Security concerns raised about third-party proof of vaccine apps
A technology and cyber security expert is warning Albertans about third-party apps that offer COVID-19 vaccination and rapid testing verification.
It comes after users complained of one Calgary-made app not working and others showed they were able to upload false information to the app, but were verified anyway.
The app is called PORTpass and it's recommended by the Calgary Sports and Entertainment Corporation (CSEC) -- the group that owns the Flames, Stampeders, Roughnecks and Hitmen -- to provide proof of vaccination upon entry to its sporting events.
Hours before the Flames' first preseason game at the Saddledome on Sunday, PORTpass announced it was experiencing technical difficulties and told fans to bring paper copies of their vaccination record to the game instead.
"It's great that entrepreneurs want to help out, but we heard tales of a bunch of people who tried to use PORTpass and couldn't get into the hockey game," said Tom Keenan, a cyber security expert with the University of Calgary.
Beyond the frustration for users on Sunday, Keenan says apps such as PORTpass also pose security and privacy concerns.
"The reality is you're giving up information to a total stranger and that information could come back to haunt you as identity theft," Keenan said.
VACCINE RECORD CAN BE MANIPULATED: APP USER
Conrad Yeung is a web developer in Calgary and downloaded PORTpass to see how the app worked. He said he made a fake vaccination record on the app using a different name and was verified by PORTpass.
"The first picture I uploaded was Rob Schneider in the poster of 'Deuce Bigalow: Male Gigolo' and I was like 'they accepted that? Cool, let's use that'," he said.
"Then they asked for my driver's licence and I uploaded a random photo from the internet and that got verified, so I immediately knew there was probably something sketchy going on with the app," said Yeung, who posted a Twitter thread about his experience with PORTpass.
Yeung's profile stopped working on the PORTpass app Sunday evening, around the time the company reported it was dealing with technical difficulties.
The CEO of PORTpass agreed to do an interview with CTV News on Monday afternoon, but cancelled shortly after.
In a statement issued late Monday afternoon, the company says it has taken measures to "significantly increase the system's resources to meet the ongoing demand and ensure functionality for all users, all the time."
"PORTpass would like to reaffirm the commitment to security that has been central to its operations since Day 1 and address the recent claims on social media falsely claiming to have had unrestricted access to the system’s database," it read.
"The statements made are unequivocally untrue and PORTpass will be working with local authorities to take action against this malicious misinformation, and the submission of fraudulent documents. Documents uploaded for proof of vaccination and test results go through both manual review and machine learning analysis, and are securely used with Amazon Web Services.
"As a further demonstration of the commitment to security and transparency, PORTpass is taking steps to implement additional layers of security including steps toward SOC 2 compliance and working with a third party on a security audit. During this time of uncertainty, PORTpass continues to live by its mandate to provide a seamless way for local businesses to continue to serve their communities."
Keenan, the cyber security expert, was also able to be verified by PORTpass, despite not providing his own driver's licence when signing up for the app.
"There's a lot of information on your driver's licence, your passport. So instead I gave them my United States Library of Congress card and guess what? It took it. So, they're not really looking at what's going on there," Keenan said.
"We've got to get the (QR code) soon and I think the reality is that government-issued and supported apps are going to be the way to go," he added.
The Alberta Government is working on its own QR code for proof of vaccination, but there is no timeline on when it will be available to the public.
"Work is underway to provide proof of vaccination with an Alberta-verified QR code soon. We are monitoring the experiences of other provinces and privacy and security concerns are being taken into consideration," reads a statement from Alberta Health.
CSEC said it is aware of the security and privacy concerns raised by PORTpass users and is working with the company. A spokesperson for CSEC said more information would be available to fans in the next day or two.