QR Code Check-Ins Are Risky, So How Can They Be Improved?


The act of checking in to a venue has been widely accepted as the price we must pay to socialise and return to some form of normality. But while the act of entering data is small, the potential ramifications of this process are not.

COVID-safe policies call for businesses and venues to implement a digital check-in system that asks users to input their personal information in the event they need to be contact-traced.

This means we have to enter our data into online systems every time we want to buy a cup of coffee, with minimal information on how this data is stored or how secure it is.

Australians are no strangers to privacy concerns. A report put out by the Consumer Policy Research Centre revealed that 94 per cent of Australians are concerned about how their data is collected and shared online. And now we’re sharing it everywhere.

Which raises the question: as we go into another year of living with these COVID-safe processes like QR check-ins, is there a better way they could be implemented?

How the COVID-safe check-in system has progressed

Remember COVIDSafe? Based on the source code of Singapore’s TraceTogether, the app was supposed to utilise a phone’s Bluetooth to alert users if they had been in the proximity of another COVIDSafe user who tested positive for coronavirus.

Unfortunately, it was greatly flawed from the get-go. In addition to having difficulty running in the background on iOS devices, it was riddled with bugs and privacy concerns.

The app has since been labelled a failure, with the final nail in the coffin being the government’s refusal to use Google and Apple’s joint API.

In the end, barely any close contacts have been identified since its launch. So when it comes to COVID-related check-in apps, it’s no wonder Australians may be hesitant.

Early processes allowed businesses to provide a pen and paper check-in option, while the government scrambled to provide proper regulation and alternative platforms.

This paper option has been viewed as largely flawed by experts in the field.

“I feel safer entering information via an app than I do filling out a handwritten sheet that can be viewed by everyone who comes after you for the remainder of the day,” Brian Hay, the executive director at Cultural Cyber Security, told Gizmodo Australia.

State and territory governments implemented mandatory digital check-in processes shortly after.

The states step in

For these processes to be effective, they require individuals to be forthcoming with their personal details. However, privacy concerns around these apps and third-party web forms have turned a lot of people off doing the ‘right thing’.

“The government has been asleep at the wheel, it took nine months into COVID for the ACSC to provide advice on this,” Nigel Phair, Director at UNSW Canberra Cyber, said.

“The population just want to do the right thing and get on with their lives. They are not to know what will happen to their data.”

In the months since digital-only COVID-safe check-ins became mandatory, the majority of state and territory governments have provided their own QR code check-in services, taking the load off businesses and venues.

The exception is Queensland, which currently has no government-provided option.

When asked whether Queensland would be getting its own online check-in platform, a government spokesperson told Gizmodo Australia: “We have been working with a number of businesses across Queensland to trial a Queensland Government check-in app. Once these trials are complete, a decision will be made on its rollout.”

Despite these government-provided platforms, certain businesses and venues can still outsource to a third-party check-in web form.

The risks of the COVID-safe check-in process

In both government check-in apps and third-party web forms, there still exists a lack of trust and concern about where personal data is going and how secure it is.

After all, they are collecting incredibly valuable sets of data. The average COVID check-in may require the user to input their name, home address, phone number and email address.

This data then has the potential to be used in a number of ways.

While personal data is freely being given and taken for contact tracing purposes, these sites become a tempting target for hackers.

Hay sees a data breach from a COVID-safe check-in site as inevitable.

“The public rightfully possess an expectation that data provided to a third party will be secured to the point it won’t be hacked,” he said.

“However, the simple reality is that we will see data hacked, compromised, stolen, abused and exploited.”

It’s not just hackers you need to look out for

Hay also points out that another use could be for marketing purposes.

“Sometimes it may fall into the realm of ‘marketing’ via the T&C’s that no one ever reads.”

Phair shared these concerns, saying it’s highly likely the data will be repurposed for marketing efforts and continuously on-sold.

Phair said that a picture of a person can be created by looking at the venues and locations where they have checked in.

Dr Michael Axelsen, senior lecturer in Business Information Systems at the UQ Business School, echoed these sentiments.

“You can infer from this data where that person lives, what their habits are, where they go, what they do. You can start to geo-map them,” he said.

This information could also be a starting point for so much more if a breach were to happen.

