Jordan
No matter how much people like to argue about the philosophy behind them, vaccine passports are a safe way to let Canadians who have done their jobs and gotten their shots have their lives back. Or at least they should be. One of the chief concerns from opponents of these passports, though, is privacy and security. This is, after all, your medical information; it should belong to nobody else. And whatever passport system a business or a government implements, both sides can agree that security is paramount. So when a number of organizations agree to promote a vaccine passport app that promises privacy and security, only for it to turn out to be riddled with holes, that doesn’t help much with winning the battle for public support of proof of vaccination. So how did this scenario come to pass for a Calgary-based company? What is Portpass and who is behind it? Who exposed its flaws, how many people’s records were vulnerable and what’s being done about it? And most importantly, because these verification apps are not going away, how can you make sure this doesn’t happen to your personal information?
I’m Jordan Heath-Rawlings. This is The Big Story. Sarah Rieger is a reporter for CBC Calgary. She broke the story about Portpass.
Hello, Sarah.
Sarah
Hi, Jordan.
Jordan
Why don’t you start by explaining just what is Portpass. Who made it and what does it do?
Sarah
For sure. So Portpass is a private proof of vaccination app. At the time it was made, the Alberta government didn’t have its own app for people to show to kind of demonstrate that they were vaccinated if they wanted to enter places like bars, restaurants. So some private companies were kind of jumping in to fill the gap. Basically, what happens when you sign up for Portpass is you implement some personal information, your name, your proof of vaccination as well as any test results you’ve had. If, for example, you need to prove that you’ve recently had a negative covid test.
Jordan
Do we know how extensively it’s being used currently, or how extensively it was being used, maybe, before Alberta’s own system came online?
Sarah
Portpass says that it’s being adopted quite widely, not just in Alberta but actually all across Canada. The company said that as of a few weeks ago, it had between 500,000 and 650,000 registered users. According to the company, it has a really wide user base. One of the reasons for that is it’s been promoted by a number of companies. One of those is the Calgary Sports and Entertainment Corporation, which owns both the Calgary Flames and the Calgary Stampeders. While it didn’t have a direct partnership with the app, it had kind of offered it as the choice way to get into hockey or football games.
Jordan
So over the past few weeks then, I guess, maybe just take me inside your reporting on this story. When did it become clear that something was maybe not right here, how did the story start?
Sarah
So in the last week of September, a local app developer named Conrad Yeung had heard about Portpass in different news reports, and he decided to take a look at it just to kind of see how it worked and test it out. Alberta’s proof of vaccination at the time was only a paper record, which had been criticized for being really easy to edit. It was essentially just an editable PDF. So what Conrad had done is he had edited one of these paper records and uploaded it to Portpass just to see if it would accept it as valid. And Conrad says it did. Not only that, but he uploaded a fake name and a fake photo for a driver’s license of an actor. And he said the app validated it. That’s something the company has disputed. But Conrad showed me a video that kind of showed him going through the process, and it at least showed up as validated on his phone.
That got him digging a little deeper, kind of looking at different things on the site. And he publicly raised some concerns, saying he wasn’t sure the app was as secure as it was saying. So once Conrad raised those concerns, I reached out to him to talk about it and to kind of get him to explain to me what he noticed. And then I reached out to the company to see what they had to say. And I got kind of a confusing response. That same day, there was a hockey game happening in Calgary, so a lot of people were downloading it.
I called the app’s founder, Zakir Hussein, shortly before the game, a couple of hours before. Initially he hung up on me. Then he said that he needed to take a look at these concerns and that he would call me back before the game started that night. But he didn’t return follow-up phone calls, and shortly after we got off the phone, the app started experiencing some issues. A lot of people who were trying to access it were finding just a gray screen and the words “unverified.” And the app said on social media that it was having technical difficulties, and it recommended that people find another way to prove vaccination for that night’s game.
Jordan
So in an ideal world, I shouldn’t even say in an ideal world, in a world where this app is functioning properly, what kind of verification process should there have been to prevent someone from uploading a fake photo and name?
Sarah
So the app says that it runs on artificial intelligence and blockchain. So it was saying it kind of had these high level, really technical ways of assessing that no fraudulent information was being put through. But the CEO wasn’t able to offer a lot of details on that for me. I asked, for example, how the artificial intelligence would be able to tell that a vaccine record was fake because it’s not actually tied to the government. So it’s not like, you know, it can just check on the back end to see if someone has actually been vaccinated through Alberta Health Services. The company says that the app was checking things like font size to be able to tell if those vaccine records were incorrect. But that’s also something that could be really, really easy to edit.
