Cybersecurity expert warns PEI Pass website could be 'hotspot' for hackers

A cybersecurity expert in New Brunswick is warning that uploading personal documents online to apply for a PEI Pass is putting people's personal information at risk.

The applications for the pass, a document that will make travelling to the Island easier, opened last week for residents of the Atlantic provinces who are at least partially vaccinated against COVID-19.

Starting today, P.E.I. residents no longer have to upload documents to the website; instead, they can agree to let public health officials check on their vaccination status, and will be allowed to show a form of ID on arrival that proves they're residents.

But people travelling from other provinces still have to upload documents such as their driver's licence and their vaccine info.

Reg MacWilliams, a cyber security professional with Secure State Cyber, says no website is totally safe against hackers, and the amount of personal information being collected as part of applying for a PEI Pass could put people at risk of identity theft.

"You could have a website hosting driver's licence, bank account numbers, email addresses, addresses … place of birth, place of residence, that is a whole lot of information," said MacWilliams.

"It's a kind of a hotspot for malicious actors."

MacWilliams started to apply for the PEI Pass himself, to come visit his parents on the Island, when he said he became concerned about the amount of information he had to upload to the site.

He reached out to the Office of the P.E.I. Privacy Commissioner with his concerns.

"They responded back the next morning saying that … my concerns were valid and that they would remediate the situation," said MacWilliams.

Later that day, the site added a disclaimer advising non-Islanders wanting a pass to black out unneeded private details before uploading images of their IDs.

For MacWilliams, that's not enough.

"Most people aren't technically savvy enough to understand the risk behind that," he said.

P.E.I. Privacy Commissioner Denise Doiron says she spoke to the Chief Public Health Office about making changes after receiving one communication about the privacy of the site.

"I'm satisfied that they are considering the privacy issues and their obligations around privacy," said Doiron.

"I understand that people have a lot of sensitivity about their privacy, and that's a good thing. But at the same time, we are in the middle of a pandemic. We do have legislation that allows the government and Chief Public Health Office to put certain restrictions in for the good of Islanders."

Premier speaks of 'learning experience'

P.E.I. Premier Dennis King said the fact that Islanders no longer need to upload their documents to apply will make the process easier and quicker.

"For Islanders, we have essentially said, check this box and we'll be able to validate the information that we were asking you to upload," he told CBC News: Compass host Louise Martin.

"It's been a learning experience and we feel a lot better about it today than we did a couple of days ago."

Tips for keeping info safe

For now, MacWilliams advises people applying to black out the information on their photo ID that's not required.

"We trust websites a lot more than maybe we should," he said. "I don't think the onus of putting it on the individuals uploading their information is the right approach."

He also suggests immediately deleting photos of your personal documents from your phone, as soon as you've finished uploading them.

As for the PEI Pass in general, MacWilliams better approach would be to create a federal program for proof-of-vaccine for travel.

"But you've got to factor in the timeline of how fast can they build up that platform and roll it out, versus people wanting to travel," he said.

More from CBC P.E.I.