“It is most likely to be traded in the Dark Web where literally thousands of cybercriminals will have the opportunity to exploit that data in a multitude of ways pertinent to their particular crime,” Hay warned.

“It’s important to understand that a data breach is not an event, it’s a legacy – it endures. Your data may continue to be exploited for many years. There is no end date.”

It seems that a data breach stemming from this COVID-safe check-in process is not an if but a when. So what needs to be done to further secure Australians’ data, and what can individuals do to look out for themselves?

What needs to be done?


A nationwide COVID check-in app is a potential solution. But Australia has already seen the downfall of the COVIDSafe app, which would likely cause another wave of scepticism.

Phair believes that a universal check-in app should be the responsibility of the Office of the Australian Information Commissioner (OAIC).

When asked whether a standard check-in app for venues across Australia was on the radar, a representative told Gizmodo Australia that the OAIC upholds Australia’s privacy laws and does not implement or design these check-in apps.

Axelsen believes that having a nationwide app collecting data would be simply too tempting for hackers. But having government-regulated state and territory check-in apps would be an acceptable model.

This model is in place for many states and territories; however, the sole use of government QR code check-in apps isn’t mandatory across the country yet.

Particularly in Queensland, businesses are forced to outsource to third-party providers or create their own web forms, where patrons must then trust this data is secured and subsequently destroyed.

Certification systems

Axelsen suggests that if state and territory check-in apps aren’t made mandatory then a certification system should be introduced.

“There needs to be a standard,” he said. “We need some form of COVID-19 electronic assurance certification. Websites or businesses have to sign up for the data security standard and they have to put the resources in to make sure they’re looking after that data properly.

“If I haven’t used a website before but it has a little tick, then I know I can have confidence in it. But I’d want some certification process for these individual providers.”

Hay said he’d also like to see some regulation from the government.

“The Australian government should set minimum standards on the privacy requirements and the cyber and physical security on the COVID-App data, limiting its life and application, requiring it to be destroyed after a period of time and ensure its safe storage in an encrypted state until the determined time arrives, all with full auditability,” he said.

The OAIC spokesperson said that the regulator is looking at addressing some of these check-in related concerns.

“From our perspective, there are two main areas to address: harmonising the different state and territory requirements for the collection of information from venues, and ensuring that those businesses providing digital check-in services are covered by and are complying with the Privacy Act.”

To do this the OAIC has put forward draft guidelines for consultation regarding the implementation of a nationally consistent approach for the collection of personal information for contact tracing.

Whether this will result in a national standard for COVID-safe check-in processes remains to be seen.

What can Australians do to protect their data?

In terms of what individuals can do to be more mindful during these check-in processes, the experts have some suggestions.

Axelsen pointed to email addresses being the weakest link in the process: “If you’ve got an email address, you can work out a password. If someone gains access to a breached database they’re bound to find somebody on it with poor password management.”

His solution was to create a separate email purely for check-in purposes. This email can then be redirected to a personal email address, so users can still be alerted if they are part of a COVID breach.

In the instance that personal data is breached, whether from a COVID-safe website or not, Hay suggests developing a personal set of processes to avoid cyber criminals and scammers.

“We need a more educated and aware community on the gravity of the cyber environment so people make better-informed decisions. We will be breached. It’s a matter of how we mitigate the harm and manage the risk,” he said.

Hay suggested precautions such as using a password manager, a VPN and a credit monitoring system. He also reiterated the golden rule: “never click on an embedded hyperlink in an unsolicited email – do that and you will never fall for a phishing attack.”

The OAIC also said patrons should raise any privacy concerns with individual venues. If an individual believes that a venue has breached the Privacy Act they can make a complaint to the OAIC or to the relevant state or territory government agency.

What is the future of the COVID-safe check-in?

It’s unclear how long the COVID-safe check-in process will be around for, but don’t expect it to disappear anytime soon.

“It started out as a temporary fix and it’s grown into a permanent solution,” Axelsen said.

The experts agree that the process needs improvement, particularly in terms of setting national standards for the security of Australians’ data in relation to the ongoing pandemic.

It’s entirely possible that this process is about to enter a whole new stage. With COVID vaccines rolling out, it’s likely the government will need to implement some standard for proof of vaccination. This could, once again, come in the form of an online certification via government apps.

If these digital COVID data systems are to be the new normal, then a national standard is long overdue.