Calgary Flames-endorsed proof-of-vaccination app criticized for lack of security, reliability

Photo credit:Sergei Belski-USA TODAY Sports
Mike Gould
2 years ago
A proof-of-vaccination mobile application previously recommended by the Calgary Flames is under fire over allegations it exposed hundreds of thousands of users’ personal data. 
A new CBC report alleges Portpass, which claims to have 650,000 users in Canada, has exposed the personal information of those who had signed up for the service by failing to encrypt the back-end of its website.
Tuesday’s CBC report warns that driver’s licenses, passports, email addresses, phone numbers, and birthdays submitted to Portpass can “easily be viewed” in plain text by accessing the unsecured database.
The Flames’ vaccination policy webpage, which previously described Portpass as the “preferred and fastest” method of verifying a patron’s vaccination status prior to entering the Scotiabank Saddledome, remained unchanged for two days after a previous CBC report by Sarah Rieger on Sunday raised concerns about Portpass’s reliability and the security of the data the app collects from its users. The Flames updated the webpage Tuesday afternoon.
Proof of vaccination is currently required to attend all CSEC events, including Calgary Flames hockey games at the Saddledome and Calgary Stampeders football games at McMahon Stadium.
The Flames announced their endorsement of the Portpass application on Sept. 22, touting the company’s “made-in-Calgary” roots and claiming the app “provides a solution for safely and securely sharing vaccine health status for access requirements while protecting user-health privacy and data security at the highest level.”
Flames vice president of communications Peter Hanlon told FlamesNation Tuesday morning the organization is “aware of the concerns that were raised regarding the app” and is “working with the developer to validate.”
“We will be able to provide more information to our fans in the next day or two,” Hanlon added.
Portpass claims its app confirms the validity of its users’ profiles using an artificial intelligence system and that it uses blockchain to “fully encrypt” all data. The app also offers a QR code for verification purposes.
Calgary-based software developer Conrad Yeung posted a Twitter thread on Sept. 26 detailing privacy and security issues he said he noticed in the Portpass application.
Yeung said he successfully created a fully verified profile on the app using the biographical data of actor Rob Schneider and an edited Alberta government immunization record card showing “proof” of him having received two shots of a nonexistent “Deuce Bigalow” vaccine.
During a phone conversation with FlamesNation Monday evening, Yeung reiterated his concerns about the Portpass application’s security and said it is “absolutely not” effective for verifying vaccination status.
“If something so ridiculous like that got verified, who’s actually verifying the data on the back-end? Is it actually, for example, AI and blockchain, like they said that they’re using? Because, you know, I work in the industry,” Yeung told FlamesNation. “Blockchain doesn’t work in the way that they’re describing it as.”
Yeung said he noticed Portpass’ website does not require browsers to validate SSL security certificates. He also told FlamesNation he was able to easily access Portpass’ back-end directory, “just like that,” and expressed concerns about the potential vulnerability of user data.
“Why is the Calgary Sports and Entertainment Corporation promoting something so primitive & scammy?” Yeung tweeted on Sept. 26. “This app is the easiest way for people who want to skirt the system to… well… basically bypass the system.”
CSEC’s endorsement of the Portpass system remained in its original form on the Flames’ official website as of 9:45 a.m. MT on Tuesday morning. All information recommending Portpass was removed from the Flames’ website by 12:30 p.m. MT. on Sept. 28 and was replaced by a message encouraging fans who have signed up for the service to prepare alternate forms of ID and proof of vaccination.
Screenshot of nhl.com/flames/fans/vaccinationpolicy captured at 10:26 p.m. MT on Sept. 27, 2021.
FlamesNation spoke to more than a half-dozen people who attempted to use Portpass while attending Sunday’s Flames preseason game against the Edmonton Oilers at the Saddledome.
“I tried to use it,” said Steven Poffenroth. “I had it all set up and working three days prior but the app has since glitched and no longer shows my status. I have a screenshot of my ‘My Pass’ saying I am verified and vaxxed but now it says I am ‘not verified.’
“I have no idea what’s going on with the app,” Poffenroth added.
Prior to the start of Sunday’s game, Portpass posted a statement on its official Twitter account warning users of “technical difficulties” and asking fans to bring a piece of paper carrying proof of immunization to the Saddledome.
“Everything showed up as ‘unverified – unverified,’ [I] couldn’t even see my own picture on the profile,” said Jack Warren. “The only reason I downloaded it was to go to games at the Saddledome. I had never even heard of the app until the Flames/CSEC posted about it.”
“I had downloaded it, as requested by the Flames. Submitted my vaccine info photos as well as my driver’s licence,” said James Johnson. “Checked it three hours before game time and it wasn’t working.
“The Flames (CSEC) said to use it, so, naturally, I thought it was safe,” Johnson added.
The Alberta government has yet to release a mobile application to prove vaccination status; its system for providing downloadable immunization record cards has been criticized by security experts for lacking QR code integration and allegedly enabling forgeries through its use of unlocked PDF files. The government has stated QR code verification for vaccine status is coming “in the following weeks.”
Portpass has not responded to FlamesNation‘s requests for comment as of the time of publication.

Check out these posts...