Security concerns raised about third-party proof of vaccine apps
A technology and cyber security expert is warning Albertans about third party apps that offer COVID-19 vaccination and rapid testing verification.
It comes after users complained of one Calgary-made app not working and others showed they were able to upload false information to the app, but were verified anyway.
The app is call PORTpass and it's recommended by the Calgary Sports and Entertainment Corporation (CSEC) -- the group that owns the Flames, Stampeders, Roughnecks and Hitmen -- to provide proof of vaccination upon entry to its sporting events.
Hours before the Flames' first preseason game at the Saddledome on Sunday, PORTpass announced it was experiencing technical difficulties and told fans to bring paper copies of their vaccination record to the game instead.
"It's great that entrepreneurs want to help out, but we heard tales of a bunch of people who tried to use PORTpass and couldn't get into the hockey game," said Tom Keenan, a cyber security expert with the University of Calgary.
Beyond the frustration for users on Sunday, Keenan says apps such as PORTpass also pose security and privacy concerns, too.
"The reality is you're giving up information to a total stranger and that information could come back to haunt you as identity theft," Keenan said.
VACCINE RECORD CAN BE MANIPULATED: APP USER
Conrad Yeung is a web developer in Calgary and downloaded PORTpass to see how the app worked. He said he made a fake vaccination record on the app using a different name and was verified by PORTpass.
"The first picture I uploaded was Rob Schneider in the poster of 'Deuce Bigalow: Male Gigalo' and I was like 'they accepted that? Cool, let's use that'," he said.
Conrad Yeung is a web developer in Calgary and downloaded PORTpass to see how the app worked. He said he made a fake vaccination record on the app using a different name and was verified by PORTpass.
"Then they asked for my driver's licence and I uploaded a random photo from the internet and that got verified, so I immediately knew there was probably something sketchy going on with the app," said Yeung, who posted a Twitter thread about his experience with PORTpass.
Yeung's profile stopped working on the PORTpass app Sunday evening, around the time the company reported it was dealing with technical difficulties.
The CEO of PORTpass agreed to do an interview with CTV News on Monday afternoon, but cancelled shortly after.
In a statement issued late Monday afternoon, the company says it has taken measures to "significantly increase the system's resources to meet the ongoing demand and ensure functionality for all users, all the time."
"PORTpass would like to reaffirm the commitment to security that has been central to it’s operations since Day 1 and address the recent claims on social media falsely claiming to have had unrestricted access to the system’s database," it read.
"The statements made are unequivocally untrue and PORTpass will be working with local authorities to take action against this malicious misinformation, and the submission of fraudulent documents. Documents uploaded for proof of vaccination and test results go through both manual review and machine learning analysis, and are securely used with Amazon Web Services.
"As a further demonstration of the commitment to security and transparency, PORTpass is taking steps to implement additional layers of security including steps toward SOC 2 compliance and working with a third party on a security audit. During this time of uncertainty, PORTpass continues to live by it’s mandate to provide a seamless way for local businesses to continue to serve their communities."
Keenan, the cyber security expert, was also able to be verified by PORTpass, despite not providing his own driver's licence when signing up for the app.
"There's a lot of information on your driver's licence, your passport. So instead I gave them my United States Library of Congress card and guess what? It took it. So, they're not really looking at what's going on there," Keenan said.
"We've got to get the (QR code) soon and I think the reality is that government-issued and supported apps are going to be the way to go," he added.
The Alberta Government is working on its own QR code for proof of vaccination, but there is no timeline on when it will be available to the public.
"Work is underway to provide proof of vaccination with an Alberta-verified QR code soon. We are monitoring the experiences of other provinces and privacy and security concerns are being taken into consideration," reads a statement from Alberta Health.
CSEC said it is aware of the security and privacy concerns raised by PORTpass users and is working with the company. A spokesperson for CSEC said more information would be available to fans in the next day or two.
CTVNews.ca Top Stories
Donald Trump says he urged Wayne Gretzky to run for prime minister in Christmas visit
U.S. president-elect Donald Trump says he told Canadian hockey legend Wayne Gretzky he should run for prime minister during a Christmas visit but adds that the athlete declined interest in politics.
Historical mysteries solved by science in 2024
This year, scientists were able to pull back the curtain on mysteries surrounding figures across history, both known and unknown, to reveal more about their unique stories.
King Charles III focuses Christmas message on healthcare workers in year marked by royal illnesses
King Charles III used his annual Christmas message Wednesday to hail the selflessness of those who have cared for him and the Princess of Wales this year, after both were diagnosed with cancer.
Mother-daughter duo pursuing university dreams at the same time
For one University of Windsor student, what is typically a chance to gain independence from her parents has become a chance to spend more time with her biggest cheerleader — her mom.
Thousands without power on Christmas as winds, rain continue in B.C. coastal areas
Thousands of people in British Columbia are without power on Christmas Day as ongoing rainfall and strong winds collapse power lines, disrupt travel and toss around holiday decorations.
Ho! Ho! HOLY that's cold! Montreal boogie boarder in Santa suit hits St. Lawrence waters
Montreal body surfer Carlos Hebert-Plante boogie boards all year round, and donned a Santa Claus suit to hit the water on Christmas Day in -14 degree Celsius weather.
Canadian activist accuses Hong Kong of meddling, but is proud of reward for arrest
A Vancouver-based activist is accusing Hong Kong authorities of meddling in Canada’s internal affairs after police in the Chinese territory issued a warrant for his arrest.
New York taxi driver hits 6 pedestrians, 3 taken to hospital, police say
A taxicab hit six pedestrians in midtown Manhattan on Wednesday, police said, with three people — including a 9-year-old boy — transported to hospitals for their injuries.
Azerbaijani airliner crashes in Kazakhstan, killing 38 with 29 survivors, officials say
An Azerbaijani airliner with 67 people onboard crashed Wednesday near the Kazakhstani city of Aktau, killing 38 people and leaving 29 survivors, a Kazakh official said.