Private proof-of-vaccine app Portpass continues to expose personal data even after relaunch and updates
CEO of Calgary-based company says he was ‘unaware’ users’ private info was still accessible online
Personal information belonging to more than 17,000 users of the private proof-of-vaccination app Portpass is still unsecured and visible online — including, in some cases, photos of drivers' licences and passports — despite assurances from the company that its data-security problems have been fixed.
The Calgary-based smartphone app was temporarily taken offline in late September after CBC News initially reported that users' data was unsecured and accessible on the internet to anyone who knew where to look.
The app relaunched in October and the Portpass website assured users that it protects their "health privacy and data security at the highest level" and that "your data and information is kept secure at all times."
But several experts in software development have since reached out to CBC News with concerns that users' data was still accessible.
CBC News was able to independently confirm that the records of more than 17,000 users were still unsecured after the relaunch. The confirmation was done by using an automated script to scan the information that was accessible online without storing all of the users' personal information.
By examining a sample of those records, CBC News was able to view text-based data showing users' names, phone numbers, email addresses, dates of birth, vaccination status and, in some cases, Alberta health-care numbers.
Some records also included photos of users and their personal identification documents. Among the images were drivers' licences from British Columbia, Alberta, Saskatchewan and Ontario, as well as a Canadian passport, a U.S. passport and a federal Indian status card.
CBC News was able to view at least a dozen different photo IDs in the past week, some of which were accessible for days at a time. (The original images were temporarily stored by CBC News and then deleted; only blurred versions with identifying details obscured were kept.)
The Calgary-based app, which invites users to upload personal information so it can act as a proof-of-vaccination system for people who want to go to restaurants, concerts and other events that require attendees to be immunized against COVID-19, launched before governments in Alberta and Ontario created their own apps.
Portpass was widely used before it was temporarily taken down in late September amid the initial flurry of privacy concerns.
The Calgary Flames briefly promoted the app as the "preferred and fastest" method for fans attending games at the Saddledome to prove their vaccination status, but removed that recommendation after security flaws came to light.
CEO considered pulling the plug
CBC News contacted Portpass CEO Zak Hussein on Monday about the unsecured data. He agreed to an interview on Tuesday evening, in which he said he had no idea the users' records were still accessible.
"I was unaware of that," Hussein said. "That's crazy."
At that point, Hussein said he was considering pulling the plug on Portpass, especially considering Alberta and Ontario have since launched their own apps.
"Maybe we need to just take down this app, because there's just all this going on and it's not worth it," he said. "I mean, I haven't even made a dollar on this."
Hussein said he needed to talk to his software developer about next steps.
Maybe we need to just take down this app, because there's just all this going on and it's not worth it. I mean, I haven't even made a dollar on this.- Zak Hussein, Portpass CEO
"I'm just going to tell them to turn off the app," he said.
CBC News agreed to give Hussein a day to sort that out, and not publish anything about the ongoing data exposure in the meantime, in order to limit potential risk to users whose personal information remained unsecured.
Hussein did not take the app down, however, and instead updated the software Wednesday with a note reading "Improved security of the app."
Update 'does nothing,' critics say
As of Thursday afternoon, however, user data remained available online, albeit through a different method than before.
"This update essentially does nothing," said Rida F'kih, a Calgary-based software developer who noticed the vulnerabilities in the Portpass app.
"The user data is still completely accessible."
Conrad Yeung, a Calgary-based web developer who also noted the Portpass app's vulnerabilities after its relaunch, said advanced skills were not needed to view users' private information and even a "beginner" could figure it out.
"Somebody who finished a five- to 10-hour course on the internet … would be able to access the information that I was able to access," he said.
After the app's Wednesday update, a third person anonymously sent a tip to CBC News detailing how they were able to access user data, as well.
Given the ongoing exposure of personal information, the fact that a growing number of people have independently figured out how to access it, and the company's decision not to take down the app, CBC News has decided to no longer wait and publish this story now.
CBC News reached out to Hussein again on Thursday morning but has yet to receive a reply.
Privacy commissioner investigating
The Office of the Information and Privacy Commissioner (OIPC) of Alberta has said it was in contact with Portpass after the initial data-security concerns in September, and it reminded the company of its responsibility to report any information breaches.
The OIPC said Thursday it has since received a new complaint about Portpass, which is now part of an "open investigation."
Calgary police also conducted an investigation, which they said had concluded Monday. They said they found no evidence of any "criminal attacks or data breaches on the Portpass app."
Police said Thursday they have received no additional complaints since then about anything criminal in nature regarding the app. They said concerns about general data security would fall to the privacy commissioner's office.
In an Oct. 8 note on its website, the company acknowledged users' privacy concerns and apologized for "any undue stress this may have caused."
"We have been made aware of potential unauthorized viewings and we want to ensure that we have taken immediate steps and measures to verify that any potential threats have been mitigated and eliminated," the company note said.
User 'shell shocked'
One Calgary resident who signed up for the app says he's especially frustrated because he emailed Portpass on Oct. 4 to ask whether his data was exposed.
He received a reply from Hussein, the CEO, within two minutes.
"You were not affected and your data was not stored," Hussein said in the email, which was shared with CBC News. "We have removed it and are also awaiting to show facts through our audits."
But, as recently as Thursday, this user's name, email address, phone number, date of birth and vaccination status remained accessible online.
"I'm shell shocked," said the user. CBC News has agreed not to name him, because he still worries about his personal information being misused.
"I just feel like my digital identity is so vulnerable at this point. And now I have to go and figure out a way of correcting that."
F'kih, the software developer, said the ongoing security lapses in the Portpass app are entry-level errors.
"Some very basic kinds of considerations that any, I believe, competent software developer would make were missed."
He said the app is "easily exploitable" and that bad actors would not need advanced knowledge of computers to take advantage of the vulnerabilities. He noted that users' data could be collected and sold online to aid in identity theft, credit fraud, spam marketing or other illegal or unethical purposes.
F'kih said it's hard to know if any bad actors have already accessed the data, but the longer it's available online, the greater the chance it falls into the wrong hands.
Some very basic kinds of considerations that any, I believe, competent software developer would make were missed.- Rida F'kih, Calgary-based software developer
"Any chance above zero, with this kind of information, is unacceptable."
It's especially troublesome, he said, because by his estimation, Portpass has about 17,000 to 18,000 registered users, all of whom appear to be affected by the data exposure.
As well, people have continued to sign up for the app as recently as this week.
A previously cited figure of 650,000 users actually refers to the number of pre-registered users, Hussein clarified in his Tuesday evening interview, not the number of people who actually downloaded and signed up for the app.
CEO won't say who developed app
When asked who did the software development for Portpass, Hussein replied: "Oh, it's here in Calgary, but I wouldn't want to bring up their name."
However, F'kih says that conflicts with additional exposed information that reveals the account name of a back-end developer.
From there, F'kih was able to find a person by the same name with a LinkedIn account describing himself as a freelance web developer based in Pakistan. He lists the development of the Portpass app as one of his completed jobs.
Though he said there's nothing wrong with outsourcing work, F'kih says it's the job of a CEO to "make sure that the application that you're sending out is safe."
F'kih said he was motivated to highlight the app's security flaws because he worries about users' personal data being stolen and misused, and he's seen no effective actions taken by Portpass to correct the problems.