Jordan
And in terms of the information on this app, because it’s one thing for the app to allow for perhaps fraudulent name uploads or photo uploads. It’s another to protect the data of real people who have submitted their vaccination records. What do we know now about the back end security of this app where people’s health data is concerned?
Sarah
So on that Sunday, when I first spoke to the company and to Conrad, I also spoke to a privacy researcher. I guess maybe better to call her a privacy advocate, Sharon Polsky. She looked through the app’s privacy policy, and she said there were kind of some red flags for her. Inconsistencies about how the data was stored, how it was protected. And she said it’s important to question what private companies are actually doing with this information. Those questions became much clearer for me the next day.
So the day after I spoke with the company CEO and he denied flatly the allegations that Conrad had made about the app. He said there were no security issues, there were no verification issues, and he accused those of raising concerns about the app of attacking a private company that’s just trying to do a good thing here. But shortly after I spoke with him, though, I received a tip from someone who said they worked in the tech industry, and they had noticed kind of a glaring security issue on the site’s back end.
I’m not going to describe exactly how they showed me how to access it, because I really don’t want to make it easy in case there are other websites or other apps that have the same hole so people could easily access personal information. But essentially, what I was able to do is just by creating an account and looking at developer tools on any web browser, I could view people’s personal information that had been uploaded to the back end of the site. So when I’m talking about personal information, I mean, really personal info, stuff like people’s names, contact information, blood type, as well as photos of their ID documents, photos of driver’s licenses and passports. One of the issues with this is the app had said that people’s personal information was being encrypted and that it was being scrubbed from the server after it was being used for verification. But just by clicking around on this site for a bit, I realized that there were potentially thousands of people’s records that, you know, me, not a hacker, not a member of the app security team or anything was able to easily view.
Jordan
What happened when you showed that to Portpass and essentially said, ‘look’?
Sarah
So that was an interesting and a tough phone call. So I spent a little bit of time after I received that tip, kind of looking at it, you know, verifying what I was seeing. And then the first thing I did was I called the company and I told them I would hold off on printing an article about what I’d found, to give them some time to lock it down and to protect these people’s information. The company asked me not to publish an article on it. I told them it was in the public interest. Or at least that was my feeling. Looking at these people’s info, I felt people had to know that their information had been exposed. So that night the company locked down their website, locked down their app, and removed that information, and in the days since they’ve actually, I’m not sure if they did it themselves or if this has been a decision of the app stores, but the app has been removed from the Play Store and the Apple Store as well.
Jordan
What happened when you published your first story, and as you say, perhaps as many as half a million people realize that they handed over their critical information to an insecure application?
Sarah
People were pretty concerned. I heard from a lot of people who said they were frustrated, because they believed because this app had been recommended by major organizations that it was legitimate, and not saying that it necessarily wasn’t legitimate, but that there was clearly some sort of privacy or security flaw that allowed this information to be viewed. I still don’t know how this information was able to be accessed. Portpass has said it may have only been a few dozen people’s information that was made accessible. I know that’s not true based on what I personally was able to see, but they’ve also said that they believe they may have been hacked or that someone else maliciously exposed this.
But that still leaves a lot of people whose information was on the app with questions, and they say, the ones I’ve spoken with at least, say they haven’t been able to get answers about what’s happening with their data now or what kind of recourse they have.
Jordan
This might be a dumb question, but where does the law come into play on this? I know vaccine passports are a very new thing, at least the electronic kind. At what point do companies who are taking this information from people, what obligations do they have to keep it secure, if any?
Sarah
That’s not a dumb question at all. And I think that’s actually kind of cutting to the root of the problem with these things is, I don’t think people feel really informed or empowered to know what they can do about their own privacy or what kind of options they have in these scenarios. So essentially the onus falls on companies to report it once these kinds of breaches happen. People can also, if they believe that their information has been compromised or exposed in some way, report those as well. There are both provincial offices of privacy commissioners and a federal office in Canada. Both the Alberta office and the federal office have told me that they are reaching out to Portpass and that they will be investigating this situation.
