The Portpass private proof of vaccination application can be easy to manipulate with fake vaccination records and may not securely protect users’ personal information, experts say.
The Calgary-based company said it has more than 500,000 users across Canada registered for its app, which is touted as a way to store and share vaccine records and COVID-19 test results.
The Calgary Sports and Entertainment Corporation (CSEC) has recommended the app for participating in NHL and CFL games in the city. Alberta currently does not have a proof of vaccination application, but the government has announced plans to create a QR code.
Conrad Yeung, a local web developer, said he’s curious about the Portpass app after reading an article about it. But shortly after downloading the app, he noticed a problem when he asked him to upload his photo ID.
Yeung said he uploaded a random photo of a Calgary mayoral candidate “just to see if the app would allow me.”
âIt allowed me to upload a random photo for my driver’s license,â he said. “And then I was like, you know what? There’s probably something fishy here, so I’m just going to upload some fake stuff and see what happens.”
Yeung made a fake vaccination record with an actor’s name and the app verified it as legitimate.
There are a lot of questions when it comes to these types of applicationsâ¦ who has access to them? Can it be manipulated? Is it secure? “– Ritesh Kotak, cybersecurity analyst
This made the web developer take a closer look. He noticed that the website does not appear to validate security certificates and has a backend that is easily accessible to members of the public, making its data potentially vulnerable to hackers.
He also noticed some details that seem to refute the claims on the app’s website.
Portpass says its data is hosted in Canada, but Yeung pointed out that it actually appears to be hosted in an Amazon data center in Ohio.
The app claims to use AI and blockchain to verify records and secure data, but Yeung couldn’t find proof of this with a quick glance at the site’s backend – and he questions the assertion on the basis of rapid verification by the application of its false information.
The app also names an alleged network of labs, pharmacies and health clinics called the Canadian Digital Health Network as a collaborator. However, links from the main CDHN web page to the Portpass website and other links on the CDHN website led to “404 page not found” messages on Sunday.
CBC News called Portpass founder and CEO Zakir Hussein on Sunday afternoon.
Hussein initially agreed to speak and said he saw Yeung’s Twitter messages expressing concerns about the app. But shortly after the taped interview began, he ended the call mid-sentence and then said on a follow-up call that he would speak to CBC before 6:30 p.m. MT that day. there to give his team time to examine the problems. Follow-up calls were not returned.
Calgary Flames recommended passport
Portpass is recommended by the Calgary Sports and Entertainment Corporation (CSEC) as the preferred method of providing proof of vaccination for participants in Calgary Flames hockey games at the Scotiabank Saddledome or Calgary Stampeders football games at McMahon Stadium.
CBC has contacted CSEC for comment, but has yet to receive a response.
Those planning to attend Sunday’s Flames game were advised in advance that, “for the most efficient entry possible, all ticket holders must register and download Passport and complete their COVID-19 vaccination proof online or through the app. “
But after Yeung publicly voiced his concerns and CBC called the CEO of Portpass, several people reported that the app no ââlonger appeared to be working fully – simply showing a gray screen and the words “undefined undefined” in the place a name on the vaccine verification screen.
At 5:17 p.m. MT, less than two hours before the scheduled start of the hockey game, the company tweeted that it had “technical difficultiesand asked users to bring a printed vaccine record to the game instead.
Flames fan Mckenna Baird said he downloaded the app on the recommendation of the NHL team and when it didn’t load he initially assumed it was a specific problem with his phone.
âBecause the Portpass app isn’t working, we can’t enter the arena,â Baird said as he waited outside the Saddledome on Sunday. “It’s really upsetting … I hope they get through this.”
Yeung is also concerned about a call he received after publicly posting his concerns about the app and speaking to CBC.
He said later Sunday evening that he received a call from someone who identified himself as a police officer and asked him about his “spam tweets.”
Yeung asked the caller for his badge number, then called the Calgary Police Department’s non-emergency line to inquire about the call. He said the police told him the badge number does not exist. CBC has contacted Calgary Police for comment.
He said he would like to know what due diligence has been done by companies like CBSC, who have been promoting the app.
âThis is the most concerning partâ¦ you have someone in a position of authority to promote something that is potentially dangerous and has privacy concerns,â Yeung said.
Technical cybersecurity analyst Ritesh Kotak said he agreed with those concerns.
âThere are a lot of questions about these types of applicationsâ¦ who has access to them? Can it be manipulated? Is it secure? Kotak said. âYou are literally giving away so much personal information about yourself that can be used against youâ¦ This is my caveat when we simply decide to arbitrarily hand over our data to private companies. What are they going to do with it? Who is responsible ?”
âWhether it’s Portpass or one of those other apps, the privacy policies, and I say ‘the so-called privacy policies’â¦ you look at them closely, there are inconsistencies,â she said. declared.
âPortpass says the information is held in Canadaâ¦ and that’s fine, except the next sentence isâ we take appropriate steps to protect your personal data as it is transferred across borders. âWell, yes. it’s cleaned up and it’s being held in Canada, what’s to transfer across borders? âPolsky said.
Polsky said paper vaccine passports are more secure than apps, while Kotak suggested people download only apps approved or recommended by government agencies.
Alberta’s current paper vaccination record has been criticized for being easy to edit, although tampering with a provincial health record is against the law.