The hidden dangers of QR code check-ins

Karyn Starmer, 25 March 2021
Since the COVID-19 pandemic commenced, QR codes have become an integral part of our everyday lives. Photo: File.

Thinking back to when the words ‘contact tracing’ and ‘lockdown’ were not part of our everyday language, those little pixelated squares called QR codes could be seen on product labels, but were by and large ignorable. Fast-forward to 2021 and governments are mandating we use our smartphones to scan them, sharing our personal details at every venue we enter and making our movements traceable to public health authorities.

But who else can see and use our information?

Australians have now largely accepted checking in to a venue as the price we have to pay for our freedom to socialise and return to some form of normality. However, there is minimal information available about how our data from QR codes is stored, or how secure it is.

As the backlash against the Federal Government’s COVIDSafe app showed, Australians are well tuned in to privacy concerns. Yet here we are sharing ourselves everywhere via QR code check-ins.

QR codes have become popular during COVID-19 due to their fast readability and greater storage capacity compared to standard barcodes. Image: File.

“Everyone just wants to do the right thing and get on with their lives, but we need to be aware of what happens to our data,” says BAL Lawyers’ director business and corporate, Katie Innes.

“Not many people realise you are giving consent about how your information can be used when using digital sign-ins, and in some cases, there can be implied consent that those personal details can be legally sold to third parties for marketing.”

In the early days before state and territory governments moved to provide their own QR code check-in services, and after we rejected the clumsy pen and paper option, many Canberra businesses and venues were using third-party QR codes without incorporating best-practice privacy principles into the design of registration systems.

“People need to be aware that when scanning a QR code, you are giving your information to a business and that means you may be agreeing to the use of your information for ‘marketing’ via the T&Cs [terms and conditions] that no-one ever looks at or reads,” says Katie.

The average QR code check-in may require the user to input their name, home address, phone number and email address. While this information is freely being given and taken for contact tracing purposes, Katie says these sites may also become a tempting target for hackers.

She says users can be more confident using government-regulated check-in apps. The NSW and ACT government apps are a more acceptable model than the third-party codes.

BAL Lawyers director business and corporate Katie Innes. Photo: Supplied.

So what can we do to protect our data using QR codes?

“First, don’t assume every pixelated black-and-white square you come across is OK,” says Katie. “Be aware of the QR code you are scanning. Check to see if it is a fake or has been tampered with. If it directs you to a website, make sure it is a legitimate website and if it looks suspicious, don’t enter your details.”

Other precautions recommended include ensuring your email address is secured with a strong password. If a business has your email address, you don’t want them to be able to work out your password.

And the golden rule: never click on an embedded hyperlink in an unsolicited email.

“Clicking on a link such as that could lead you to all sorts of unintended consequences, from sharing your data to being hacked,” says Katie.

“Businesses which use QR codes have a responsibility to take reasonable steps to ensure their customers and their data don’t get hacked, but it is ultimately up to the customer to be aware of who you are handing your details to.”

Original Article published by Karyn Starmer on The RiotACT.
