19 March 2021

The hidden dangers of QR code check-ins

Karyn Starmer

Since the COVID-19 pandemic commenced, QR codes have become an integral part of our everyday lives. Photo: File.

Thinking back to when the words ‘contact tracing’ and ‘lockdown’ were not part of our everyday language, those little pixelated squares called QR codes could be seen on product labels, but were by and large ignorable. Fast-forward to 2021 and governments are mandating we use our smartphones to scan them, sharing our personal details at every venue we enter and making our movements traceable to public health authorities.

But who else can see and use our information?

Australians have now largely accepted checking in to a venue as the price we have to pay for our freedom to socialise and return to some form of normality. However, there is minimal information available about how our data from QR codes is stored, or how secure it is.

As the backlash against the Federal Government’s COVIDSafe app showed, Australians are well tuned in to privacy concerns. Yet here we are sharing ourselves everywhere via QR code check-ins.

QR codes have become popular during COVID-19 due to their fast readability and greater storage capacity compared to standard barcodes. Image: File.

“Everyone just wants to do the right thing and get on with their lives, but we need to be aware of what happens to our data,” says BAL Lawyers’ director business and corporate, Katie Innes.

“Not many people realise you are giving consent about how your information can be used when using digital sign-ins, and in some cases, there can be implied consent that those personal details can be legally sold to third-parties for marketing.”

In the early days before state and territory governments moved to provide their own QR code check-in services, and after we rejected the clumsy pen and paper option, many Canberra businesses and venues were using third-party QR codes without incorporating best-practice privacy principles into the design of registration systems.

“People need to be aware that when scanning a QR code, you are giving your information to a business and that means you may be agreeing to the use of your information for ‘marketing’ via the T&Cs [terms and conditions] that no-one ever looks at or reads,” says Katie.

The average QR code check-in may require the user to input their name, home address, phone number and email address. While this information is freely being given and taken for contact tracing purposes, Katie says these sites may also become a tempting target for hackers.

She says users can be more confident using government-regulated check-in apps. The NSW and ACT government apps are a more acceptable model than the third-party codes.

BAL Lawyers director business and corporate Katie Innes. Photo: Supplied.

So what can we do to protect our data using QR codes?

“First, don’t assume every pixelated black-and-white square you come across is OK,” says Katie. “Be aware of the QR code you are scanning. Check to see if it is a fake or has been tampered with. If it directs you to a website, make sure it is a legitimate website and if it looks suspicious, don’t enter your details.”

Other recommended precautions include ensuring your email address is secured with a strong password. If a business has your email address, you don’t want them to be able to work out your password.

And the golden rule: never click on an embedded hyperlink in an unsolicited email.

“Clicking on a link such as that could lead you to all sorts of unintended consequences, from sharing your data to being hacked,” says Katie.

“Businesses which use QR codes have a responsibility to take reasonable steps to ensure their customers and their data don’t get hacked, but it is ultimately up to the customer to be aware of who you are handing your details to.”

Join the conversation

People need to stand up for their rights. We have no cases of Covid in the ACT, and tracking people at this time is a hysterical response. Fair enough if you want to set up a system that can be used IF there is a total outbreak in the community, but that is not the case at this time. Tracking people when there is no outbreak is not necessary, and a breach of privacy. Like many others, I will not provide my personal details as I do not know where the information will end up.

Just use a fake name and fake phone number.
The more people that resist creeping totalitarianism and protect their rights to privacy and former rights to having a coffee without providing the venue with their personal details, the sooner sanity will prevail.
History shows that paranoia and mass hysteria usually have bad outcomes, starting with the imposition of petty rules.

I hope no-one is influenced by your irresponsible suggestion.

Capital Retro, 12:16 pm 22 Mar 21

Wasn’t it Stalin that said that “the trust of the people is good but control of them is better”?

Doesn’t bother me, because I’m refusing to use the contact tracing apps. The ACT government can take their Stasi-like “Papers bitte” act and shove it.

Capital Retro, 7:42 am 19 Mar 21

What does QR mean?

Quick Response code.
It’s basically a souped-up bar code.

Capital Retro, 10:14 am 19 Mar 21

Thanks for the “QR” on that one. I had no idea. I didn’t even have an MP1 let alone an MP4.

It does look like a bar code; depicted by a post-modernist.