Jordan
I want to ask you a little bit about the bigger picture of this and maybe just get your perspective as a journalist and also as somebody who lives and works in Alberta, vaccine passports have been such a divisive issue, and it’s been so hard to get people to buy into them and to recognize that this will help keep us safe. What’s happened, maybe in the mood out there around Calgary, as this story has become public? Like this can’t do anything good for trust in these policies.
Sarah
That’s exactly what I’ve heard from people is even though this was a private app, it had no ties to government or more official vaccine verification apps. People say that this really worries them about, you know, sharing their personal data in this way. There have been some changes in Alberta since all of this happened. So the government has, as I mentioned before, rolled out a QR code. But the problem is there’s still no official app to scan it with, so it’s essentially still not a functioning system. And here in Calgary, the city has implemented its own vaccine passport bylaw that applies to a number of non-essential businesses. But it’s fair, I think, to say that it’s been a really divisive conversation and any kind of questions around security certainly don’t help that.
Jordan
What about the companies that did business with Portpass and promoted it as a way to safely verify your vaccination status? I mean, obviously the fault lies with Portpass, but what do those companies do now?
Sarah
So Calgary Sports and Entertainment Corporation has said that it’s looking into this. It has pulled its recommendation for Portpass off of its website, and it said it’s aware of some of the concerns about it, and in the meantime, is kind of just recommending people stick to those paper vaccine records, which have their issues as well. It is a tricky situation for companies to be in because in the void left without a functioning provincial system, a system that people could feel safe and secure about, I think a lot are kind of looking for ways to keep their staff, keep their customers safe at different events or facilities. It’s a tricky situation, and I don’t envy the people trying to sort it out.
Jordan
I also want to ask you and you don’t have to talk about how the hackers might have done this or anything. But if there were hackers, as the company claims, and it wasn’t just a security breach or security hole, what could someone with malicious intent do with this kind of information?
Sarah
The tricky thing about the internet is once something is kind of out there on it, it’s really hard to get that information back. Once information like this is out there, it’s pretty common for it to be collected and uploaded to different sites or even sold. If you think about the information that’s on your driver’s license, you know, from your name to your driver’s ID number to your home address, there’s a variety of criminal activities that could potentially be done with that information. People could worry about identity theft or potentially even security concerns. I know as a journalist, I wouldn’t want everyone having my home address, so I can imagine that people have various reasons that they wouldn’t want this information out there.
Jordan
So the app is off the stores for now. Have you spoken to Portpass at all recently in the last couple of days? Do we know what happens next here? What are we waiting for?
Sarah
I actually reached out to them yesterday to ask a number of questions. I’m hoping to know where their investigation is going internally. If they’ve learned how this information exposure happened, how many people were involved, what they’re doing now. Unfortunately, the company hasn’t responded. I have heard from Calgary Police that there is an ongoing investigation into the situation, but no details there yet either.
Jordan
In terms of going forward because these vaccine passports are not going away. The need for them is not going away. And people are not going to want to use that piece of paper forever. What can someone do to make sure that the app or program that they’re using for proof of vaccination is secure?
Sarah
So I spoke to both cyber security and privacy experts for this story, and they say there’s kind of a few things you can do to keep yourself safe. The first is if you do intend to use an app, see if it’s one that is not a third party app, essentially, is it one that is either created by or recommended by a government agency. And I know no one likes to do this, but take a look at that privacy policy. Take a look at those terms and conditions, make sure you really understand what an app says it’s going to do with your data once it has it. And while that paper record isn’t maybe fun to carry around, it’s a safer option. It’s an old school tool, but that way you’re not providing your data to anyone else.
Jordan
Sarah, thank you so much for this. And thanks for your work on the story.
Sarah
Thanks for having me.
Jordan
Sarah Rieger of CBC Calgary.
That was The Big Story. And if you are looking for another podcast to check out, I have a new one for you at Frequency Podcast Network. It is called The Reheat. What this show does is dig back into the dirtiest time for celebrity scandals, the late 1990s and the early 2000s. If you were alive at the time, you remember how nasty the tabloids got. The Reheat looks at that time with an eye to history and critical gender studies. And, of course, incorrigible gossip.
Anyway, that’s my spiel. If you like The Big Story, you really should check out The Reheat. You can find it at frequencypodcastnetwork.com or wherever you get your podcasts.
Thanks for listening. I’m Jordan Heath-Rawlings. We’ll talk tomorrow.