Skip to main content

Security concerns raised about third-party proof of vaccine apps


A technology and cyber security expert is warning Albertans about third party apps that offer COVID-19 vaccination and rapid testing verification.

It comes after users complained of one Calgary-made app not working and others showed they were able to upload false information to the app, but were verified anyway.

The app is call PORTpass and it's recommended by the Calgary Sports and Entertainment Corporation (CSEC) -- the group that owns the Flames, Stampeders, Roughnecks and Hitmen -- to provide proof of vaccination upon entry to its sporting events.

Hours before the Flames' first preseason game at the Saddledome on Sunday, PORTpass announced it was experiencing technical difficulties and told fans to bring paper copies of their vaccination record to the game instead.

"It's great that entrepreneurs want to help out, but we heard tales of a bunch of people who tried to use PORTpass and couldn't get into the hockey game," said Tom Keenan, a cyber security expert with the University of Calgary.

Beyond the frustration for users on Sunday, Keenan says apps such as PORTpass also pose security and privacy concerns, too.

"The reality is you're giving up information to a total stranger and that information could come back to haunt you as identity theft," Keenan said.


Conrad Yeung is a web developer in Calgary and downloaded PORTpass to see how the app worked. He said he made a fake vaccination record on the app using a different name and was verified by PORTpass.

"The first picture I uploaded was Rob Schneider in the poster of 'Deuce Bigalow: Male Gigalo' and I was like 'they accepted that? Cool, let's use that'," he said.

Conrad Yeung is a web developer in Calgary and downloaded PORTpass to see how the app worked. He said he made a fake vaccination record on the app using a different name and was verified by PORTpass.

"Then they asked for my driver's licence and I uploaded a random photo from the internet and that got verified, so I immediately knew there was probably something sketchy going on with the app," said Yeung, who posted a Twitter thread about his experience with PORTpass.

Yeung's profile stopped working on the PORTpass app Sunday evening, around the time the company reported it was dealing with technical difficulties.

The CEO of PORTpass agreed to do an interview with CTV News on Monday afternoon, but cancelled shortly after.

In a statement issued late Monday afternoon, the company says it has taken measures to "significantly increase the system's resources to meet the ongoing demand and ensure functionality for all users, all the time."

"PORTpass would like to reaffirm the commitment to security that has been central to it’s operations since Day 1 and address the recent claims on social media falsely claiming to have had unrestricted access to the system’s database," it read. 

"The statements made are unequivocally untrue and PORTpass will be working with local authorities to take action against this malicious misinformation, and the submission of fraudulent documents. Documents uploaded for proof of vaccination and test results go through both manual review and machine learning analysis, and are securely used with Amazon Web Services.

"As a further demonstration of the commitment to security and transparency, PORTpass is taking steps to implement additional layers of security including steps toward SOC 2 compliance and working with a third party on a security audit. During this time of uncertainty, PORTpass continues to live by it’s mandate to provide a seamless way for local businesses to continue to serve their communities."

Keenan, the cyber security expert, was also able to be verified by PORTpass, despite not providing his own driver's licence when signing up for the app.

"There's a lot of information on your driver's licence, your passport. So instead I gave them my United States Library of Congress card and guess what? It took it. So, they're not really looking at what's going on there," Keenan said.

"We've got to get the (QR code) soon and I think the reality is that government-issued and supported apps are going to be the way to go," he added.

The Alberta Government is working on its own QR code for proof of vaccination, but there is no timeline on when it will be available to the public.

"Work is underway to provide proof of vaccination with an Alberta-verified QR code soon. We are monitoring the experiences of other provinces and privacy and security concerns are being taken into consideration," reads a statement from Alberta Health.

CSEC said it is aware of the security and privacy concerns raised by PORTpass users and is working with the company. A spokesperson for CSEC said more information would be available to fans in the next day or two. Top Stories

Stay Connected