him about his "spam tweets."
Yeung asked the caller for their badge number, then called Calgary Police Service's non-emergency line to ask about the call. He said police told him that badge number doesn't exist. CBC has reached out to Calgary police for comment.
He said he'd like to know what due diligence was done by companies like CSEC, which have promoted the app.
"That's the most concerning part … you have somebody in a place of authority promoting something that is potentially unsafe and has privacy issues," Yeung said.
Cybersecurity tech analyst Ritesh Kotak said he agrees with those concerns.
"There's a lot of questions when it comes to these types of apps … who has access to it? Can it be manipulated? Is it secure?" Kotak said. "You're literally giving away so much personal information about yourself that can be used against you.… That's my word of caution when we just decide to arbitrarily give up our data to private corporations. What will they do with it? Who is accountable?"
Portpass.ca
Sharon Polsky, president of the Privacy and Access Council of Canada, said the app's privacy policy raises questions.
"Whether it's Portpass or any of these other apps, the privacy policies, and I say 'so-called privacy policies' … you look at them closely, there's some inconsistencies," she said.
"Portpass says the information is held in Canada … and that's great, except the very next sentence is 'we take appropriate steps to protect your personal data when it's transferred across borders.' Well, if it's scrubbed and it's held in Canada, what is there to transfer across borders?" Polsky said.
Polsky said that paper vaccine passports are more secure than apps, while Kotak suggested people only download apps approved or recommended by government agencies.
Alberta's current paper vaccine record has been criticized for being easy to edit, though falsifying a provincial health record is against the law.
No comments:
Post a Comment